New IAM User Has Access Keys

Overview

The AWS console does not create access keys by default when creating a new user since these are static credentials that would then need to be shared/communicated. Human users should create their own access keys, and service accounts should create access keys in a separate process from initial provisioning and then store the keys in a secrets manager.

When creating the IAM User credentials you have to determine what type of access they require. Programmatic access: The IAM user might need to make API calls, use the AWS CLI, or use the Tools for Windows PowerShell. In that case, create an access key (access key ID and a secret access key) for that user. AWS Management Console access: If the user needs to access the AWS Management Console, create a password for the user.

Requiring the additional steps be taken by the user for programmatic access after their profile has been created will give a stronger indication of intent that access keys are [a] necessary for their work and [b] once the access key is established on an account that the keys may be in use somewhere in the organization.

Note: Even if it is known the user will need access keys, require them to create the keys themselves or put in a support ticket to have them created as a separate step from user creation.

Vendor

AWS

Cloud Service

IAM

CIS AWS v1.5.0 1.11, CIS3.AWS.1.11

References

https://docs.aws.amazon.com/cli/latest/reference/iam/delete-access-key.html, https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html

Severity

Item Types

AWS::IAM::User

Overview​

Vendor​

Cloud Service​

Related Requirements​

Related Controls​

References​

Severity​

Item Types​