About
Access keys are the long-lived form of Identity and Access Management (IAM) credentials. Because they do not expire on their own, they frequently end up leaked in source code, build logs, and configuration files.
Understanding Impact
Business Impact
IAM users with old, unrotated access keys are risky because access keys never expire and are frequently leaked.
Technical Impact
Long-lived IAM credentials pose a lower risk when paired with enforced two-factor authentication (2FA). As a matter of good security hygiene, the age of access keys should be audited and acted on continuously.
Identify affected resources
The easiest way to identify IAM users with old access keys is to generate an IAM credential report.
aws iam generate-credential-report
Then, retrieve the credential report. The report is returned as a CSV file, Base64-encoded.
aws iam get-credential-report --query Content --output text | base64 -d
You can identify users with old access keys from the access_key_1_last_rotated and access_key_2_last_rotated columns of the report.
Remediate vulnerable resources
If the access key is no longer needed, disable and remove it. You can use the credential report fields access_key_1_last_used_date and access_key_2_last_used_date to assess whether an access key has been used recently. If the access key is still needed, rotate it.
How Datadog can help
CSM
Datadog CSM detects this vulnerability using the following out-of-the-box rules:
References
How to Rotate Access Keys for IAM Users (AWS documentation)
Managing access keys for IAM users (AWS documentation)