Access keys are the long-lived form of Identity and Access Management (IAM) credentials. Consequently, they are frequently leaked in source code, build logs, and configuration files.
IAM users with old, unrotated access keys are risky because access keys never expire and are frequently leaked.
Long-lived IAM credentials pose a lower risk when paired with enforced two-factor authentication (2FA). As a matter of good security hygiene, the age of access keys should be audited and acted on continuously.
Identify affected resources
The easiest way to identify IAM users with old access keys is to generate an IAM credential report.
aws iam generate-credential-report
Then, retrieve the credential report. The report is returned as a CSV file, Base64-encoded.
aws iam get-credential-report --query Content --output text | base64 -d
You can identify users with old access keys based on the values in the
Remediate vulnerable resources
If the access key is not needed anymore, disable and remove it. You can use the credential report fields access_key_2_last_used_date to assess if an access key has recently been used. If the access key is still needed, you can rotate it.
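To act on the decoded report rather than reading the CSV by hand, here is an added Python example (not from the original page and not Datadog's own code) that parses a constructed, trimmed credential report and flags active keys rotated more than 90 days ago, recommending removal when the key has not been used in the last 30 days and rotation otherwise. The column names are the real credential-report columns; the sample rows, the account id and the 90/30-day thresholds are assumptions.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample, trimmed to the credential-report columns this script reads.
# A real report (aws iam get-credential-report --query Content --output text | base64 -d)
# carries more columns; csv.DictReader simply ignores the ones not referenced below.
SAMPLE_REPORT = """user,arn,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,true,false,N/A,N/A,false,N/A,N/A
ci-deployer,arn:aws:iam::111122223333:user/ci-deployer,false,true,2022-01-10T00:00:00+00:00,2024-05-01T12:00:00+00:00,false,N/A,N/A
analyst,arn:aws:iam::111122223333:user/analyst,true,true,2024-04-20T00:00:00+00:00,2024-05-02T10:00:00+00:00,true,2021-06-01T00:00:00+00:00,N/A
"""

NOW = datetime(2024, 5, 3, tzinfo=timezone.utc)  # fixed "now" so results are reproducible


def parse_date(value):
    """Return an aware datetime, or None for the report's N/A-style placeholders."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def find_stale_keys(report_csv, max_age_days=90, unused_days=30, now=NOW):
    """Flag active access keys whose last rotation is older than max_age_days.
    Each finding records whether the key was used within unused_days, which
    decides between 'rotate' (still needed) and 'disable and remove'."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue  # inactive or absent key: nothing to rotate
            rotated = parse_date(row[f"access_key_{slot}_last_rotated"])
            if rotated is None:
                continue
            age = (now - rotated).days
            if age <= max_age_days:
                continue
            last_used = parse_date(row[f"access_key_{slot}_last_used_date"])
            recently_used = last_used is not None and (now - last_used).days <= unused_days
            findings.append({
                "user": row["user"],
                "key": f"access_key_{slot}",
                "age_days": age,
                "mfa_active": row["mfa_active"] == "true",
                "action": "rotate" if recently_used else "disable and remove",
            })
    return findings


if __name__ == "__main__":
    for f in find_stale_keys(SAMPLE_REPORT):
        print(f"{f['user']}: {f['key']} is {f['age_days']} days old -> {f['action']}")
```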
How Datadog can help
Datadog CSM detects this vulnerability using the following out-of-the-box rules:
How to Rotate Access Keys for IAM Users
Managing access keys for IAM users