access-keys-rotated - AWS Config

access-keys-rotated

Checks if active IAM access keys are rotated (changed) within the number of days specified in maxAccessKeyAge. The rule is NON_COMPLIANT if access keys are not rotated within the specified time period. The default value is 90 days.

Warning

Do not provide your access keys to unauthorized parties, even to help find your account identifiers. By doing this, you might give someone permanent access to your account. The security best practice is to remove passwords and access keys when users no longer need them.

Note

Working with AWS resources

If the rule finds that any of your access keys are noncompliant, the AWS::IAM::User resource type will also be marked as noncompliant in the AWS console.

The AWS::IAM::User resource type can only be recorded by AWS Config in Regions where AWS Config was available before February 2022. AWS::IAM::User cannot be recorded in Regions supported by AWS Config after February 2022.

Additionally, if you have selected to record AWS::IAM::User in at least one Region, periodic rules such as this rule that report compliance on AWS::IAM::User will run evaluations on AWS::IAM::User in all Regions where the periodic rule is added, even if you have not enabled the recording of AWS::IAM::User in the Region where the periodic rule was added.

You should only deploy this rule to one of the supported Regions to avoid unnecessary evaluations and API throttling. Not enabling the recording of global IAM resource types will not prevent this rule from running evaluations, if you have enable the recording of global IAM resource types in another Region. To avoid unnecessary evaluations, you should limit the deployment of this rule to one Region.

Limitations

The rule does not apply to AWS account root user access keys. To delete or rotate your root user access keys, use your root user credentials to sign in to the My Security Credentials page in the AWS Management Console at https://aws.amazon.com/console/.

Identifier: ACCESS_KEYS_ROTATED

Resource Types: AWS::IAM::User

Trigger type: Periodic

AWS Region: All supported AWS regions except Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Melbourne), Israel (Tel Aviv), Canada West (Calgary), Europe (Spain), Europe (Zurich) Region

Parameters:

maxAccessKeyAge
Type: int
Default: 90

Maximum number of days without rotation. Default 90.

AWS CloudFormation template

To create AWS Config managed rules with AWS CloudFormation templates, see Creating AWS Config Managed Rules With AWS CloudFormation Templates.