Do not setup access keys during initial user setup for all IAM users that have a console password
| Rating | 🛑 - High |
|---|---|
Description
IAM users can have multiple credentials, for example passwords, or access keys.
Vulnerability
Access to the AWS account needs to be restricted to avoid the account being compromised. While having an access key is not strictly an issue, having access keys, and a console password would raise concerns on the multiple ways a user can gain access to the system, resulting in a potential breach if the credentials are not properly managed. Note that while AWS CIS v.1.20 is specifically checking access keys created with user created, AWS Security Info will check for any console user that also has access keys.
Remediation
To remediate this issue, either remove the console password, or remove the access keys.
References
- AWS CIS v.1.4.0 - 1.11
- AWS CIS v.1.2.0 - 1.21