- Newest
- Most votes
- Most comments
a) The 90 day limit for access keys is a best practice recommendation rather than a strict limit. Access keys can technically work for longer than 90 days. However, keeping keys rotated frequently helps reduce security risks in case a key gets compromised.
b) After 90 days, access keys will continue to work. They do not get automatically deleted. It is recommended to periodically review keys and delete any that are no longer needed.
c) Yes, it is possible to create a custom Config rule using GuardDuty policies to check the age of access keys and trigger a non-compliant finding if they exceed 365 days. The blog post you referenced provides guidance on building custom Config rules with GuardDuty policies.
Some additional points:
Using IAM roles with temporary security credentials helps reduce risks compared to long-term access keys. Where possible, applications should assume roles rather than use static keys.
Be sure to regularly review all access keys for all users and delete any that are no longer needed.
I found out that the JSON property that gives out access key age is called.
configuration.createDate
This property can be used to check when the key was created
Relevant content
- Accepted Answerasked 6 months ago
- Accepted Answerasked 7 months ago
- AWS OFFICIALUpdated 2 months ago
- AWS OFFICIALUpdated 4 months ago
- AWS OFFICIALUpdated 6 months ago
- AWS OFFICIALUpdated 5 months ago
Hi @Giovanni Thanks for the answer. You mentioned that custom Config rule can be used GuardDuty policies to check the age of access keys. I am looking at this Config rule schema for IAM User. I cannot see maxAccessKeyAge (or any other property) that can provide access key age.
Am I looking at the correct schema? thanks https://github.com/awslabs/aws-config-resource-schema/blob/master/config/properties/resource-types/AWS%3A%3AIAM%3A%3AUser.properties.json