Extending Access keys duration, and Custom Config rules

0

Hi. Rally hope someone can shed some light on this questions:

I understand as a best practice, access key age should be 90 days or less.

a - Is this 90 day limit set in stone? Can we have users who can have access keys going over 90 days and still use their keys? b - If maximum age is 90 days, what happens after 90 days? Do they keys stay on the console, and we have to delete them manually? Or do they get deleted automatically by AWS?

c - I was reading this article: https://aws.amazon.com/blogs/mt/announcing-aws-config-custom-rules-using-guard-custom-policy/

Can I use the above approach to create custom Config rules with Guard policy that checks the age of the access keys and only throws non-compliant error if the access key is over 365 days?

If I cannot use this approach, is there any other way?

thanks

Qadri
已提問 3 個月前檢視次數 197 次
2 個答案
2
已接受的答案

a) The 90 day limit for access keys is a best practice recommendation rather than a strict limit. Access keys can technically work for longer than 90 days. However, keeping keys rotated frequently helps reduce security risks in case a key gets compromised.

b) After 90 days, access keys will continue to work. They do not get automatically deleted. It is recommended to periodically review keys and delete any that are no longer needed.

c) Yes, it is possible to create a custom Config rule using GuardDuty policies to check the age of access keys and trigger a non-compliant finding if they exceed 365 days. The blog post you referenced provides guidance on building custom Config rules with GuardDuty policies.

Some additional points:

Using IAM roles with temporary security credentials helps reduce risks compared to long-term access keys. Where possible, applications should assume roles rather than use static keys.

Be sure to regularly review all access keys for all users and delete any that are no longer needed.

profile picture
專家
已回答 3 個月前
profile picture
專家
已審閱 2 個月前
profile picture
專家
Steve_M
已審閱 3 個月前
0

I found out that the JSON property that gives out access key age is called.

configuration.createDate

This property can be used to check when the key was created

Qadri
已回答 3 個月前

您尚未登入。 登入 去張貼答案。

一個好的回答可以清楚地回答問題並提供建設性的意見回饋,同時有助於提問者的專業成長。

回答問題指南