Checks whether the period between the time when an AccessKey pair of a RAM user was created and the time when the compliance evaluation starts is shorter than or equal to the period specified by the input parameter.
Scenario
An AccessKey pair may be disclosed in code, configuration files, or cloud storage files and then stolen by an attacker. Regular rotation of AccessKey pairs limits the business losses if an AccessKey pair is leaked, because a leaked pair stops working once it is replaced.
Risk level
Default risk level: high.
You can change the risk level as required when you apply this rule.
Compliance evaluation logic
- If the period between the time when an AccessKey pair of a RAM user was created and the time when the compliance evaluation starts is shorter than or equal to the period specified by the input parameter, the evaluation result is compliant.
- If the period between the time when an AccessKey pair of a RAM user was created and the time when the compliance evaluation starts is longer than the period specified by the input parameter, the evaluation result is non-compliant. For more information about how to correct the non-compliant configuration, see Non-compliance remediation.
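The following is an added worked example of the evaluation logic above; it is not Alibaba Cloud's implementation of the rule. It assumes AccessKey records shaped like the RAM ListAccessKeys response (`AccessKeyId`, `CreateDate` in ISO 8601 UTC, `Status`); the sample user and key data are constructed, and the per-user aggregation of several keys is an assumption noted in the code.

```python
"""Added example of the ram-user-ak-create-date-expired-check logic (not Alibaba
Cloud's code): key age = evaluation start time - CreateDate, compared with `days`."""
from datetime import datetime, timedelta, timezone

DEFAULT_DAYS = 90  # default value of the rule's `days` input parameter

# Constructed sample data: evaluation start time and one RAM user with three keys.
EVALUATION_START = datetime(2024, 6, 1, 0, 0, 0, tzinfo=timezone.utc)
SAMPLE_USER = {
    "UserName": "ci-deployer",  # constructed
    "AccessKeys": [  # AccessKeyId values are constructed placeholders
        {"AccessKeyId": "LTAI_EXAMPLE_A", "CreateDate": "2024-03-03T00:00:00Z", "Status": "Active"},
        {"AccessKeyId": "LTAI_EXAMPLE_B", "CreateDate": "2024-01-15T08:30:00Z", "Status": "Active"},
        {"AccessKeyId": "LTAI_EXAMPLE_C", "CreateDate": "2024-05-20T00:00:00Z", "Status": "Inactive"},
    ],
}

def parse_create_date(value: str) -> datetime:
    """Parse an ISO 8601 timestamp such as '2024-01-15T08:30:00Z' into an aware UTC datetime.
    fromisoformat() on Python < 3.11 rejects a trailing 'Z', so normalise it first."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    parsed = datetime.fromisoformat(value)
    if parsed.tzinfo is None:  # assumption: a naive timestamp is UTC
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed.astimezone(timezone.utc)

def evaluate_access_key(create_date: str, evaluation_start: datetime, days: int = DEFAULT_DAYS) -> str:
    """Rule for one key: age <= days is COMPLIANT, age > days is NON_COMPLIANT (boundary inclusive)."""
    if days <= 0:
        raise ValueError("days must be a positive integer")
    age = evaluation_start - parse_create_date(create_date)
    return "COMPLIANT" if age <= timedelta(days=days) else "NON_COMPLIANT"

def evaluate_user(user: dict, evaluation_start: datetime, days: int = DEFAULT_DAYS) -> dict:
    """Evaluate every AccessKey pair of a RAM user (the rule's resource type).
    Assumption: the user is NON_COMPLIANT if any key is older than `days`;
    inactive keys still count, since a disabled key can be re-enabled."""
    per_key = {ak["AccessKeyId"]: evaluate_access_key(ak["CreateDate"], evaluation_start, days)
               for ak in user["AccessKeys"]}
    overall = "NON_COMPLIANT" if "NON_COMPLIANT" in per_key.values() else "COMPLIANT"
    return {"UserName": user["UserName"], "Compliance": overall, "AccessKeys": per_key}

if __name__ == "__main__":
    result = evaluate_user(SAMPLE_USER, EVALUATION_START)
    print(result["UserName"], result["Compliance"])
    for key_id, status in result["AccessKeys"].items():
        print(f"  {key_id}: {status}")
```

With the constructed data, key A is exactly 90 days old and passes, key B (138 days) fails, and key C (12 days) passes, so the user as a whole is non-compliant.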
Rule details
Item | Description |
---|---|
Rule name | ram-user-ak-create-date-expired-check |
Rule ID | ram-user-ak-create-date-expired-check |
Tag | RAM and User |
Automatic remediation | Not supported |
Trigger type | Periodic execution |
Time interval | 24 hours |
Supported resource type | RAM user |
Input parameter | days. Default value: 90. |
Non-compliance remediation
Rotate the AccessKey pairs of the RAM user. For more information, see Rotate AccessKey pairs.