An AccessKey for a Resource Access Management (RAM) user is considered compliant if it was created within a specified number of days.
Scenario
An AccessKey pair can be exposed in code, configuration files, or files in cloud storage, where an attacker can steal it. Rotating AccessKey pairs regularly reduces the business losses if a pair is leaked.
Risk level
Default risk level: High.
You can change the risk level as needed.
Detection logic
An AccessKey for a RAM user is considered compliant if it was created within a specified number of days. The default value is 90 days.
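The check above can be reproduced offline against an exported key inventory. The following is an added example, not code from the rule itself. It assumes records carrying the `AccessKeyId`, `Status` and `CreateDate` fields, and it assumes that every key counts regardless of status, that a key exactly `days` old is still compliant, and that a user with no keys is not applicable. The page does not state any of those three behaviours.

```python
from datetime import datetime, timedelta, timezone

# Constructed evaluation time and constructed inventory (not real keys).
NOW = datetime(2024, 6, 30, tzinfo=timezone.utc)
SAMPLE_KEYS = {
    "alice": [{"AccessKeyId": "LTAI-EXAMPLE-0001", "Status": "Active",
               "CreateDate": "2024-05-20T08:00:00Z"}],
    "bob": [{"AccessKeyId": "LTAI-EXAMPLE-0002", "Status": "Active",
             "CreateDate": "2023-11-02T10:15:00Z"},
            {"AccessKeyId": "LTAI-EXAMPLE-0003", "Status": "Active",
             "CreateDate": "2024-06-01T09:30:00Z"}],
    "carol": [],  # no AccessKey at all
}


def key_age(create_date, now):
    """Age of a key as a timedelta, from a UTC timestamp such as 2024-05-20T08:00:00Z."""
    created = datetime.strptime(create_date, "%Y-%m-%dT%H:%M:%SZ")
    return now - created.replace(tzinfo=timezone.utc)


def evaluate_user(keys, now, days=90):
    """Return (verdict, stale_key_ids) for one RAM user's list of keys."""
    if not keys:
        return "NOT_APPLICABLE", []  # assumption: nothing to rotate
    limit = timedelta(days=days)
    # Assumption: all keys are checked whatever their Status, and a key
    # is stale only once it is strictly older than the limit.
    stale = [k["AccessKeyId"] for k in keys
             if key_age(k["CreateDate"], now) > limit]
    return ("NON_COMPLIANT" if stale else "COMPLIANT"), stale


def audit(users, now, days=90):
    """Evaluate every user; one stale key makes the whole user non-compliant."""
    return {user: evaluate_user(keys, now, days) for user, keys in users.items()}


if __name__ == "__main__":
    for user, (verdict, stale) in audit(SAMPLE_KEYS, NOW).items():
        print(f"{user:6} {verdict:15} stale={stale}")
```

Listing the stale key IDs per user, rather than only the verdict, shows which key to rotate when a user holds two.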
Rule details
| Parameter | Description |
| --- | --- |
| Rule name | Rotate the AccessKey of a RAM user within a specified period |
| Rule identifier | |
| Automatic remediation | Not supported |
| Rule trigger | Every 24 hours and on configuration changes |
| Supported resource types | ACS::RAM::User |
| Input parameters | days (Default value: 90) |
Remediation
For remediation steps, see Rotate the AccessKey of a RAM user.