A RAM user in the Activated state that has fewer than two AccessKey pairs created for more than the specified number of days is evaluated as Compliant. We recommend that each RAM user maintain only one valid AccessKey pair and hold two only during key rotation.
Scenarios
Regularly clean up and rotate RAM user AccessKey pairs to reduce the risk of leaks.
Risk level
Default risk level: Medium.
You can change the risk level as needed.
Detection logic
-
If a RAM user is in the Activated state and has fewer than two AccessKey pairs created for more than the specified number of days, the evaluation result is Compliant.
-
If a RAM user is not in the Activated state or has two or more AccessKey pairs created for more than the specified number of days, the evaluation result is Non-compliant.
Rule details
|
Item |
Description |
|
Rule name |
A RAM user has no more than one valid AccessKey |
|
Rule identifier |
|
|
Tag |
AK |
|
Automatic remediation |
Not supported |
|
Rule trigger |
Configuration change |
|
Supported resource type |
RAM user |
|
Input parameters |
days. Default value: 30 |
Remediation
Make sure the RAM user is active and has fewer than two AccessKey pairs. For more information, see Disable an AccessKey for a RAM user.