Checks whether each Resource Access Management (RAM) user is in the Activated state and has fewer than two AccessKey pairs that were created more than the specified number of days ago. If so, the evaluation result is Compliant. We recommend that each RAM user has one valid AccessKey pair in most cases and has two valid AccessKey pairs during rotation.
Scenarios
Regularly clean up and rotate the AccessKey pairs of RAM users to reduce the risk of AccessKey leaks.
Risk level
Default risk level: Medium.
You can change the risk level as needed.
Detection logic
If a RAM user is in the Activated state and has fewer than two AccessKey pairs that were created more than the specified number of days ago, the evaluation result is Compliant.
If a RAM user is not in the Activated state or has two or more AccessKey pairs that were created more than the specified number of days ago, the evaluation result is Non-compliant.
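The detection logic above, written out as an added Python example (not Cloud Config's own code) so the rotation and threshold edge cases can be checked offline. The record fields `state`, `access_keys` and `create_date`, the state value `Inactive`, and all sample users and key IDs are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

DEFAULT_DAYS = 30  # the rule's "days" input parameter, default 30


def old_key_count(user, now, days=DEFAULT_DAYS):
    """Count AccessKey pairs created more than `days` days before `now`."""
    cutoff = now - timedelta(days=days)
    return sum(1 for key in user["access_keys"] if key["create_date"] < cutoff)


def evaluate(user, now, days=DEFAULT_DAYS):
    """Return (result, reason) following the detection logic of this rule."""
    if user["state"] != "Activated":
        return "Non-compliant", "user is not in the Activated state"
    count = old_key_count(user, now, days)
    if count >= 2:
        return "Non-compliant", f"{count} AccessKey pairs older than {days} days"
    return "Compliant", f"{count} AccessKey pair(s) older than {days} days"


# Constructed sample data: names, key IDs and dates are made up.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def _key(key_id, age_days):
    return {"id": key_id, "create_date": NOW - timedelta(days=age_days)}


USERS = [
    {"name": "ci-deploy", "state": "Activated", "access_keys": [_key("AK-EXAMPLE-1", 10)]},
    # Mid-rotation: one old key plus its freshly issued replacement.
    {"name": "rotating", "state": "Activated", "access_keys": [_key("AK-EXAMPLE-2", 90), _key("AK-EXAMPLE-3", 1)]},
    # Rotation never finished: both keys are past the threshold.
    {"name": "stale", "state": "Activated", "access_keys": [_key("AK-EXAMPLE-4", 200), _key("AK-EXAMPLE-5", 45)]},
    {"name": "pending", "state": "Inactive", "access_keys": []},
    # A key exactly 30 days old has not existed for "more than" 30 days.
    {"name": "boundary", "state": "Activated", "access_keys": [_key("AK-EXAMPLE-6", 30), _key("AK-EXAMPLE-7", 31)]},
]


def report(users=USERS, now=NOW, days=DEFAULT_DAYS):
    """Map each user name to its evaluation result."""
    return {u["name"]: evaluate(u, now, days)[0] for u in users}


if __name__ == "__main__":
    for name, result in report().items():
        print(f"{name:10s} {result}")
```

Lowering `days` tightens the rule: with `days=29` the `boundary` user becomes Non-compliant because both of its keys then exceed the threshold.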
Rule details
Item | Description |
Rule name | A RAM user has no more than one valid AccessKey |
Rule identifier | |
Tag | AK |
Automatic remediation | Not supported |
Rule trigger | Configuration change |
Supported resource type | RAM user |
Input parameters | days. Default value: 30 |
Remediation
Ensure that the RAM user is active and has fewer than two AccessKey pairs. For more information, see Disable an AccessKey for a RAM user.