Setting up an automated system to manage the access keys in the company's AWS account

  • You can generate and download a credential report that lists all users in your account and the status of their various credentials, including passwords, access keys, and MFA devices.

  • When you request a report, IAM first checks whether a report for the AWS account has been generated within the past four hours.

    • If so, the most recent report is downloaded.

    • If not, IAM generates and downloads a new report.

  • GenerateCredentialReport - Generates a credential report for the AWS account. The call is asynchronous: it returns a State of STARTED or INPROGRESS while the report is being built and COMPLETE once it can be downloaded (immediately, if a report less than four hours old already exists).

  • GetCredentialReport - Retrieves the most recent credential report as a CSV (the API returns it base64-encoded; boto3 hands it back as bytes). Calling it before the report is COMPLETE fails with a ReportInProgress or ReportNotPresent error.

  • UpdateAccessKey - Changes the status of the specified access key between Active and Inactive. An inactive key is rejected on every request but is not removed, so it can be reactivated if disabling it breaks a workload; DeleteAccessKey is the irreversible step.

  • Config has a managed rule, access-keys-rotated, that checks whether active access keys have been rotated within the number of days set in its maxAccessKeyAge parameter (default 90).

    • However, Config only evaluates and flags keys; it does not change them. To disable a noncompliant key you still need to attach a remediation action, for example a custom Systems Manager Automation runbook that calls UpdateAccessKey.

      • Without a remediation action, Config will only mark the key as NON_COMPLIANT and notify you.

  • For example, to automatically disable all IAM user access keys that are more than 90 days old:

    • Develop a Lambda function, run on a schedule (for example an EventBridge rule), that calls the GenerateCredentialReport API and polls it until the returned State is COMPLETE.

    • Configure the function to use the GetCredentialReport API to download the report.

    • Parse the CSV and, for each user, check the access_key_1_last_rotated and access_key_2_last_rotated columns (the date each key was created or last rotated) for active keys older than 90 days. user_creation_time records when the user was created, not the key, so it is the wrong field for this check.

    • Disable the old access keys using the UpdateAccessKey API with Status set to Inactive. The report does not contain access key IDs, so call ListAccessKeys for each affected user first to obtain the AccessKeyId values.
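The four steps above, carried through as one working Lambda. This is an added example, not code from the original page or from AWS; it uses the real boto3 call names (generate_credential_report, get_credential_report, list_access_keys, update_access_key) but keeps the AWS calls behind an injected client so the parsing and disabling logic runs offline. The credential report, the user names, the account ID 123456789012 and the access key IDs are constructed sample data, the report columns are trimmed to the ones the code reads, and the EventBridge schedule and the dry_run event flag are assumptions. Note the user alice: an old user with a freshly rotated key, which a check on user_creation_time would flag by mistake.

```python
import csv
import time
from datetime import datetime, timedelta, timezone

MAX_AGE_DAYS = 90  # the 90-day policy from the text

# Constructed sample report (not real AWS output); columns trimmed to the ones read below.
# alice is an old user with a fresh key: a check on user_creation_time would wrongly flag her.
SAMPLE_REPORT = """\
user,arn,user_creation_time,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2022-01-01T00:00:00+00:00,true,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2023-01-01T00:00:00+00:00,true,true,2024-05-15T09:00:00+00:00,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2023-06-01T00:00:00+00:00,false,true,2024-01-10T08:00:00+00:00,true,2024-05-28T12:00:00+00:00
carol,arn:aws:iam::123456789012:user/carol,2023-09-01T00:00:00+00:00,true,false,N/A,true,2024-02-01T10:00:00+00:00
"""
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock so the demo is deterministic


def parse_report_time(value):
    """Report timestamps are ISO 8601; 'N/A', 'not_supported', 'no_information' map to None."""
    if not value or not value[0].isdigit():
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_stale_keys(report_csv, max_age_days=MAX_AGE_DAYS, now=None):
    """[(user, slot, last_rotated)] for each *active* key rotated more than max_age_days ago."""
    cutoff = (now or datetime.now(timezone.utc)) - timedelta(days=max_age_days)
    stale = []
    for row in csv.DictReader(report_csv.splitlines()):
        if row["user"] == "<root_account>":
            continue  # root keys cannot be managed with an IAM role; alert on them separately
        for slot in (1, 2):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            rotated = parse_report_time(row[f"access_key_{slot}_last_rotated"])
            if rotated is not None and rotated < cutoff:
                stale.append((row["user"], slot, rotated))
    return stale


def disable_stale_keys(iam, report_csv, max_age_days=MAX_AGE_DAYS, now=None, dry_run=False):
    """The report carries no access key IDs, so resolve them with ListAccessKeys before
    UpdateAccessKey(Status='Inactive'). Returns [(user, access_key_id)] that were disabled."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=max_age_days)
    disabled = []
    for user in sorted({u for u, _, _ in find_stale_keys(report_csv, max_age_days, now)}):
        # A user holds at most two access keys, so a single ListAccessKeys page is enough.
        for meta in iam.list_access_keys(UserName=user)["AccessKeyMetadata"]:
            if meta["Status"] == "Active" and meta["CreateDate"] < cutoff:
                if not dry_run:
                    iam.update_access_key(UserName=user, AccessKeyId=meta["AccessKeyId"], Status="Inactive")
                disabled.append((user, meta["AccessKeyId"]))
    return disabled


def fetch_credential_report(iam, attempts=30, delay=2.0):
    """GenerateCredentialReport is asynchronous: State is STARTED/INPROGRESS until the report
    is ready (COMPLETE at once if one under four hours old exists). GetCredentialReport
    before that raises ReportInProgress, so poll first. boto3 returns Content as bytes."""
    for _ in range(attempts):
        if iam.generate_credential_report()["State"] == "COMPLETE":
            return iam.get_credential_report()["Content"].decode("utf-8")
        time.sleep(delay)
    raise TimeoutError("credential report did not reach COMPLETE")


class FakeIam:
    """Offline stand-in for boto3's IAM client with the same call shapes (constructed data)."""
    KEYS = {"alice": [("AKIAALICE00000000001", "Active", "2024-05-15")],
            "bob": [("AKIABOB0000000000001", "Active", "2024-01-10"),
                    ("AKIABOB0000000000002", "Active", "2024-05-28")],
            "carol": [("AKIACAROL00000000001", "Inactive", "2023-01-01"),
                      ("AKIACAROL00000000002", "Active", "2024-02-01")]}

    def __init__(self):
        self.updates = []  # (UserName, AccessKeyId, Status) calls received
    def generate_credential_report(self):
        return {"State": "COMPLETE"}
    def get_credential_report(self):
        return {"Content": SAMPLE_REPORT.encode()}
    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [
            {"UserName": UserName, "AccessKeyId": k, "Status": s,
             "CreateDate": datetime.fromisoformat(d + "T00:00:00+00:00")}
            for k, s, d in self.KEYS[UserName]]}
    def update_access_key(self, UserName, AccessKeyId, Status):
        self.updates.append((UserName, AccessKeyId, Status))
        return {}


def lambda_handler(event, context):
    """Scheduled entry point; the role needs iam:GenerateCredentialReport, iam:GetCredentialReport,
    iam:ListAccessKeys and iam:UpdateAccessKey. Pass {"dry_run": true} to only report."""
    import boto3  # imported here so everything above also runs where the SDK is absent
    iam = boto3.client("iam")
    disabled = disable_stale_keys(iam, fetch_credential_report(iam), dry_run=bool(event.get("dry_run")))
    return {"disabled": [f"{user}:{key_id}" for user, key_id in disabled]}
```

Running `disable_stale_keys(FakeIam(), SAMPLE_REPORT, now=NOW)` disables bob's first key and carol's second key and leaves alice alone. Against a real account, swap FakeIam for boto3.client("iam"), run with dry_run first so the list of keys about to be deactivated can be checked against known service users, and keep the keys Inactive rather than deleting them until the owning workloads have confirmed they are not affected.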
