Avoid Provisioning Access Keys During Initial IAM User Creation When Console Login is Enabled

Framework Reference: A.5.17 (Authentication Information)
Integration: AWS – IAM

Why this matters

When new IAM users are created with both programmatic and console access, access keys are often provisioned by default—even if they're not needed immediately. This introduces unnecessary risk because:

Unused access keys may go unnoticed and unmonitored

Credentials could be compromised if stored insecurely

Users may have more access than their actual usage requires

Provisioning access keys should be a deliberate and auditable action, only when truly needed.


What this check does

This Auto Check verifies whether:

IAM users were provisioned with access keys during account creation

These users also have console access via password

The access keys have never been used or are unnecessary based on usage patterns

The check fails if unused or unnecessary access keys are found to be provisioned at user creation time.


How to fix it

Remove access keys that are not in use or were automatically created but not required.

From the AWS Console

Go to the IAM Console.

Select Users, and then go to the Security Credentials tab.

Review access keys for each user.

Identify keys that were:

Created at the time of user creation

Never used or flagged during audit

Click the X (Delete) button next to the key to remove it.

Generate a credential report for auditing

From the IAM Dashboard, choose Credential Report.

Download and review the .csv file for unused keys.

Use it to identify stale or redundant credentials for removal.

Using AWS CLI

# Delete an access key
aws iam delete-access-key --user-name <user_name> --access-key-id <access_key_id>
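The credential report described above is the quickest way to find keys that match this check at scale. The following Python script is an added example, not code from the original article or from AWS: it parses a credential report CSV (the same format the console's Credential Report button and `aws iam get-credential-report` produce) and lists users that have console login enabled plus an active access key that was created within a few minutes of the user itself and has never been used. The report rows, the account ID and the five-minute creation window are constructed assumptions for the example.

```python
"""Flag IAM users whose access keys look auto-provisioned at user creation.

Added example (not part of the original article). Parses an IAM credential
report and reports users that have console access (password_enabled) plus an
active access key created at about the same moment as the user and never used.
The report rows below are constructed sample data, not real account output.
"""
import csv
import io
from datetime import datetime, timedelta

# Constructed sample report using the real credential-report column names.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
alice,arn:aws:iam::111122223333:user/alice,2024-03-01T09:00:12+00:00,true,2024-04-02T08:15:00+00:00,2024-03-01T09:00:12+00:00,N/A,true,true,2024-03-01T09:00:14+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2024-01-10T14:30:00+00:00,true,2024-04-01T10:00:00+00:00,2024-01-10T14:30:00+00:00,N/A,true,true,2024-02-20T11:05:00+00:00,2024-04-01T12:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2024-02-05T16:00:00+00:00,false,no_information,N/A,N/A,false,true,2024-02-05T16:00:02+00:00,2024-04-03T01:00:00+00:00,us-west-2,ecr,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

# Assumed threshold: a key created within this window of user creation is
# treated as "provisioned at creation".
CREATION_WINDOW = timedelta(minutes=5)


def _parse_time(value):
    """Return a datetime for an ISO 8601 report timestamp, or None for N/A-style values."""
    if not value or value in ("N/A", "no_information", "not_supported"):
        return None
    return datetime.fromisoformat(value)


def find_unused_creation_keys(report_csv, window=CREATION_WINDOW):
    """Return a list of (user, key_slot) pairs for keys that fail the check.

    A key fails when the user has console login enabled, the key is active,
    its creation (last_rotated) time is within `window` of user_creation_time,
    and the report shows it has never been used.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        # The root row reports "not_supported" for password_enabled; skip it
        # along with any user that has no console password.
        if row["user"] == "<root_account>" or row["password_enabled"] != "true":
            continue
        created = _parse_time(row["user_creation_time"])
        for slot in ("access_key_1", "access_key_2"):
            if row[f"{slot}_active"] != "true":
                continue
            key_created = _parse_time(row[f"{slot}_last_rotated"])
            never_used = _parse_time(row[f"{slot}_last_used_date"]) is None
            if created and key_created and abs(key_created - created) <= window and never_used:
                findings.append((row["user"], slot))
    return findings


if __name__ == "__main__":
    for user, slot in find_unused_creation_keys(SAMPLE_REPORT):
        # The report does not carry the key ID; look it up with
        #   aws iam list-access-keys --user-name <user>
        # and then remove it with
        #   aws iam delete-access-key --user-name <user> --access-key-id <id>
        print(f"{user}: {slot} was created with the user and has never been used")
```

To run it against a real account, produce the report with `aws iam generate-credential-report`, then fetch it with `aws iam get-credential-report --query Content --output text | base64 -d > report.csv` and pass the file contents to `find_unused_creation_keys`. In the constructed sample only alice is flagged: bob's key was created weeks after the user and is in use, and ci-deploy has no console password, so a key is its only way to authenticate.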


Exceptions

If programmatic access is required:

Require users to explicitly request or generate access keys post-creation

Establish a support or approval process for issuing access keys

Apply tagging or metadata to track why a key was issued and to whom

Encouraging users to provision keys themselves demonstrates intent and aligns with least privilege principles.


Further Resources

AWS CLI – delete-access-key

Create IAM Users – AWS Docs

Managing Access Keys for IAM Users

IAM Credential Reports
