Help Center
Go back to application
Help Center
Go back to application
Platform Terms Glossary
Task Management
Task Management explained Creating Tasks Setting up Task NotificationsGiving permissions to team members
Organization
Working together in KertosInviting UsersCreating rolesAssigning System AccessCreating Departments and Assigning Users
Integrations
Discovery
Tasks
Device Management
Human Resource Information Systems
Inventory
Inventorization of vendorsInventorization of systemsInventorization of assetsEU AI Act: Inventorization of AI use cases
Risks
Managing risksApplying controls to risks
Trust Center
Setting up your trust center
Incidents
Reporting incidents
KAIA
KAIA explainedPrinciples of AI at Kertos
Interacting with KAIA
Compliance
Frameworks explainedManaging & implementing controlsCreating & managing policiesCompleting & assigning trainings
Privacy Management
Creating a RoPACreating TOMsCreating DPIAs
Data Subject Requests
API Reference
Ingress API Docs for DSRs Webhook API Docs for DSRs
Auto Checks
Auto Checks explainedAuto Checks: AWS Auto Checks: GCPAuto Checks: AzureAuto Checks Integration Guide for AzureAuto Checks Integration Guide for GCP
AWS Auto Checks Detailed Explanations
Enforce MFA on the AWS Root AccountVerify CloudTrail is logging management events across all AWS regionsEnsure no IAM AWS-managed policies grant full administrative accessConfirm that Amazon GuardDuty is enabled for threat detectionEnsure the root account does not have any active access keysConfirm IAM Access Analyzer is enabled to monitor access permissionsConfigure a log metric filter and alarm for unauthorized API callsConfigure a log metric filter and alarm for root account usageEnsure customer-managed IAM policies do not grant full administrative accessPrevent IAM identities from having inline policies with unrestricted accessMaintain accurate and up-to-date AWS account contact informationRegister a valid security contact in the AWS account settingsBlock IAM Inline Policies That Enable Privilege EscalationPrevent IAM Inline Policies from Granting Full CloudTrail AccessAvoid Full KMS Access in Inline IAM PoliciesPrevent Overly Permissive Role Assumption in Custom IAM PoliciesPrevent Privilege Escalation via Customer-Managed IAM PoliciesAvoid IAM Policies Granting Full CloudTrail AccessAvoid IAM Policies Granting Unrestricted KMS AccessPrevent IAM Roles from Assigning ReadOnlyAccess Permissions to External AWS AccountsProtect IAM Service Roles from Confused Deputy Attacks Using Proper Trust PoliciesAvoid Provisioning Access Keys During Initial IAM User Creation When Console Login is EnabledDetect IAM Users with Multiple Active Access Keys and Enforce Key Rotation

Detect IAM Users with Multiple Active Access Keys and Enforce Key Rotation

Framework Reference: A.5.17 (Authentication Information) Integration: AWS – IAM

Why this matters

Access keys are long-term credentials used for programmatic access via AWS CLI, SDKs, or APIs. If IAM users have multiple active access keys:

It becomes harder to track which key is in use

Unused keys may be forgotten and remain vulnerable

Key rotation hygiene suffers, increasing the risk of credential leaks

To reduce the attack surface and improve credential management, each IAM user should have only one active key at a time—and that key should be rotated regularly.

What this check does

This Auto Check evaluates all IAM users and verifies:

Whether they have more than one active access key

Whether the active key is older than 90 days

Whether key rotation is enforced

The check fails if a user has multiple active keys or an active key older than 90 days.

How to fix it

Deactivate redundant or outdated access keys and enforce rotation practices.

From the AWS Console

Sign in to the IAM Console.

Navigate to Users and select a specific IAM user.

Under the Security Credentials tab, locate the Access Keys section.

Ensure only one key is active and that it's less than 90 days old.

Click Make Inactive next to any additional or old keys.

Confirm the action when prompted.

Repeat this for all IAM users in your account.

Using AWS CLI

# Deactivate an old or unused key aws iam update-access-key --user-name <user_name> --access-key-id <access_key_id> --status Inactive # Verify key status aws iam list-access-keys --user-name <user_name>

Exceptions

For automation scenarios where key rotation is managed externally or where dual keys are temporarily required:

Document the use case and expiration timeline

Set up CloudWatch alarms or IAM Access Analyzer to track key age

Ensure programmatic rotation workflows deactivate old keys automatically

Further Resources

AWS Access Keys Best Practices

Managing IAM Access Keys

IAM CLI Reference – update-access-key

Was this article helpful?

Powered by Product Fruits