IAM Access Key Is Exposed

  • Query id: 7f79f858-fbe8-4186-8a2c-dfd0d958a40f
  • Query name: IAM Access Key Is Exposed
  • Platform: Ansible
  • Severity: Medium
  • Category: Access Control
  • URL: Github

Description

Check if IAM Access Key is active for some user besides 'root'
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
- name: Create two new IAM users with API keys
  community.aws.iam:
    iam_type: user
    name: "{{ item }}"
    state: present
    password: "{{ temp_pass }}"
    access_key_state: active
  loop:
    - jcleese
    - mpython
- name: Create two new IAM users with API keys
  community.aws.iam:
    iam_type: user
    name: "{{ item }}"
    state: present
    password: "{{ temp_pass }}"
    access_key_state: active
  loop:
    - root
    - mpython
- name: Create Two Groups, Mario and Luigi
  community.aws.iam:
    iam_type: group
    name: "{{ item }}"
    state: present
    access_key_state: active
  loop:
    - Mario
    - Luigi
  register: new_groups
- name: Update user
  community.aws.iam:
    iam_type: user
    name: jdavila
    state: update
    access_key_state: active
    groups: "{{ item.created_group.group_name }}"
  loop: "{{ new_groups.results }}"

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
# Basic user creation example
- name: Create two new IAM users with API keys
  community.aws.iam:
    iam_type: user
    name: '{{ item }}'
    state: present
    password: '{{ temp_pass }}'
    access_key_state: create
  loop:
  - jcleese
  - mpython

# Basic user creation example
- name: Create two new IAM users with API keys
  community.aws.iam:
    iam_type: user
    name: root
    state: present
    password: '{{ temp_pass }}'
    access_key_state: active

- name: Create Two Groups, Mario and Luigi
  community.aws.iam:
    iam_type: group
    name: '{{ item }}'
    state: present
  loop:
  - Mario
  - Luigi
  register: new_groups

- name: Update user
  community.aws.iam:
    iam_type: user
    name: jdavila
    state: update
    access_key_state: inactive
    groups: '{{ item.created_group.group_name }}'
  loop: '{{ new_groups.results }}'