IAM User Has Too Many Access Keys

Query id: 3561130e-9c5f-485b-9e16-2764c82763e5
Query name: IAM User Has Too Many Access Keys
Platform: Terraform
Severity: Medium
Category: Insecure Configurations
URL: Github

Description¶

Any IAM User should not have more than one access key since it increases the risk of unauthorized access and compromise credentials
Documentation

Code samples¶

Code samples with security vulnerabilities¶

Positive test num. 1 - tf file

resource "aws_iam_access_key" "positive1" {
  user    = aws_iam_user.lb.name
  pgp_key = "keybase:some_person_that_exists"
}

resource "aws_iam_access_key" "positive2" {
  user    = aws_iam_user.lb.name
  pgp_key = "keybase:some_person_that_exists"
}


resource "aws_iam_user" "lb" {
  name = "loadbalancer"
  path = "/system/"
}

Code samples without security vulnerabilities¶

Negative test num. 1 - tf file

resource "aws_iam_user" "userExample" {
  name = "loadbalancer"
  path = "/system/"

  tags = {
    tag-key = "tag-value"
  }
}

resource "aws_iam_access_key" "negative1" {
  user    = aws_iam_user.userExample.name
  pgp_key = "keybase:some_person_that_exists"
}