Automating Deactivation of Inactive AWS Access Keys #915

Description

@halbfin

Motivation
Is mainly security and an easy way to deactivate AWS access keys that have not been used for a period.
The AWS best practice is 90d inactivity.

Describe the solution you'd like
Suggesting to add a policy - here is a link to a script that I found on the internet that deactivates the inactive keys.
https://www.nicks.io/automating-deactivation-of-inactive-aws-access-keys/
Suggestion is to run this at 80d and have the 7d "warning period" - then the deactivation would occur around day 87-90.

As an interim - I would add this in dry-run mode for 60d inactivity to allow more time for users to identify.
Then after about a month in dry-run, we should discuss - get OK and move to dry-run = no.

Describe alternatives you've considered
Not clear if/when the security team is implementing this

Additional context
Adding an additional request (similar) to notify of AWS keys that are > X days old and should be rotated.
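
The schedule proposed in this issue (warning at 80 days of inactivity, deactivation once the 7-day warning period has passed, dry-run first) as an added example; it is not part of the original issue or of the linked script. The record fields follow what IAM's `list_access_keys` and `get_access_key_last_used` return, and `RecordingIAM`, the user name and the sample keys are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

WARN_AFTER_DAYS = 80     # inactivity that opens the warning period (from the issue)
WARNING_PERIOD_DAYS = 7  # grace period before deactivation (from the issue)

def plan_action(key, now, warn_after=WARN_AFTER_DAYS, grace=WARNING_PERIOD_DAYS):
    """Classify one key record as 'skip', 'ok', 'warn' or 'deactivate'."""
    if key["Status"] != "Active":
        return "skip"
    # A never-used key has no LastUsedDate, so measure idleness from CreateDate.
    reference = key.get("LastUsedDate") or key["CreateDate"]
    idle_days = (now - reference).days
    if idle_days >= warn_after + grace:
        return "deactivate"
    return "warn" if idle_days >= warn_after else "ok"

def enforce(iam, user, keys, now, dry_run=True, **thresholds):
    """Return [(key_id, action)]; call IAM only when dry_run is False."""
    results = []
    for key in keys:
        action = plan_action(key, now, **thresholds)
        if action == "deactivate" and not dry_run:
            iam.update_access_key(UserName=user, AccessKeyId=key["AccessKeyId"],
                                  Status="Inactive")
        results.append((key["AccessKeyId"], action))
    return results

class RecordingIAM:
    """Stand-in for a boto3 IAM client that records calls instead of making them."""
    def __init__(self):
        self.calls = []
    def update_access_key(self, **kwargs):
        self.calls.append(kwargs)

# Constructed sample records (not real keys), relative to a fixed "now".
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
def _ago(days):
    return NOW - timedelta(days=days)
SAMPLE_KEYS = [
    {"AccessKeyId": "AKIAEXAMPLE0001", "Status": "Active", "CreateDate": _ago(400), "LastUsedDate": _ago(10)},
    {"AccessKeyId": "AKIAEXAMPLE0002", "Status": "Active", "CreateDate": _ago(400), "LastUsedDate": _ago(82)},
    {"AccessKeyId": "AKIAEXAMPLE0003", "Status": "Active", "CreateDate": _ago(95)},
    {"AccessKeyId": "AKIAEXAMPLE0004", "Status": "Inactive", "CreateDate": _ago(500)},
]

if __name__ == "__main__":
    for key_id, action in enforce(RecordingIAM(), "example-user", SAMPLE_KEYS, NOW):
        print(key_id, action)
```

Passing `warn_after=60` with `dry_run=True` gives the interim 60d dry-run mode described above, and a real boto3 IAM client can replace `RecordingIAM` once dry-run is switched off.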
