AWS-007 Amazon Web Services (AWS)

Active access keys are rotated at least every 90 days.

Domain: Amazon Web Services (AWS)
Area: IAM
Automated / manual: Automated

Risk if it fails

Stale keys that linger are more likely to be leaked and reused.

Old keys often end up in code, laptops and chat logs. An attacker who finds a years-old key can still use it because it was never retired.

How Tess tests it

1 test — each concludes only on cited evidence.

Active access keys are rotated at least every 90 days.

Automated
Procedure
Parse the credential report key rotation dates; flag keys older than 90 days.

Read-only command

aws iam get-credential-report --query 'Content' --output text | base64 -d | awk -F, '{print $1,$9,$10,$14,$15}'
