SCP for Blocking AWS Access Key Creation except for certain roles

One of the most important things to govern in AWS is access keys. I have seen a lot of organizations where users created a lot of keys and the governance team had a tough task eliminating or reducing them. So, as a first step, it is important to prevent the creation of access keys if you are going to do any governance around access key management. Let us see how to do this via an SCP.

Need for locking down Access Keys

Access keys, composed of an access key ID and a secret access key, are long-term credentials. While incredibly useful for scripting and automation, they also represent a significant risk. Unlike temporary credentials provided by IAM roles, static access keys don’t expire and can be a prime target for attackers. A simple mistake, like leaving a key in a public code repository or in the source code, can lead to a catastrophic data breach.

Deny-Based SCP for blocking Key Creation

The SCP works as a preventive guardrail. Our policy uses an explicit “Deny” statement to block all IAM users and roles from creating, deleting, or updating access keys, except for the Admin users. (If you need to allow certain other users or roles to create keys, that can also be done through this SCP by adding their ARNs to the list of principals in the Condition block.)

Let’s break down the policy to see how it works under the hood.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAllAccessKeyActivitiesForNonAdmins",
      "Effect": "Deny",
      "Action": [
        "iam:CreateAccessKey",
        "iam:DeleteAccessKey",
        "iam:UpdateAccessKey"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:PrincipalArn": [
            "arn:aws:iam::<YOUR_ACCOUNT_ID>:user/AdminUser",
            "arn:aws:iam::<YOUR_ACCOUNT_ID>:role/OrganizationAccountAccessRole"
          ]
        }
      }
    }
  ]
}
  • "Effect": "Deny": This is the most important part. It explicitly forbids the actions that follow. Deny statements always take precedence over allow statements.
  • "Action": Here, we’re targeting the exact IAM permissions we want to block: CreateAccessKey, DeleteAccessKey, and UpdateAccessKey.
  • "Condition": This is the magic that makes the policy flexible. The StringNotEquals condition ensures the “Deny” effect applies to everyone except for the specified AWS Principal ARNs (Amazon Resource Names). In this case, it’s our AdminUser and the OrganizationAccountAccessRole.
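
To make the Condition logic concrete, here is an added example (not code from the original article or from AWS) that evaluates the SCP above against a few requests. It assumes a constructed account ID, 111122223333, in place of <YOUR_ACCOUNT_ID>, and models only the policy elements this SCP uses.

```python
import json

# The article's SCP, embedded here with a constructed account ID
# (111122223333) in place of the <YOUR_ACCOUNT_ID> placeholder.
ACCOUNT_ID = "111122223333"
SCP = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAllAccessKeyActivitiesForNonAdmins",
      "Effect": "Deny",
      "Action": ["iam:CreateAccessKey", "iam:DeleteAccessKey", "iam:UpdateAccessKey"],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:PrincipalArn": [
            "arn:aws:iam::111122223333:user/AdminUser",
            "arn:aws:iam::111122223333:role/OrganizationAccountAccessRole"
          ]
        }
      }
    }
  ]
}
""")

def scp_denies(policy, principal_arn, action):
    """Return True when a Deny statement in the SCP matches this request.

    Models only what this SCP uses: Effect, exact Action names, Resource
    "*" and a StringNotEquals condition on aws:PrincipalArn. An SCP never
    grants anything, so False means "not blocked by this guardrail".
    For an assumed role AWS sets aws:PrincipalArn to the role ARN, which
    is why listing the role ARN exempts every session of that role.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"]
        actions = [actions] if isinstance(actions, str) else actions
        if action not in actions:
            continue
        cond = stmt.get("Condition", {}).get("StringNotEquals", {})
        exempt = cond.get("aws:PrincipalArn", [])
        exempt = [exempt] if isinstance(exempt, str) else exempt
        # StringNotEquals: the Deny applies to every principal NOT in the list.
        if principal_arn not in exempt:
            return True
    return False
```

A False result only means this guardrail does not block the call; the principal's own IAM policies still decide whether it is allowed.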

Implementing this SCP is a proactive step toward a more secure AWS environment. By preventing uncontrolled key management, you drastically reduce your attack surface and enforce a critical security best practice. Though this is a simple change, the SCP should be attached to all accounts, not just certain ones. If a team asks for an exception to this policy, they should provide proper business justification. Implementing this policy only for certain accounts does little to reduce the attack surface of AWS access keys.
