Single active access key per user
Description
Each IAM user has at most one active access key.
⚠️ Risk Impact
Multiple active keys per user complicate rotation + audit. Forgotten 'backup' keys often become breach entry points.
🔍 How EchelonGraph Detects This
EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected AWS accounts. Violations are flagged as medium-severity findings with remediation guidance.
🔧 Remediation
Audit for users with more than one active key. Consolidate each user to a single key, then delete the surplus key once nothing still depends on it. Automate the detection so it does not rely on periodic manual review.
💀 Real-World Attack Scenario
A developer had 3 IAM access keys 'for different environments'. Key #2 was committed to a public repo 8 months ago + never rotated. Discovered via researcher scan; $400K impact.
💰 Cost of Non-Compliance
Forgotten-key breaches: avg $400K-$2M.
📋 Audit Questions
- 1. Users with more than one active key?
- 2. Justification for each extra key?
- 3. Rotation cadence per key?
🎯 MITRE ATT&CK Mapping
⚡ Common Pitfalls
- ⛔ Multiple keys 'for convenience'
- ⛔ Keys committed to repos
- ⛔ Rotation that misses some of the keys
📈 Business Value
Single-key-per-user simplifies rotation + reduces forgotten-key risk.
⏱️ Effort Estimate
30 minutes per audit
EchelonGraph audits keys-per-user continuously
🔗 Cross-Framework References
Automate CIS AWS 1.13 compliance
EchelonGraph continuously monitors this control across all your cloud accounts.