Access keys rotated within 90 days
Description
All IAM access keys rotated at least every 90 days.
⚠️ Risk Impact
Static long-lived credentials accumulate exposure. 90-day rotation limits damage from any leak.
🔍 How EchelonGraph Detects This
EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected AWS accounts. Violations are flagged as high-severity findings with remediation guidance.
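The check itself can be reproduced from the IAM credential report (the CSV that `aws iam get-credential-report` returns). The script below is an added example, not EchelonGraph's scanner; the column layout follows the report AWS emits, but the three rows are constructed sample data and the account id, user names and timestamps are invented.

```python
"""Flag active IAM access keys whose last rotation is older than 90 days.

Added example (not EchelonGraph's code). Input is the IAM credential report CSV;
SAMPLE_REPORT below is constructed data in that layout.
"""
import csv
import io
from datetime import datetime, timezone

MAX_KEY_AGE_DAYS = 90

# Constructed sample credential report: real column headers, invented values.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2019-01-10T09:00:00+00:00,not_supported,2024-05-01T10:00:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2021-03-02T12:00:00+00:00,false,N/A,N/A,N/A,false,true,2021-03-02T12:05:00+00:00,2024-05-30T08:00:00+00:00,us-east-1,sts,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2023-11-01T08:00:00+00:00,true,2024-05-29T07:00:00+00:00,2024-03-01T08:00:00+00:00,N/A,true,true,2024-04-15T09:00:00+00:00,2024-05-28T11:00:00+00:00,eu-west-1,s3,true,2024-01-20T09:00:00+00:00,N/A,N/A,N/A,false,N/A,false,N/A
"""


def _parse_ts(value):
    """Return an aware datetime, or None for the report's N/A-style markers."""
    if value in ("N/A", "not_supported", "no_information", ""):
        return None
    return datetime.fromisoformat(value)


def stale_keys(report_csv, now=None, max_age_days=MAX_KEY_AGE_DAYS):
    """One finding per *active* key rotated more than max_age_days ago.

    Inactive keys are skipped: they cannot be used, and cleaning them up is a
    separate control. Both key slots of every user are inspected.
    """
    now = now or datetime.now(timezone.utc)
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            rotated = _parse_ts(row[f"access_key_{slot}_last_rotated"])
            if rotated is None:
                continue
            age_days = (now - rotated).days
            if age_days > max_age_days:
                findings.append({
                    "user": row["user"],
                    "key_slot": int(slot),
                    "age_days": age_days,
                    "last_used": row[f"access_key_{slot}_last_used_date"],
                })
    return findings


def sample_findings():
    """Run the check over the constructed report at a fixed 'now' (2024-06-01 UTC)."""
    return stale_keys(SAMPLE_REPORT, now=datetime(2024, 6, 1, tzinfo=timezone.utc))


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f['user']}: key {f['key_slot']} is {f['age_days']} days old "
              f"(last used {f['last_used']})")
```

Against the sample data this flags the `ci-deploy` key (created with the user in 2021 and never rotated, the shape of the scenario described further down) and `alice`'s second key, while her recently rotated first key passes. Feeding the real report in is a matter of replacing `SAMPLE_REPORT` with the decoded `Content` field from `get-credential-report`.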
🔧 Remediation
Workload Identity Federation (replace static keys with short-lived OIDC tokens). For required static keys: automated rotation.
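For keys that genuinely have to stay static, "automated rotation" means the two-slot dance IAM allows: create the second key, switch the consumer over, prove the new key works, and only then disable the old one (deleting it on the next run). The script below is an added example, not EchelonGraph's code. `FakeIam` is a constructed in-memory stand-in that mirrors the boto3 `iam` client calls used (`create_access_key`, `update_access_key`, `delete_access_key`, `list_access_keys`) and IAM's two-keys-per-user limit, so `boto3.client("iam")` can be dropped in its place; `deploy_secret` and `verify_new_key` are hypothetical hooks standing in for the secret store write and a real STS check.

```python
"""Zero-downtime rotation of a required static IAM access key.

Added example, not EchelonGraph's code. FakeIam is a constructed stand-in for the
boto3 iam client; deploy_secret/verify_new_key are hypothetical consumer hooks.
"""
import itertools


class FakeIam:
    """Minimal IAM model: at most two keys per user, each Active or Inactive."""
    MAX_KEYS_PER_USER = 2

    def __init__(self):
        self._keys = {}  # user -> list of {"AccessKeyId", "Status"}
        self._ids = itertools.count(1)

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [dict(k, UserName=UserName)
                                      for k in self._keys.get(UserName, [])]}

    def create_access_key(self, UserName):
        keys = self._keys.setdefault(UserName, [])
        if len(keys) >= self.MAX_KEYS_PER_USER:
            raise RuntimeError("LimitExceeded: user already has 2 access keys")
        key = {"AccessKeyId": f"AKIAFAKE{next(self._ids):08d}", "Status": "Active"}
        keys.append(key)
        return {"AccessKey": dict(key, SecretAccessKey="constructed-secret")}

    def update_access_key(self, UserName, AccessKeyId, Status):
        self._find(UserName, AccessKeyId)["Status"] = Status

    def delete_access_key(self, UserName, AccessKeyId):
        self._keys[UserName].remove(self._find(UserName, AccessKeyId))

    def _find(self, user, key_id):
        for k in self._keys.get(user, []):
            if k["AccessKeyId"] == key_id:
                return k
        raise KeyError(f"NoSuchEntity: {key_id}")


def rotate_access_key(iam, user, deploy_secret, verify_new_key):
    """Rotate `user`'s single active key with no window in which no key works.

    The new key is created and verified *before* the old one is touched, and the
    old one is only set Inactive (not deleted), so a consumer that was missed can
    be rescued by re-activating it. The Inactive leftover is deleted next run.
    """
    keys = iam.list_access_keys(UserName=user)["AccessKeyMetadata"]
    for k in keys:  # free the second slot of any leftover from the last rotation
        if k["Status"] == "Inactive":
            iam.delete_access_key(UserName=user, AccessKeyId=k["AccessKeyId"])
    active = [k for k in keys if k["Status"] == "Active"]
    if len(active) != 1:
        raise RuntimeError(f"expected one active key for {user}, found {len(active)}")
    old_id = active[0]["AccessKeyId"]

    new = iam.create_access_key(UserName=user)["AccessKey"]
    deploy_secret(user, new["AccessKeyId"], new["SecretAccessKey"])
    if not verify_new_key(new["AccessKeyId"]):
        # Roll back: the old key is still active, so nothing has broken.
        iam.delete_access_key(UserName=user, AccessKeyId=new["AccessKeyId"])
        raise RuntimeError("new key failed verification; old key left active")

    iam.update_access_key(UserName=user, AccessKeyId=old_id, Status="Inactive")
    return {"old": old_id, "new": new["AccessKeyId"]}


def demo():
    """Two consecutive rotations against the stand-in; returns both results and the end state."""
    iam = FakeIam()
    iam.create_access_key(UserName="ci-deploy")  # the pre-existing long-lived key
    store = {}

    def deploy_secret(user, key_id, secret):
        store[user] = (key_id, secret)  # stand-in for a secret-manager write

    def verify_new_key(key_id):
        return store["ci-deploy"][0] == key_id  # stand-in for a real STS call

    first = rotate_access_key(iam, "ci-deploy", deploy_secret, verify_new_key)
    second = rotate_access_key(iam, "ci-deploy", deploy_secret, verify_new_key)
    return first, second, iam.list_access_keys(UserName="ci-deploy")["AccessKeyMetadata"]


if __name__ == "__main__":
    for step in demo()[:2]:
        print(f"rotated {step['old']} -> {step['new']}")
```

Scheduling `rotate_access_key` every 60 to 80 days keeps every active key inside the 90-day window; the verification step is what makes it safe to run unattended, since a failed switch leaves the old key active instead of locking the workload out.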
💀 Real-World Attack Scenario
An AWS access key was committed to GitHub in 2021 and never rotated. In 2024, automated repo scanners found it and abused it for cryptomining. The key had been valid for 3 years; $87K compute fraud.
💰 Cost of Non-Compliance
Long-lived static keys: avg $400K per incident.
📋 Audit Questions
1. Maximum key age?
2. Rotation automation?
3. Workload Identity Federation in use?
🎯 MITRE ATT&CK Mapping
🏗️ Infrastructure as Code Fix
# Replace static keys with IRSA (IAM Roles for Service Accounts):
resource "aws_iam_role" "app" {
  assume_role_policy = data.aws_iam_policy_document.irsa_assume.json
}

data "aws_iam_policy_document" "irsa_assume" {
  statement {
    effect = "Allow"
    principals {
      type        = "Federated"
      identifiers = ["arn:aws:iam::ACCOUNT:oidc-provider/oidc.eks.REGION.amazonaws.com/id/CLUSTER"]
    }
    actions = ["sts:AssumeRoleWithWebIdentity"]
    # Without this condition any pod in the cluster could assume the role.
    # Pin the trust to one service account; NAMESPACE and SERVICE_ACCOUNT are
    # placeholders like ACCOUNT, REGION and CLUSTER above.
    condition {
      test     = "StringEquals"
      variable = "oidc.eks.REGION.amazonaws.com/id/CLUSTER:sub"
      values   = ["system:serviceaccount:NAMESPACE:SERVICE_ACCOUNT"]
    }
  }
}
⚡ Common Pitfalls
- ⛔ Manual rotation skipped
- ⛔ Static keys in CI/CD where federation would work
- ⛔ Keys in version control, even in private repos
📈 Business Value
Federation eliminates 95%+ of static-key risk.
⏱️ Effort Estimate
Per-workload federation migration.
EchelonGraph identifies keys older than 90 days and workloads still using static keys.
🔗 Cross-Framework References
Automate CIS AWS 1.14 compliance
EchelonGraph continuously monitors this control across all your cloud accounts.