Multiple active access keys
Check ID: aws-iam-009
AWS-IAM-009 is an AWS security check performed by cloud-audit, an open-source AWS security scanner. Checks if any IAM user has more than one active access key. Multiple active keys increase the attack surface and make key management harder.
Why it matters
Each active access key is a credential that can be independently compromised. IAM allows at most two access keys per user, so this finding means both slots are live: the attack surface is doubled and it is unclear which key is in use by which application. During incident response the team needs to identify and rotate a compromised key quickly, but with two active keys it is unclear which one was leaked and which services will break when one is disabled. The recommended rotation procedure (create the new key, update the services, deactivate the old key) legitimately leaves two keys active for a short window; if the old key is never deactivated, you accumulate forgotten credentials. IAM records the last-used date, service and region per key (aws iam get-access-key-last-used, also visible in the credential report as access_key_1_last_used_date and access_key_2_last_used_date; IAM Access Advisor reports last access per service, not per key), and CloudTrail records the key ID in every event's userIdentity.accessKeyId, so the idle key can be identified before anything is deactivated.
Common causes
The standard key rotation procedure creates a second key before deactivating the first, but teams forget to complete the final deactivation step. Different applications owned by different teams may each create their own key for the same IAM user, resulting in parallel active keys. Automated rotation scripts may create new keys but fail to deactivate old ones because an error after the create step is not handled, leaving both keys active.
Detection
Run cloud-audit to detect this issue:
pip install cloud-audit
cloud-audit scan -R
The -R flag includes remediation details for every finding, including this one.
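To show what the check looks at, and how the per-key last-used data narrows down which of the two keys to deactivate, here is an added example in Python. It is not cloud-audit's own implementation: the user names, key IDs and dates are constructed, the seven-day "still in service" window is an assumption, and the optional live path uses boto3's list_users, list_access_keys and get_access_key_last_used calls.

```python
"""Flag IAM users with more than one active access key and pick the key to
deactivate, using the same per-key metadata AWS returns.

Added example, not cloud-audit's own implementation. The sample users and key
IDs below are constructed."""
from datetime import datetime, timedelta, timezone

# Assumption: a key used more recently than this is treated as still in service.
IN_USE_WINDOW = timedelta(days=7)


def find_multiple_active_keys(keys_by_user, now):
    """keys_by_user maps a user name to a list of dicts with AccessKeyId,
    Status ("Active"/"Inactive"), CreateDate and LastUsedDate (None if the
    key has never signed a request). Returns one finding per user that has
    two or more active keys, naming the key that should be deactivated."""
    findings = []
    for user, keys in keys_by_user.items():
        active = [k for k in keys if k["Status"] == "Active"]
        if len(active) < 2:
            continue
        never_used = [k for k in active if k["LastUsedDate"] is None]
        if never_used:
            # A key that has never been used cannot break a running service.
            victim = min(never_used, key=lambda k: k["CreateDate"])
            safe, reason = True, "never used"
        else:
            victim = min(active, key=lambda k: k["LastUsedDate"])
            idle_days = (now - victim["LastUsedDate"]).days
            if now - victim["LastUsedDate"] <= IN_USE_WINDOW:
                # Even the least-recently-used key signed a request recently:
                # two callers share the user, so deactivating either breaks one.
                safe = False
                reason = (f"all active keys used within {IN_USE_WINDOW.days} days; "
                          "find the caller in CloudTrail (userIdentity.accessKeyId) first")
            else:
                safe, reason = True, f"last used {idle_days} days ago"
        findings.append({
            "user": user,
            "active_keys": sorted(k["AccessKeyId"] for k in active),
            "deactivate": victim["AccessKeyId"],
            "safe_to_deactivate": safe,
            "reason": reason,
        })
    return findings


def remediation_command(user, key_id):
    """First step of the fix: deactivation is reversible, deletion is not."""
    return (f"aws iam update-access-key --user-name {user} "
            f"--access-key-id {key_id} --status Inactive")


def fetch_keys_by_user(iam):
    """Build the same structure from a live account with a boto3 IAM client.
    Paginators are used because ListUsers and ListAccessKeys truncate."""
    out = {}
    for page in iam.get_paginator("list_users").paginate():
        for user in page["Users"]:
            name = user["UserName"]
            out[name] = []
            for kpage in iam.get_paginator("list_access_keys").paginate(UserName=name):
                for k in kpage["AccessKeyMetadata"]:
                    used = iam.get_access_key_last_used(
                        AccessKeyId=k["AccessKeyId"])["AccessKeyLastUsed"]
                    out[name].append({
                        "AccessKeyId": k["AccessKeyId"],
                        "Status": k["Status"],
                        "CreateDate": k["CreateDate"],
                        "LastUsedDate": used.get("LastUsedDate"),  # absent if never used
                    })
    return out


# Constructed sample data (fake key IDs) covering the common causes above.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def _key(key_id, status, created_days_ago, used_days_ago):
    return {"AccessKeyId": key_id, "Status": status,
            "CreateDate": NOW - timedelta(days=created_days_ago),
            "LastUsedDate": None if used_days_ago is None else NOW - timedelta(days=used_days_ago)}


SAMPLE_KEYS = {
    # Rotation done except the final step: the old key is still active but idle.
    "ci-deployer": [_key("AKIA0000000000000OLD", "Active", 400, 95),
                    _key("AKIA0000000000000NEW", "Active", 90, 1)],
    # Compliant: the second key was deactivated after rotation.
    "analyst": [_key("AKIA000000000000ANA1", "Inactive", 300, 120),
                _key("AKIA000000000000ANA2", "Active", 100, 2)],
    # Two teams each created a key for the same user; both are live.
    "shared-svc": [_key("AKIA000000000000SVC1", "Active", 200, 2),
                   _key("AKIA000000000000SVC2", "Active", 150, 0)],
    # A spare key created "just in case" and never used.
    "backup-bot": [_key("AKIA000000000000BOT1", "Active", 250, 3),
                   _key("AKIA000000000000BOT2", "Active", 10, None)],
}

if __name__ == "__main__":
    import sys
    if "--live" in sys.argv:
        import boto3  # only needed against a real account
        keys, now = fetch_keys_by_user(boto3.client("iam")), datetime.now(timezone.utc)
    else:
        keys, now = SAMPLE_KEYS, NOW
    for f in find_multiple_active_keys(keys, now):
        flag = "" if f["safe_to_deactivate"] else "  [VERIFY FIRST]"
        print(f"{f['user']}: active keys {f['active_keys']}{flag}")
        print(f"  {f['reason']}: {remediation_command(f['user'], f['deactivate'])}")
```

Run it without arguments to see the constructed findings, or with --live (and AWS credentials that allow iam:ListUsers, iam:ListAccessKeys and iam:GetAccessKeyLastUsed) against a real account. The "shared-svc" case is the one that matters in practice: when both keys have been used recently, the older key is not the idle one, and the script refuses to recommend a deactivation until CloudTrail has shown who the second caller is.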
Remediation: AWS CLI
# Deactivate the idle key (usually the older one); deactivation is reversible, deletion is not:
aws iam update-access-key --user-name USERNAME --access-key-id OLDER_KEY_ID --status Inactive
Check the last-used date of both keys before choosing OLDER_KEY_ID, since the older key is not always the idle one. If something breaks, the key can be set back to Active; once nothing has failed, delete it (aws iam delete-access-key) so it cannot be quietly re-enabled later.
Remediation: Terraform
# Declare exactly one aws_iam_access_key resource per user so Terraform creates a single key.
# Keys created outside Terraform are not tracked by it, which is why the scanner check still matters.
resource "aws_iam_access_key" "user" {
  user = "username"
}
Compliance mapping
This check maps to CIS 1.13 in the CIS AWS Foundations Benchmark ("Ensure there is only one active access key available for any single IAM user"; this numbering applies from v1.4.0 onward). The CIS Benchmark provides prescriptive guidance for configuring security options for a subset of AWS services.
This check is part of cloud-audit - install with pip install cloud-audit
Related article
AWS Security Audit: 17 Issues in Every Account →