# Step 1: Evidence Details

|System|Source of data|Frameworks|Purpose|
|---|---|---|---|
|AWS|AWS Config|AWS Config|Check if access key rotated periodically|
|AWS|AWS Security Hub|AWS|AccessKey Rotated every 90 days or less|

```
Purpose: The purpose of the AWS Access Key rotation rule is to enhance security by regularly replacing the access keys used for programmatic access to AWS resources. Rotating keys reduces the risk of unauthorized access due to compromised or leaked credentials and ensures that access keys are regularly refreshed, minimizing the window of vulnerability.
```
```
RecommendedEvidenceName: AccessKeysRotated
```

# Step 2: Define the System Specific Data (a.k.a. Extended Data Schema)

AWS example (an AWS Security Hub finding for control IAM.3):

```json
[
  {
    "Action": null,
    "AwsAccountId": "022654265366",
    "CompanyName": "AWS",
    "Compliance": {
      "AssociatedStandards": [
        {
          "StandardsId": "ruleset/cis-aws-foundations-benchmark/v/1.2.0"
        }
      ],
      "RelatedRequirements": null,
      "SecurityControlId": "IAM.3",
      "Status": "FAILED",
      "StatusReasons": null
    },
    "Confidence": null,
    "CreatedAt": "2023-12-11T00:56:35.443Z",
    "Criticality": null,
    "Description": "Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. It is recommended that all access keys be regularly rotated.",
    "FindingProviderFields": {
      "Confidence": null,
      "Criticality": null,
      "RelatedFindings": null,
      "Severity": {
        "Label": "MEDIUM",
        "Original": "MEDIUM"
      },
      "Types": [
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
      ]
    },
    "FirstObservedAt": "2023-12-11T00:56:35.443Z",
    "GeneratorDetails": null,
    "GeneratorId": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/1.4",
    "Id": "arn:aws:securityhub:us-east-1:022654265366:subscription/cis-aws-foundations-benchmark/v/1.2.0/1.4/finding/ebfcbcb5-5daa-47c5-9dfb-bd38f85353e0",
    "LastObservedAt": "2023-12-28T00:55:33.927Z",
    "Malware": null,
    "Network": null,
    "NetworkPath": null,
    "Note": null,
    "PatchSummary": null,
    "Process": null,
    "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub",
    "ProductFields": {
      "RecommendationUrl": "https://docs.aws.amazon.com/console/securityhub/IAM.3/remediation",
      "RelatedAWSResources:0/name": "securityhub-access-keys-rotated-3c0893e3",
      "RelatedAWSResources:0/type": "AWS::Config::ConfigRule",
      "Resources:0/Id": "arn:aws:iam::022654265366:user/test-user-one",
      "RuleId": "1.4",
      "StandardsControlArn": "arn:aws:securityhub:us-east-1:022654265366:control/cis-aws-foundations-benchmark/v/1.2.0/1.4",
      "StandardsGuideArn": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0",
      "StandardsGuideSubscriptionArn": "arn:aws:securityhub:us-east-1:022654265366:subscription/cis-aws-foundations-benchmark/v/1.2.0",
      "aws/securityhub/CompanyName": "AWS",
      "aws/securityhub/FindingId": "arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:022654265366:subscription/cis-aws-foundations-benchmark/v/1.2.0/1.4/finding/ebfcbcb5-5daa-47c5-9dfb-bd38f85353e0",
      "aws/securityhub/ProductName": "Security Hub"
    },
    "ProductName": "Security Hub",
    "RecordState": "ACTIVE",
    "Region": "us-east-1",
    "RelatedFindings": null,
    "Remediation": {
      "Recommendation": {
        "Text": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.",
        "Url": "https://docs.aws.amazon.com/console/securityhub/IAM.3/remediation"
      }
    },
    "Resources": [
      {
        "DataClassification": null,
        "Details": {
          "AwsAmazonMqBroker": null,
          "AwsApiGatewayRestApi": null,
          "AwsApiGatewayStage": null,
          "AwsApiGatewayV2Api": null,
          "AwsApiGatewayV2Stage": null,
          "AwsAppSyncGraphQlApi": null,
          "AwsAthenaWorkGroup": null,
          "AwsAutoScalingAutoScalingGroup": null,
          "AwsAutoScalingLaunchConfiguration": null,
          "AwsBackupBackupPlan": null,
          "AwsBackupBackupVault": null,
          "AwsBackupRecoveryPoint": null,
          "AwsCertificateManagerCertificate": null,
          "AwsCloudFormationStack": null,
          "AwsCloudFrontDistribution": null,
          "AwsCloudTrailTrail": null,
          "AwsCloudWatchAlarm": null,
          "AwsCodeBuildProject": null,
          "AwsDmsEndpoint": null,
          "AwsDmsReplicationInstance": null,
          "AwsDmsReplicationTask": null,
          "AwsDynamoDbTable": null,
          "AwsEc2Eip": null,
          "AwsEc2Instance": null,
          "AwsEc2LaunchTemplate": null,
          "AwsEc2NetworkAcl": null,
          "AwsEc2NetworkInterface": null,
          "AwsEc2RouteTable": null,
          "AwsEc2SecurityGroup": null,
          "AwsEc2Subnet": null,
          "AwsEc2TransitGateway": null,
          "AwsEc2Volume": null,
          "AwsEc2Vpc": null,
          "AwsEc2VpcEndpointService": null,
          "AwsEc2VpcPeeringConnection": null,
          "AwsEc2VpnConnection": null,
          "AwsEcrContainerImage": null,
          "AwsEcrRepository": null,
          "AwsEcsCluster": null,
          "AwsEcsContainer": null,
          "AwsEcsService": null,
          "AwsEcsTask": null,
          "AwsEcsTaskDefinition": null,
          "AwsEfsAccessPoint": null,
          "AwsEksCluster": null,
          "AwsElasticBeanstalkEnvironment": null,
          "AwsElasticsearchDomain": null,
          "AwsElbLoadBalancer": null,
          "AwsElbv2LoadBalancer": null,
          "AwsEventSchemasRegistry": null,
          "AwsEventsEndpoint": null,
          "AwsEventsEventbus": null,
          "AwsGuardDutyDetector": null,
          "AwsIamAccessKey": null,
          "AwsIamGroup": null,
          "AwsIamPolicy": null,
          "AwsIamRole": null,
          "AwsIamUser": {
            "AttachedManagedPolicies": null,
            "CreateDate": "2023-08-28T12:58:50.000Z",
            "GroupList": [
              "Force_MFA",
              "ContinubeReadOnly"
            ],
            "Path": "/",
            "PermissionsBoundary": null,
            "UserId": "ALKFGDTVBVEHVZBV5",
            "UserName": "test-user-one",
            "UserPolicyList": null
          },
          "AwsKinesisStream": null,
          "AwsKmsKey": null,
          "AwsLambdaFunction": null,
          "AwsLambdaLayerVersion": null,
          "AwsMskCluster": null,
          "AwsNetworkFirewallFirewall": null,
          "AwsNetworkFirewallFirewallPolicy": null,
          "AwsNetworkFirewallRuleGroup": null,
          "AwsOpenSearchServiceDomain": null,
          "AwsRdsDbCluster": null,
          "AwsRdsDbClusterSnapshot": null,
          "AwsRdsDbInstance": null,
          "AwsRdsDbSecurityGroup": null,
          "AwsRdsDbSnapshot": null,
          "AwsRdsEventSubscription": null,
          "AwsRedshiftCluster": null,
          "AwsRoute53HostedZone": null,
          "AwsS3AccountPublicAccessBlock": null,
          "AwsS3Bucket": null,
          "AwsS3Object": null,
          "AwsSageMakerNotebookInstance": null,
          "AwsSecretsManagerSecret": null,
          "AwsSnsTopic": null,
          "AwsSqsQueue": null,
          "AwsSsmPatchCompliance": null,
          "AwsStepFunctionStateMachine": null,
          "AwsWafRateBasedRule": null,
          "AwsWafRegionalRateBasedRule": null,
          "AwsWafRegionalRule": null,
          "AwsWafRegionalRuleGroup": null,
          "AwsWafRegionalWebAcl": null,
          "AwsWafRule": null,
          "AwsWafRuleGroup": null,
          "AwsWafWebAcl": null,
          "AwsWafv2RuleGroup": null,
          "AwsWafv2WebAcl": null,
          "AwsXrayEncryptionConfig": null,
          "Container": null,
          "Other": null
        },
        "Id": "arn:aws:iam::022654265366:user/test-user-one",
        "Partition": "aws",
        "Region": "us-east-1",
        "ResourceRole": null,
        "Tags": null,
        "Type": "AwsIamUser"
      }
    ],
    "Sample": null,
    "SchemaVersion": "2018-10-08",
    "Severity": {
      "Label": "MEDIUM",
      "Normalized": 40,
      "Original": "MEDIUM",
      "Product": 40
    },
    "SourceUrl": null,
    "ThreatIntelIndicators": null,
    "Threats": null,
    "Title": "1.4 Ensure access keys are rotated every 90 days or less",
    "Types": [
      "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
    ],
    "UpdatedAt": "2023-12-28T00:55:24.749Z",
    "UserDefinedFields": null,
    "VerificationState": null,
    "Vulnerabilities": null,
    "Workflow": {
      "Status": "NEW"
    },
    "WorkflowState": "NEW"
  }
]
```

# Step 3: Define the Standard Schema

```
{
    # Meta
    "System": "aws",
    "Source": "compliancecow",

    # Resource info
    "ResourceID": "arn:aws:iam::022654265366:user/test-user-one",
    "ResourceName": "AccessKey1",
    "ResourceType": "AwsIamUser",
    "ResourceLocation": "global",
    "ResourceTags": null,

    # Data
    "AccessKeyActive": "true",
    "AccessKeyLastRotated": "2023-03-24T13:11:23+00:00",
    "AccessKeyAge": 273,
    "AccesskeyLastUsedDate": "2023-12-20T13:34:00+00:00",

    # Compliance details
    "ValidationStatusCode": "ACCESS_KEY_NOT_ROTATED_WITHIN_TIME_PERIOD",
    "ValidationStatusNotes": "The access key has not been rotated",
    "ComplianceStatus": "NON_COMPLIANT",
    "ComplianceStatusReason": "Record is not compliant as the access key was not rotated properly",
    "EvaluatedTime": "2023-12-22T07:03:37.417Z",

    # User editable data
    "UserAction": "",

    # Action editable data
    "ActionStatus": "",
    "ActionResponseURL": ""
}
```

# Step 3.a: Sample Data

|System|Source|ResourceID|ResourceName|ResourceType|ResourceLocation|ResourceTags|AccessKeyActive|AccessKeyLastRotated|AccessKeyAge|AccesskeyLastUsedDate|ValidationStatusCode|ValidationStatusNotes|ComplianceStatus|ComplianceStatusReason|EvaluatedTime|UserAction|ActionStatus|ActionResponseURL|
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|aws|compliancecow|arn:aws:iam::022654265366:user/test-user-one|AccessKey1|AwsIamUser|global||true|2023-03-24T13:11:23+00:00|273|2023-12-20T13:34:00+00:00|ACCESS_KEY_NOT_ROTATED_WITHIN_TIME_PERIOD|The access key has not been rotated|NON_COMPLIANT|Record is not compliant as the access key was not rotated properly|2023-12-22T07:03:37.417Z||||
|aws|compliancecow|arn:aws:iam::022654265366:user/test-user-two|AccessKey1|AwsIamUser|global||true|2023-11-16T05:00:21+00:00|36|2023-11-17T07:31:00+00:00|ACCESS_KEY_ROTATED_WITHIN_TIME_PERIOD|The access key is rotated|COMPLIANT|Record is compliant as the access key was rotated properly|2023-12-22T07:03:37.417Z||||
|aws|compliancecow|arn:aws:iam::022654265366:user/test-user-three|AccessKey2|AwsIamUser|global||true|2023-12-18T07:59:42+00:00|4|2023-12-18T08:12:00+00:00|ACCESS_KEY_ROTATED_WITHIN_TIME_PERIOD|The access key is rotated|COMPLIANT|Record is compliant as the access key was rotated properly|2023-12-22T07:03:37.417Z||||

# Step 4: Describe the Compliance Taxonomy

|AccessKeyAge|ValidationStatusCode|ValidationStatusNotes|ComplianceStatus|ComplianceStatusReason|
|---|---|---|---|---|
|< MaxAccessKeyAge|ACCESS_KEY_ROTATED_WITHIN_TIME_PERIOD|The access key is rotated|COMPLIANT|Record is compliant as the access key was rotated properly|
|> MaxAccessKeyAge|ACCESS_KEY_NOT_ROTATED_WITHIN_TIME_PERIOD|The access key has not been rotated|NON_COMPLIANT|Record is not compliant as the access key was not rotated properly|

# Step 5: Calculation for Compliance Percentage and Status

```
# Calculation of Compliance Percentage
CompliancePCT = (100 - (Count of 'NON_COMPLIANT' records * 100) / Total records)

# Compliance Status
# COMPLIANT      - CompliancePCT == 100%
# NON_COMPLIANT  - 0% <= CompliancePCT < 100%
# NOT_DETERMINED - no records are found in the account
```
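The following Python is an added example, not code from the rule itself, that carries Steps 3 to 5 through end to end: it maps rows of an IAM credential report (the `AWSCredentialReport` prerequisite named in Step 7) to the standard schema, applies the Step 4 taxonomy, and computes the Step 5 percentage and status. Assumptions: the credential-report rows are constructed from the Step 3.a sample values and keep only the `access_key_1_*` columns; `MAX_ACCESS_KEY_AGE` is an assumed parameter name for the 90-day limit; an age exactly equal to the limit is treated as compliant, following the "90 days or less" wording in Step 1; and `AccessKeyAge` is counted in whole calendar days, which reproduces the 273/36/4 values in the sample data.

```python
import csv
import io
from datetime import datetime

# Assumed parameter name for the rotation limit ("rotated every 90 days or less").
MAX_ACCESS_KEY_AGE = 90

# Constructed subset of an IAM credential report (only the access_key_1 columns),
# with values taken from the Step 3.a sample data.
CREDENTIAL_REPORT = """user,arn,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date
test-user-one,arn:aws:iam::022654265366:user/test-user-one,true,2023-03-24T13:11:23+00:00,2023-12-20T13:34:00+00:00
test-user-two,arn:aws:iam::022654265366:user/test-user-two,true,2023-11-16T05:00:21+00:00,2023-11-17T07:31:00+00:00
test-user-three,arn:aws:iam::022654265366:user/test-user-three,true,2023-12-18T07:59:42+00:00,2023-12-18T08:12:00+00:00
"""

EVALUATED_TIME = "2023-12-22T07:03:37.417Z"


def parse_ts(value):
    """Parse the ISO-8601 timestamps used by the credential report and ASFF ('Z' or '+00:00')."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def access_key_age(last_rotated, evaluated_time):
    """Age in whole calendar days (matches the AccessKeyAge values in the sample data)."""
    return (parse_ts(evaluated_time).date() - parse_ts(last_rotated).date()).days


def classify(age, max_age=MAX_ACCESS_KEY_AGE):
    """Step 4 taxonomy; age == max_age is treated as compliant (assumption, see lead-in)."""
    if age <= max_age:
        return {
            "ValidationStatusCode": "ACCESS_KEY_ROTATED_WITHIN_TIME_PERIOD",
            "ValidationStatusNotes": "The access key is rotated",
            "ComplianceStatus": "COMPLIANT",
            "ComplianceStatusReason": "Record is compliant as the access key was rotated properly",
        }
    return {
        "ValidationStatusCode": "ACCESS_KEY_NOT_ROTATED_WITHIN_TIME_PERIOD",
        "ValidationStatusNotes": "The access key has not been rotated",
        "ComplianceStatus": "NON_COMPLIANT",
        "ComplianceStatusReason": "Record is not compliant as the access key was not rotated properly",
    }


def to_standard_schema(row, evaluated_time=EVALUATED_TIME):
    """Map one credential-report row (access key 1) to the Step 3 standard schema."""
    age = access_key_age(row["access_key_1_last_rotated"], evaluated_time)
    record = {
        "System": "aws",
        "Source": "compliancecow",
        "ResourceID": row["arn"],
        "ResourceName": "AccessKey1",
        "ResourceType": "AwsIamUser",
        "ResourceLocation": "global",
        "ResourceTags": None,
        "AccessKeyActive": row["access_key_1_active"],
        "AccessKeyLastRotated": row["access_key_1_last_rotated"],
        "AccessKeyAge": age,
        "AccesskeyLastUsedDate": row["access_key_1_last_used_date"],
        "EvaluatedTime": evaluated_time,
        "UserAction": "",
        "ActionStatus": "",
        "ActionResponseURL": "",
    }
    record.update(classify(age))
    return record


def evaluate_report(report_csv, evaluated_time=EVALUATED_TIME):
    """Build one standard-schema record per user that has an access key 1.
    The credential report puts 'N/A' in the date columns when no key exists."""
    rows = csv.DictReader(io.StringIO(report_csv))
    return [to_standard_schema(r, evaluated_time)
            for r in rows if r["access_key_1_last_rotated"] != "N/A"]


def compliance_summary(records):
    """Step 5: CompliancePCT = 100 - (non-compliant * 100) / total; NOT_DETERMINED when empty."""
    total = len(records)
    if total == 0:
        return {"CompliancePCT": None, "ComplianceStatus": "NOT_DETERMINED"}
    non_compliant = sum(1 for r in records if r["ComplianceStatus"] == "NON_COMPLIANT")
    pct = 100 - (non_compliant * 100) / total
    return {"CompliancePCT": pct,
            "ComplianceStatus": "COMPLIANT" if pct == 100 else "NON_COMPLIANT"}


if __name__ == "__main__":
    evaluated = evaluate_report(CREDENTIAL_REPORT)
    for rec in evaluated:
        print(rec["ResourceID"], rec["AccessKeyAge"], rec["ComplianceStatus"])
    print(compliance_summary(evaluated))
```

With the three sample users, one of three records is non-compliant, so the summary is 100 - 100/3 = 66.67% and the overall status is NON_COMPLIANT; an empty report yields NOT_DETERMINED rather than a misleading 100%.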

# Step 6: Describe (in words) the Remediation Steps for Non-Compliance

Remediation notes:
Address non-compliance with the AWS Access Key Rotation Policy by rotating the identified access key << KeyName >>.

Steps:

1. Log in to the AWS Management Console.
2. Navigate to IAM and select the user or role associated with the identified access key.
3. Generate a new access key and disable or delete the old one.

Refer to the documentation for more information: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html
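The rotation in step 3 above, as an added example that is not part of the rule or of the AWS documentation: a two-phase rotation that creates the replacement key first and then deactivates (rather than deletes) the old one, so that any workload still signing with the old key can be found from its `AccessKeyLastUsedDate` before the key is removed. `FakeIamClient` is a constructed in-memory stand-in so the block runs offline; its method names and response shapes follow the real boto3 IAM calls (`list_access_keys`, `create_access_key`, `update_access_key`, `delete_access_key`), so `boto3.client("iam")` can be passed in its place. The key IDs are constructed sample values, and the two-keys-per-user limit the code checks for is IAM's documented quota.

```python
from datetime import datetime, timezone


class FakeIamClient:
    """Constructed in-memory stand-in for boto3's IAM client (offline demo only).
    Method names and return shapes mirror the real API calls used by rotate_access_key."""

    def __init__(self, keys):
        # keys: {user_name: [{"AccessKeyId": ..., "Status": "Active"|"Inactive", "CreateDate": ...}]}
        self.keys = keys
        self.counter = 0

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [dict(k, UserName=UserName) for k in self.keys.get(UserName, [])]}

    def create_access_key(self, UserName):
        # IAM allows at most two access keys per user; the real call raises LimitExceededException.
        if len(self.keys.get(UserName, [])) >= 2:
            raise RuntimeError("LimitExceeded: a user may have at most two access keys")
        self.counter += 1
        key = {"AccessKeyId": f"AKIAEXAMPLENEW{self.counter:04d}",  # constructed sample id
               "Status": "Active", "CreateDate": datetime.now(timezone.utc)}
        self.keys.setdefault(UserName, []).append(key)
        # The secret is only ever returned by this call; hand it straight to a secret store.
        return {"AccessKey": dict(key, UserName=UserName, SecretAccessKey="<returned-once-placeholder>")}

    def update_access_key(self, UserName, AccessKeyId, Status):
        for k in self.keys.get(UserName, []):
            if k["AccessKeyId"] == AccessKeyId:
                k["Status"] = Status
                return {}
        raise KeyError(AccessKeyId)

    def delete_access_key(self, UserName, AccessKeyId):
        self.keys[UserName] = [k for k in self.keys[UserName] if k["AccessKeyId"] != AccessKeyId]
        return {}


def rotate_access_key(iam, user_name, old_key_id, delete_old=False):
    """Rotate one user's access key:
    1. make room if the user already holds two keys (only an already-inactive spare is removed),
    2. create the replacement key,
    3. set the old key Inactive so stragglers fail loudly but can be re-enabled during cut-over,
    4. optionally delete the old key once the new one is confirmed in use.
    Returns the new AccessKeyId."""
    existing = iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]
    if len(existing) >= 2:
        spare = [k for k in existing if k["Status"] == "Inactive" and k["AccessKeyId"] != old_key_id]
        if not spare:
            raise RuntimeError(f"{user_name} already has two active access keys; remove an unused one first")
        iam.delete_access_key(UserName=user_name, AccessKeyId=spare[0]["AccessKeyId"])
    new_key = iam.create_access_key(UserName=user_name)["AccessKey"]
    iam.update_access_key(UserName=user_name, AccessKeyId=old_key_id, Status="Inactive")
    if delete_old:
        iam.delete_access_key(UserName=user_name, AccessKeyId=old_key_id)
    return new_key["AccessKeyId"]


def key_status_map(iam, user_name):
    """Helper for inspection: {AccessKeyId: Status} for the user's current keys."""
    return {k["AccessKeyId"]: k["Status"]
            for k in iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]}


if __name__ == "__main__":
    # Constructed sample: test-user-one from the Step 3.a data, holding one stale key.
    iam = FakeIamClient({"test-user-one": [
        {"AccessKeyId": "AKIAEXAMPLEOLD0001", "Status": "Active", "CreateDate": None}]})
    new_id = rotate_access_key(iam, "test-user-one", "AKIAEXAMPLEOLD0001")
    print(new_id, key_status_map(iam, "test-user-one"))
```

Deleting the old key is left as an explicit `delete_old=True` step so it can be scheduled after the credential report shows the old key's last-used date has stopped moving.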

# Step 7: Control Setup Details

| Control Details            |                               |
|----------------------------|-------------------------------|
| **RuleName**               | AWSAccessKeyRotationReport    |
| **PreRequisiteRuleNames**  | AWSCredentialReport           |
| **ExtendedSchemaRuleNames**| AWSCredentialReport           |
| **ApplicationClassName**   | AWSAppConnector               |
| **PostSynthesizerName**    | linkrecords                   |