
The Forgotten Access Key


An IAM user has long-lived, unrotated access keys. See how to identify, remediate, and prevent this security misconfiguration.

Difficulty: medium. Estimated time: 45 min.


An engineer creates an access key to run a deployment script. The script works, the project is deployed, and the key is forgotten: still active, never rotated, saved in a config file somewhere.

If the key is leaked, an attacker gains persistent access that does not expire on its own: unlike temporary credentials, a long-lived access key stays valid until someone deactivates or deletes it.

This is one of the most common credential hygiene misconfigurations in AWS.

Learning Objectives

  • Learn how to use the credentials report to audit access keys
  • Identify stale or unused access keys
  • Rotate access keys, and deactivate and delete obsolete keys
  • Enable and enforce MFA on IAM users
  • Understand why and how to use temporary credentials
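The objectives above describe one procedure: pull the credential report, pick out active keys that are overdue for rotation or sitting idle, then disable them before deleting. The script below is an added example written for this walkthrough, not the room's own material. It parses a credential report in the CSV layout IAM documents, flags stale keys, and shows the disable step with boto3. The sample report (account 111122223333, users deploy-bot and alice), the 90-day thresholds, and the audit instant SAMPLE_NOW are all constructed for illustration; the live functions assume a boto3 IAM client with permission to generate and read the report and to list and update access keys.

```python
"""Audit an AWS IAM credential report for stale access keys and disable them.

Added example for this room (not the room's own code). The report columns
follow the documented IAM credential report layout; the sample rows, the
90-day thresholds and the audit instant are constructed for illustration.
"""
import csv
import io
import time
from datetime import datetime, timedelta, timezone

# Constructed sample report: fake account, fake users, plausible timestamps.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2021-01-05T10:00:00+00:00,not_supported,2024-01-10T08:00:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,2021-03-01T09:00:00+00:00,false,N/A,N/A,N/A,false,true,2021-03-01T09:05:00+00:00,2021-03-02T11:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2023-11-20T12:00:00+00:00,true,2024-03-01T07:30:00+00:00,2023-11-20T12:00:00+00:00,2024-02-18T12:00:00+00:00,true,true,2024-02-15T12:00:00+00:00,2024-03-01T07:00:00+00:00,eu-west-1,sts,true,2024-02-28T12:00:00+00:00,N/A,N/A,N/A,false,N/A,false,N/A
"""
SAMPLE_NOW = datetime(2024, 3, 5, tzinfo=timezone.utc)  # constructed audit instant

MAX_KEY_AGE = timedelta(days=90)  # assumption: rotate at least every 90 days
MAX_IDLE = timedelta(days=90)     # assumption: idle this long means stale


def _ts(value):
    """Parse a report timestamp; N/A / no_information / not_supported -> None."""
    if value in ("", "N/A", "no_information", "not_supported"):
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_stale_keys(report_csv, now=None):
    """Return one finding per *active* access key that is overdue for rotation,
    has been idle for MAX_IDLE, or was never used since it was created.
    A never-used key younger than MAX_IDLE is not flagged (it may be brand new)."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            created = _ts(row[f"access_key_{slot}_last_rotated"])
            last_used = _ts(row[f"access_key_{slot}_last_used_date"])
            reasons = []
            if created and now - created > MAX_KEY_AGE:
                reasons.append(f"not rotated for {(now - created).days} days")
            idle_since = last_used or created  # never used: idle since creation
            if idle_since and now - idle_since > MAX_IDLE:
                reasons.append("never used" if last_used is None
                               else f"unused for {(now - last_used).days} days")
            if reasons:
                findings.append({
                    "user": row["user"],
                    "slot": int(slot),
                    "created": created,
                    "mfa_active": row["mfa_active"] == "true",
                    "reasons": reasons,
                })
    return findings


def fetch_report(iam):
    """Generate and download the live report. Needs iam:GenerateCredentialReport
    and iam:GetCredentialReport; `iam` is a boto3 IAM client."""
    while iam.generate_credential_report()["State"] != "COMPLETE":
        time.sleep(2)
    return iam.get_credential_report()["Content"].decode()


def deactivate_stale_keys(iam, findings):
    """Disable (not delete) each flagged key. The report carries no key IDs, so
    match on creation time against ListAccessKeys (assumption: the report's
    last_rotated value equals the key's CreateDate). Delete with
    iam.delete_access_key(...) only after nothing breaks while Inactive."""
    disabled = []
    for f in findings:
        for meta in iam.list_access_keys(UserName=f["user"])["AccessKeyMetadata"]:
            if meta["Status"] == "Active" and meta["CreateDate"] == f["created"]:
                iam.update_access_key(UserName=f["user"],
                                      AccessKeyId=meta["AccessKeyId"],
                                      Status="Inactive")
                disabled.append((f["user"], meta["AccessKeyId"]))
    return disabled


if __name__ == "__main__":
    for f in find_stale_keys(SAMPLE_REPORT, now=SAMPLE_NOW):
        flag = "" if f["mfa_active"] else " (no MFA)"
        print(f"{f['user']} key {f['slot']}: {', '.join(f['reasons'])}{flag}")
    # Live use:  import boto3; iam = boto3.client("iam")
    #            deactivate_stale_keys(iam, find_stale_keys(fetch_report(iam)))
```

Against the sample, only deploy-bot's first key is reported (created three years ago, last used the day after, no MFA on the user); alice's fresh, never-used second key is left alone because it is younger than the idle threshold. Disabling first and deleting later is deliberate: an Inactive key can be switched back on in seconds if a forgotten pipeline turns out to depend on it, a deleted one cannot.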

Prerequisites

Answer the questions below

Remember, remember! The forgotten key, treason and plot.