Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Credentials Last Used

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: IAM-003

Disable or remove any unused Amazon IAM user credentials such as access keys and passwords in order to protect your AWS resources against unapproved access. AWS IAM user credentials are considered unused when these are not being used for a specified period of time – in this case 90 days or more.

This rule can help you with the following compliance standards:

  • CISAWSF
  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Sustainability
Security

Disabling or removing unused AWS IAM user credentials can significantly reduce the risk of unauthorized access to your AWS cloud resources. Ideally, you will want to restrict access for IAM users who leave your organization or for applications and tools that are no longer using these credentials.


Audit

To determine if there are any IAM users with unused credentials available in your AWS account, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, choose Credential report.

04 On the Credential report page, click Download Report to download the IAM report that lists all your account's users and the status of their various credentials.

05 Open the downloaded file (i.e. status_reports_<download_date>.csv) in your preferred CSV file editor and check the following details, based on the credentials type:

  1. For IAM user passwords, identify each user with the password_enabled set to TRUE and check the password_last_used attribute value. If password_last_used value is set to N/A (not applicable), verify the password_last_changed attribute value, otherwise check the password_last_used value. Based on the verified values (i.e. human readable dates), you can determine when was the last time the selected IAM users used their passwords. If one or more user passwords are older than 90 days, these are considered unused credentials and are most likely associated with a compromised or abandoned IAM user account, therefore these passwords should be deactivated.
  2. For IAM user access keys, identify each user with the access_key_1_active or access_key_2_active set to TRUE and check the access_key_x_last_used_date attribute value – where x is 1 or 2. If access_key_x_last_used_date value is set to N/A, verify the access_key_x_last_rotated attribute value, otherwise check the access_key_x_last_used_date value. Based on these values, you can determine when was the last time the verified IAM users used their access keys. If one or more access key sets are older than 90 days, the keys are considered unused and are most likely associated with a compromised or abandoned IAM user account, therefore these credentials should be decommissioned.

06 Repeat steps no. 1 – 5 for each AWS account that you want to examine for unused IAM user credentials.

Using AWS CLI

01 Run get-credential-report command (OSX/Linux/UNIX) to obtain the IAM credential report for the AWS account that you want to examine. A credential report is a CSV document that lists all users (root and IAM users) available in your AWS account and the current status of their credentials:

aws iam get-credential-report

02 The command output should return the document in a TEXT/CSV format, encoded with the Base64 encoding scheme, e.g.:

{
    "Content": "abcd1234abcd1234abcd1234 ... abcd1234abcd1234abcd1234=",
    "GeneratedTime": "2019-04-04T11:21:00Z",
    "ReportFormat": "text/csv"
}

03 Decode the content of the IAM credential report from the command line (OSX/Linux/UNIX) using the Base64 string returned at the previous step as the input data. In the following example, the report is decoded and saved to a file named aws-iam-credentials-report.csv:

echo -n abcd1234abcd1234abcd1234 ... abcd1234abcd1234abcd1234= | base64 –d >> aws-iam-credentials-report.csv

04 Open aws-iam-credentials-report.csv document in your favorite file editor and check the following information, based on the credentials type (passwords or access keys):

  1. For IAM user passwords, identify each user with the password_enabled set to TRUE and check the password_last_used attribute value. If password_last_used value is set to N/A (not applicable), verify the password_last_changed attribute value, otherwise check the password_last_used value. Based on the verified values (i.e. human readable dates) you can determine when was the last time the selected IAM users used their passwords. If one or more user passwords are older than 90 days, these are considered unused credentials and are most likely associated with a compromised or abandoned IAM user account, therefore these passwords should be deactivated.
  2. For IAM user access keys, identify each user with the access_key_1_active or access_key_2_active set to TRUE and check the access_key_x_last_used_date attribute value – where x is 1 or 2 and represents the keys set number. If access_key_x_last_used_date value is set to N/A, verify the access_key_x_last_rotated attribute value, otherwise check the access_key_x_last_used_date value. Based on these values, you can determine when was the last time the verified IAM users utilized their access keys. If one or more access key sets are older than 90 days, these are considered unused and are most likely associated with a compromised or abandoned IAM user account, therefore these credentials should be decommissioned.

05 Repeat steps no. 1 – 4 for each Amazon Web Services account that you want to examine for unused IAM user credentials.

Remediation / Resolution

Case A: To remove any unused (non-operational for 90 days or more) IAM user access keys, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, choose Users.

04 Click on the IAM user name that you want to reconfigure.

05 On the IAM user configuration page, select Security Credentials tab.

06 In Access Keys section, find the unused active access keys (see Audit section part I to identify the right credentials) and remove them by clicking the x (delete) button next to the Status column.

07 In the Delete Access Key confirmation box, click Delete to remove the selected credentials.

08 Repeat step no. 6 and 7 for other unused access keys associated with the selected IAM user.

09 Repeat steps no. 4 – 8 for each IAM user that holds unused access keys, available in your AWS account.

Using AWS CLI

01 Run delete-access-key command (OSX/Linux/UNIX) to remove the unused active access key pair (see Audit section part II to identify the right credentials) for the selected IAM user. The following command example removes the access keys with the access key ID set to ABCD1234ABCD1234ABCD, for an IAM user named David (if successful, the command does not produce an output):

aws iam delete-access-key
	--access-key ABCD1234ABCD1234ABCD
	--user-name David

02 Repeat step no. 1 for other unused access keys associated with the selected IAM user.

03 Repeat step no. 1 and 2 for each IAM user that has unused access keys, available in your AWS account.

Remediation / Resolution

Case B: To decommission unused AWS IAM user passwords, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, choose Users.

04 Click on the IAM user name that you want to reconfigure.

05 On the IAM user configuration page, select Security Credentials tab.

06 Within Sign-in credentials section, click on the Manage link next to Console password setting to access the console access management settings for the user.

07 In the Manage console access dialog box, click Disable next to Console access to remove the password associated with the selected IAM user and deactivate its access to the AWS Management Console. Click Apply to confirm the changes.

08 Repeat steps no. 4 – 7 for each IAM user that has unused passwords associated, available in your AWS account.

Using AWS CLI

01 Run delete-login-profile command (OSX/Linux/UNIX) to remove the unused password (see Audit section part II to identify the right password) for the selected AWS IAM user. This terminates the user's ability to access AWS cloud services and resources through the AWS Management Console. The following command example deletes the login profile for an IAM user named David (the command does not produce an output):

aws iam delete-login-profile
	--user-name David

02 Repeat steps no. 1 for each IAM user that has unused passwords attached, available in your AWS account.

References

Publication date Apr 5, 2019