Disable or remove any unused Amazon IAM user credentials, such as access keys and passwords, in order to protect your AWS resources against unapproved access. AWS IAM user credentials are considered unused when they have not been used for a specified period of time, in this case 90 days or more.
This rule can help you with the following compliance standards:
- CISAWSF
- APRA
- MAS
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
Disabling or removing unused AWS IAM user credentials can significantly reduce the risk of unauthorized access to your AWS cloud resources. Ideally, you will want to restrict access for IAM users who leave your organization or for applications and tools that are no longer using these credentials.
Audit
To determine if there are any IAM users with unused credentials available in your AWS account, perform the following actions:
Remediation / Resolution
Case A: To remove any unused (non-operational for 90 days or more) IAM user access keys, perform the following actions:
Remediation / Resolution
Case B: To decommission unused AWS IAM user passwords, perform the following actions:
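As an added example (not code from the Conformity rule page), the following Python script applies this rule's 90-day test to an IAM credential report, the same report the Audit step and the `get-credential-report` reference rely on, and covers both cases above: stale passwords (Case B) and stale access keys (Case A). The report embedded below is constructed sample data with the real report's column names; the 90-day fallback to creation/rotation time for credentials AWS has never seen used is an assumption, and a real report is fetched with the CLI command shown in the comment.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

UNUSED_AFTER = timedelta(days=90)  # threshold this rule checks against

# Constructed sample credential report (real column names, trimmed to those
# this check needs). A real one is obtained with:
#   aws iam get-credential-report --query Content --output text | base64 -d
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
alice,arn:aws:iam::111111111111:user/alice,2023-02-01T09:00:00+00:00,true,2024-06-01T08:00:00+00:00,true,2024-03-01T00:00:00+00:00,2024-06-10T12:00:00+00:00,false,N/A,N/A
bob,arn:aws:iam::111111111111:user/bob,2022-05-20T09:00:00+00:00,true,2024-01-10T08:00:00+00:00,true,2023-12-01T00:00:00+00:00,N/A,false,N/A,N/A
carol,arn:aws:iam::111111111111:user/carol,2023-09-15T09:00:00+00:00,false,N/A,true,2024-05-01T00:00:00+00:00,2024-06-20T12:00:00+00:00,true,2024-06-25T00:00:00+00:00,N/A
dave,arn:aws:iam::111111111111:user/dave,2023-01-01T09:00:00+00:00,true,no_information,false,N/A,N/A,false,N/A,N/A
"""

NO_DATE = ("N/A", "no_information", "not_supported")  # placeholder values AWS emits


def _stale(last_used, fallback, now):
    """True when the credential's last use is 90+ days ago. If AWS has no usage
    record, fall back to creation/rotation time (assumption: never-used
    credentials older than 90 days also count as unused)."""
    stamp = last_used if last_used not in NO_DATE else fallback
    if stamp in NO_DATE:
        return False
    return now - datetime.fromisoformat(stamp) >= UNUSED_AFTER


def find_unused_credentials(report_csv, now=None):
    """Return {user: [findings]} for every IAM user credential unused 90+ days."""
    now = now or datetime.now(timezone.utc)
    findings = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] == "<root_account>":
            continue  # root has no login profile to delete; out of scope here
        hits = []
        if row["password_enabled"] == "true" and _stale(row["password_last_used"], row["user_creation_time"], now):
            hits.append("password")  # Case B: aws iam delete-login-profile --user-name <user>
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] == "true" and _stale(
                    row[f"access_key_{n}_last_used_date"], row[f"access_key_{n}_last_rotated"], now):
                hits.append(f"access_key_{n}")  # Case A: aws iam delete-access-key --user-name <user> --access-key-id <id>
        if hits:
            findings[row["user"]] = hits
    return findings


if __name__ == "__main__":
    report_date = datetime(2024, 7, 1, tzinfo=timezone.utc)  # fixed date for the sample
    for user, hits in find_unused_credentials(SAMPLE_REPORT, report_date).items():
        print(f"{user}: {', '.join(hits)}")
```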
References
- AWS Documentation
- AWS IAM FAQs
- Best Practices for Managing AWS Access Keys
- Managing Access Keys for IAM Users
- Finding Unused Credentials
- IAM Users
- Managing IAM Users
- Managing Passwords
- Getting Credential Reports for Your AWS Account
- CIS Amazon Web Services Foundations
- AWS Command Line Interface (CLI) Documentation
- iam
- get-credential-report
- delete-access-key
- delete-login-profile