
Inactive IAM Console User

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: IAM-028

Identify any inactive IAM users that are not used for API access and disable their console access as an extra security measure for protecting your AWS resources against unauthorized access. An IAM user is marked as inactive when it has not been used for a specified period of time. By default, Cloud Conformity sets a threshold of 90 idle days; you can adjust this threshold at any time based on your requirements.

This rule can help you with the following compliance standards:

  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see the Conformity compliance documentation.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Disabling access for inactive IAM users reduces the risk of unauthorized access to your AWS resources (a forgotten password is a standing credential that can be phished, guessed or leaked) and helps you manage user-based access more efficiently.


Audit

To identify any IAM users that have not signed in to the AWS account for more than 90 days, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, choose Users.

04 Click on the IAM user name that you want to examine.

05 On the IAM user configuration page, select Security Credentials tab.

06 In the Access Keys section, check for any IAM access keys assigned to the selected user. If one or more access key pairs are currently attached, the user is used for AWS API access and the audit process for the selected user stops here (this rule covers console users only; the rotation and usage of access keys is covered by separate checks). Otherwise, continue with the next step.

07 Inside the Sign-In Credentials section, check the user Last Used attribute value to determine when its password was last used. If the timestamp displayed is older than 90 days, the selected IAM user is considered inactive and its console access to the AWS resources can be safely disabled.

08 Repeat steps no. 4 – 7 for each IAM user available in your AWS account.

Using AWS CLI

01 Run list-users command (OSX/Linux/UNIX) to list all IAM users currently available within your account:

aws iam list-users

02 The command output should return the predefined metadata for each IAM user available. The PasswordLastUsed attribute returns the date when the user's password was last used. Note that this attribute is omitted entirely for users that have no password or whose password has never been used to sign in; treat such users as candidates for review rather than assuming they are active:

{
    "Users": [
        {
            "UserName": "Dave",
            "PasswordLastUsed": "2015-02-15T12:08:33Z",
            "CreateDate": "2014-09-27T10:53:55Z",
            "UserId": "AAAABBBBCCCCDDDDEEEE",
            "Path": "/",
            "Arn": "arn:aws:iam::123456789012:user/Dave"
        },
        ...
        {
            "UserName": "Andrew",
            "PasswordLastUsed": "2015-06-22T12:05:33Z",
            "CreateDate": "2015-06-16T10:59:55Z",
            "UserId": "AAAABBBBCCCCDDDDEEEE",
            "Path": "/",
            "Arn": "arn:aws:iam::123456789012:user/Andrew"
        }
    ]
}

03 Run list-access-keys command (OSX/Linux/UNIX) using an IAM user name returned at the previous step to determine if the selected user has any access keys assigned:

aws iam list-access-keys \
    --user-name Dave

04 The command output should expose the metadata for each access key created for the selected IAM user. If the AccessKeyMetadata attribute returns an empty array as its value (as shown in the output example below), the selected IAM user is not used for API access:

{
    "AccessKeyMetadata": []
}

If both conditions are met, i.e. the PasswordLastUsed attribute timestamp is older than 90 days and the AccessKeyMetadata attribute value is an empty array ([ ]), the selected IAM user is considered inactive and its console access to the AWS resources can be safely disabled.

05 Repeat steps no. 1 – 4 to identify any other inactive IAM users available within your AWS account.

Remediation / Resolution

To disable the password-based access for any inactive IAM users and terminate their ability to access AWS resources through the Management Console, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, choose Users.

04 Click on the inactive IAM user name to access the user configuration page.

05 Inside the Sign-In Credentials section, click Manage Password to access the user password management page.

06 On the Manage Password page, select Remove existing password to disable password-based access for the selected user.

07 Click Apply to submit the changes. The IAM user access to the AWS resources is now disabled.

08 Repeat steps no. 4 – 7 to disable/block access for other inactive IAM users available in your AWS account.

Using AWS CLI

01 Run delete-login-profile command (OSX/Linux/UNIX) to remove the password for the specified IAM user. See the Audit section part II (AWS CLI) to identify any inactive IAM users. The following command example deletes the login profile (password) from an IAM user with the name Dave (if the command succeeds, no output is returned):

aws iam delete-login-profile \
    --user-name Dave

02 Repeat step no. 1 for each inactive IAM user available in your AWS account.
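The Audit (AWS CLI) and Remediation (AWS CLI) procedures above are repeated once per user by hand. The following Python script is an added example, not part of this Conformity article or the AWS CLI, that applies the same decision rule to the JSON that `aws iam list-users` and `aws iam list-access-keys --user-name <name>` print, and generates the matching `aws iam delete-login-profile` commands for review. The user records, access-key metadata and the audit date (AUDIT_DATE) are constructed sample data in the shape of the CLI output, not real accounts or keys. Two assumptions go beyond the article: a user whose PasswordLastUsed attribute is absent (password never used, or no password) is classified separately as "never-used" instead of being deleted automatically, and the script only prints the remediation commands rather than running them, so that the list can be reviewed before any login profile is removed.

```python
"""Classify IAM users as active / inactive / api / never-used from AWS CLI JSON output.

Added example (not Conformity's or AWS's code). Feed it the real output of
`aws iam list-users` and, per user, `aws iam list-access-keys --user-name <name>`;
the sample strings below are constructed stand-ins with the same field names.
"""
import json
from datetime import datetime, timedelta, timezone

IDLE_DAYS = 90  # Conformity's default inactivity threshold (adjustable)

# Assumed audit date, so the sample data classifies deterministically.
AUDIT_DATE = datetime(2015, 8, 1, tzinfo=timezone.utc)

# Constructed sample of `aws iam list-users` output (same shape as the article's example).
# "Carol" has a password that has never been used, so PasswordLastUsed is absent.
LIST_USERS_JSON = """{
    "Users": [
        {"UserName": "Dave",   "PasswordLastUsed": "2015-02-15T12:08:33Z",
         "CreateDate": "2014-09-27T10:53:55Z", "UserId": "AIDAEXAMPLE00000001",
         "Path": "/", "Arn": "arn:aws:iam::123456789012:user/Dave"},
        {"UserName": "Andrew", "PasswordLastUsed": "2015-06-22T12:05:33Z",
         "CreateDate": "2015-06-16T10:59:55Z", "UserId": "AIDAEXAMPLE00000002",
         "Path": "/", "Arn": "arn:aws:iam::123456789012:user/Andrew"},
        {"UserName": "Carol",
         "CreateDate": "2015-03-01T09:00:00Z", "UserId": "AIDAEXAMPLE00000003",
         "Path": "/", "Arn": "arn:aws:iam::123456789012:user/Carol"},
        {"UserName": "Erin",   "PasswordLastUsed": "2015-07-20T08:15:00Z",
         "CreateDate": "2015-01-10T11:30:00Z", "UserId": "AIDAEXAMPLE00000004",
         "Path": "/", "Arn": "arn:aws:iam::123456789012:user/Erin"}
    ]
}"""

# Constructed per-user output of `aws iam list-access-keys --user-name <name>`.
# Andrew has an (example) access key attached, so he is an API user and is skipped.
ACCESS_KEYS_JSON = {
    "Dave": '{"AccessKeyMetadata": []}',
    "Andrew": ('{"AccessKeyMetadata": [{"UserName": "Andrew", '
               '"AccessKeyId": "AKIAIOSFODNN7EXAMPLE", "Status": "Active", '
               '"CreateDate": "2015-06-16T11:02:10Z"}]}'),
    "Carol": '{"AccessKeyMetadata": []}',
    "Erin": '{"AccessKeyMetadata": []}',
}


def parse_ts(value):
    """Parse the CLI's ISO-8601 UTC timestamps (trailing 'Z') into aware datetimes."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def classify_user(user, access_keys, now, idle_days=IDLE_DAYS):
    """Apply the article's rule to one user record plus its AccessKeyMetadata list."""
    if access_keys:
        return "api"            # keys attached: API user, audit stops here
    last_used = user.get("PasswordLastUsed")
    if last_used is None:
        return "never-used"     # assumption: flag for manual review, do not auto-delete
    if now - parse_ts(last_used) > timedelta(days=idle_days):
        return "inactive"       # password last used more than idle_days ago
    return "active"


def find_inactive_users(list_users_json, access_keys_by_user, now=AUDIT_DATE,
                        idle_days=IDLE_DAYS):
    """Return {user name: classification} for every user in list-users output."""
    result = {}
    for user in json.loads(list_users_json)["Users"]:
        name = user["UserName"]
        keys_json = access_keys_by_user.get(name, '{"AccessKeyMetadata": []}')
        keys = json.loads(keys_json)["AccessKeyMetadata"]
        result[name] = classify_user(user, keys, now, idle_days)
    return result


def remediation_commands(classification):
    """Build the delete-login-profile commands for inactive users only (not executed)."""
    return [f"aws iam delete-login-profile --user-name {name}"
            for name, state in sorted(classification.items()) if state == "inactive"]


if __name__ == "__main__":
    states = find_inactive_users(LIST_USERS_JSON, ACCESS_KEYS_JSON)
    for name, state in sorted(states.items()):
        print(f"{name:10} {state}")
    print("\n# review, then run:")
    for cmd in remediation_commands(states):
        print(cmd)
```

With the constructed data and audit date, Dave is reported as inactive (167 days since his last sign-in), Andrew is skipped as an API user, Carol is flagged as never-used, and Erin is active; only Dave's delete-login-profile command is emitted. To run it against a real account, replace the two constructed JSON values with captured CLI output and keep the review step before executing the generated commands.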


Publication date Jun 23, 2016