
Unused IAM User

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: IAM-029

Identify and remove any unused AWS IAM users that are not designed for API access, as an extra security measure for protecting your AWS resources against unapproved access.

This rule can help you with the following compliance standards:

  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Removing unused IAM users can reduce the risk of unauthorized access to your AWS resources and help you manage the user-based access to the AWS Management Console more efficiently.


Audit

To identify any IAM users in your AWS account that have never logged in, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, choose Users.

04 Click on the IAM user name that you want to examine.

05 On the IAM user configuration page, select Security Credentials tab.

06 In the Access Keys section, check for any IAM access keys assigned to the selected user. If one or more access key pairs are currently attached, the user is used for AWS API access and the audit process for the selected user stops here; otherwise, continue with the next step.

07 Inside the Sign-In Credentials section, check the Last Used attribute value to determine the date the user password was last used. If the current value is set to Never, the selected IAM user has never logged in, is therefore unused, and can be safely removed.

08 Repeat steps no. 4 – 7 for each IAM user available in your AWS account.

Using AWS CLI

01 Run list-users command (OSX/Linux/UNIX) to list all IAM users currently available within your account:

aws iam list-users

02 The command output should return the necessary metadata for each IAM user available. IAM users that have never logged in with a password do not return the PasswordLastUsed attribute:

{
    "Users": [
        {
            "UserName": "Dave",
            "Path": "/",
            "CreateDate": "2015-05-21T14:01:39Z",
            "UserId": "AAAABBBBCCCCDDDDEEEE",
            "Arn": "arn:aws:iam::123456789012:user/Dave"
        },
        ...
        {
            "UserName": "John",
            "CreateDate": "2016-06-15T12:10:55Z",
            "UserId": "AAAABBBBCCCCDDDDEEEE",
            "Path": "/",
            "Arn": "arn:aws:iam::123456789012:user/John"
        }
    ]
}

03 Run list-access-keys command (OSX/Linux/UNIX) using an IAM user name (user without a value set for PasswordLastUsed attribute) returned at the previous step to determine if the selected user has any access keys assigned:

aws iam list-access-keys
	--user-name Dave

04 The command output should expose the metadata for each access key created for the selected IAM user (if any):

{
    "AccessKeyMetadata": []
}

If the AccessKeyMetadata attribute returns an empty array as its value (as shown in the output example above), the selected IAM user is not used for API access. If there is no metadata returned for PasswordLastUsed and AccessKeyMetadata attributes, the selected IAM user was not used for AWS console and API access and can be safely removed.

05 Repeat steps no. 3 and 4 for any IAM users that do not return the PasswordLastUsed attribute.
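The CLI audit above (steps 02 through 05) expressed as an offline check, added here as an example and not Conformity's own code: it applies the rule's two conditions (no PasswordLastUsed, empty AccessKeyMetadata) to the JSON that list-users and list-access-keys return. The sample documents, user names and key IDs are constructed for this example.

```python
import json

# Constructed sample of `aws iam list-users` output (not real account data).
LIST_USERS_JSON = """{
  "Users": [
    {"UserName": "Dave", "Path": "/", "CreateDate": "2015-05-21T14:01:39Z",
     "UserId": "AIDAEXAMPLE000000001", "Arn": "arn:aws:iam::123456789012:user/Dave"},
    {"UserName": "Alice", "Path": "/", "CreateDate": "2015-05-21T14:01:39Z",
     "UserId": "AIDAEXAMPLE000000002", "Arn": "arn:aws:iam::123456789012:user/Alice",
     "PasswordLastUsed": "2016-06-01T09:12:00Z"},
    {"UserName": "John", "Path": "/", "CreateDate": "2016-06-15T12:10:55Z",
     "UserId": "AIDAEXAMPLE000000003", "Arn": "arn:aws:iam::123456789012:user/John"}
  ]
}"""

# Constructed samples of `aws iam list-access-keys --user-name <name>`, keyed by user.
LIST_ACCESS_KEYS_JSON = {
    "Dave": '{"AccessKeyMetadata": []}',
    "Alice": '{"AccessKeyMetadata": []}',
    "John": '{"AccessKeyMetadata": [{"UserName": "John", "AccessKeyId": '
            '"AKIAEXAMPLEKEY000001", "Status": "Active", '
            '"CreateDate": "2016-06-15T12:11:00Z"}]}',
}


def find_unused_users(list_users_output, access_keys_by_user):
    """IAM-029 audit: a user is unused when its list-users entry has no
    PasswordLastUsed attribute (step 02) AND its AccessKeyMetadata array is
    empty (steps 03-04). Alice is excluded at step 02, John at step 04."""
    unused = []
    for user in json.loads(list_users_output)["Users"]:
        name = user["UserName"]
        if "PasswordLastUsed" in user:
            continue          # console password used at least once
        keys = json.loads(access_keys_by_user[name])["AccessKeyMetadata"]
        if keys:
            continue          # access keys attached: treated as an API user
        unused.append(name)   # never logged in and no keys: removal candidate
    return unused


def remediation_commands(unused):
    """delete-user command from the Remediation section, one per finding.
    AWS rejects delete-user (DeleteConflict) while the user still has a login
    profile, policies, group memberships or MFA devices; remove those first."""
    return [f"aws iam delete-user --user-name {name}" for name in unused]


if __name__ == "__main__":
    findings = find_unused_users(LIST_USERS_JSON, LIST_ACCESS_KEYS_JSON)
    print("Unused IAM users:", findings)
    print("\n".join(remediation_commands(findings)))
```

Note that a user created moments ago also lacks PasswordLastUsed, so review CreateDate before acting on a finding.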

Remediation / Resolution

To remove any unused IAM users from your AWS account, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, choose Users.

04 Select the IAM user that you want to remove (see Audit to identify the necessary IAM user(s)).

05 Click on the User Actions dropdown button from the dashboard top menu and select Delete User.

06 In the Delete User dialog box, review the user data and click Yes, Delete to confirm the action.

07 Repeat steps no. 4 – 6 to remove any other unused IAM users available in your AWS account.

Using AWS CLI

01 Run delete-user command (OSX/Linux/UNIX) to remove a specified IAM user. See the Audit section part II (AWS CLI) to identify any unused IAM users. The following command example deletes an IAM user named Dave (if successful, the command does not produce an output):

aws iam delete-user
	--user-name Dave

02 Repeat step no. 1 for each unused IAM user available in your AWS account.

Publication date Jun 23, 2016