Control: 1.12 Ensure credentials unused for 45 days or more are disabled
Description
AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. It is recommended that all credentials that have been unused in 45 or greater days be deactivated or removed.
Disabling or removing unnecessary credentials will reduce the window of opportunity for credentials associated with a compromised or abandoned account to be used.
Remediation
From Console:
Perform the following to manage Unused Password (IAM user console access)
- Login to the AWS Management Console:
- Click
Services
. - Click
IAM
. - Click on
Users
. - Click on
Security Credentials
. - Select user whose
Console last sign-in
is greater than 45 days. - Click
Security credentials
. - In section
Sign-incredentials
,Console password
clickManage
. - Under Console Access select
Disable
. - Click
Apply
Perform the following to deactivate Access Keys:
- Login to the AWS Management Console:
- Click
Services
. - Click
IAM
. - Click on
Users
. - Click on
Security Credentials
. - Select any access keys that are over 45 days old and that have been used and
- Click on
Make inactive
.
- Select any access keys that are over 45 days old and that have not been used and
- Click the X to
Delete
.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.cis_v400_1_12
Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run aws_compliance.control.cis_v400_1_12 --share
SQL
This control uses a named query:
iam_user_unused_credentials_45