🚀Launch Week 07, January 27th - 31st, 2025🚀
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-aws-compliance
Overview
32Dashboards
1295Benchmarks
585Queries
4Variables
GitHub

Control: Ensure IAM users with console access unused for 45 days or greater are disabled

Description

AWS IAM users can access AWS resources using console access. It is recommended that console access that have been unused in 45 or greater days be deactivated or removed.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.iam_user_console_access_unused_45

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.iam_user_console_access_unused_45 --share

SQL

This control uses a named query:

select
  user_arn as resource,
  case
    when not password_enabled then 'ok'
    when password_enabled and password_last_used is null then 'alarm'
    when password_enabled and password_last_used < (current_date - interval '45' day) then 'alarm'
    else 'ok'
  end status,
  user_name ||
    case
      when not password_enabled then ' password not enabled.'
      when password_enabled and password_last_used is null then ' password created ' || to_char(password_last_changed, 'DD-Mon-YYYY') || ' never used.'
      else ' password used ' || to_char(password_last_used, 'DD-Mon-YYYY') || '.'
    end as reason
  , account_id
from
  aws_iam_credential_report;

Tags

category = Compliance
plugin = aws
service = AWS/IAM