Known compromised IAM users should not be present in the account

Description

Ensure that no known compromised IAM users are present in your AWS account. When AWS identifies compromised AWS IAM user credentials, it attaches the managed policy AWSCompromisedKeyQuarantineV2, which blocks commonly abused actions, and typically opens a support case. When this happens, it’s important to make sure that the user is removed or that its credentials are disabled.

Note: This rule only triggers if the IAM user has active programmatic credentials.
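
The check described above can be sketched as follows. This is an added example, not the rule's own implementation: it flags users that have AWSCompromisedKeyQuarantineV2 attached and still hold an active access key. `FakeIAM` and `SAMPLE` are constructed stand-ins so the code runs offline; the function only assumes a client exposing the boto3 IAM paginators `list_users`, `list_attached_user_policies` and `list_access_keys`.

```python
from types import SimpleNamespace

QUARANTINE_POLICY = "AWSCompromisedKeyQuarantineV2"  # name given in the rule text

def find_quarantined_users(iam):
    """Map each quarantined IAM user to its still-active access key IDs."""
    def pages(op, key, **kw):
        for page in iam.get_paginator(op).paginate(**kw):
            yield from page[key]

    findings = {}
    for user in pages("list_users", "Users"):
        name = user["UserName"]
        attached = {p["PolicyName"] for p in
                    pages("list_attached_user_policies", "AttachedPolicies", UserName=name)}
        if QUARANTINE_POLICY not in attached:
            continue
        active = [k["AccessKeyId"] for k in
                  pages("list_access_keys", "AccessKeyMetadata", UserName=name)
                  if k["Status"] == "Active"]
        if active:  # per the Note: only users with active programmatic credentials
            findings[name] = active
    return findings

# Constructed sample data: {user: (attached policy names, [(key id, status)])}
SAMPLE = {
    "ci-deployer": ([QUARANTINE_POLICY], [("AKIAEXAMPLE0000000001", "Active"),
                                          ("AKIAEXAMPLE0000000002", "Inactive")]),
    "old-service": ([QUARANTINE_POLICY], [("AKIAEXAMPLE0000000003", "Inactive")]),
    "analyst": (["ReadOnlyAccess"], [("AKIAEXAMPLE0000000004", "Active")]),
}

class FakeIAM:
    """Constructed stand-in for a boto3 IAM client (hypothetical helper)."""
    def __init__(self, users):
        self.users = users

    def get_paginator(self, op):
        return SimpleNamespace(paginate=lambda **kw: iter([self._page(op, kw.get("UserName"))]))

    def _page(self, op, name):
        if op == "list_users":
            return {"Users": [{"UserName": n} for n in self.users]}
        policies, keys = self.users[name]
        if op == "list_attached_user_policies":
            return {"AttachedPolicies": [{"PolicyName": p} for p in policies]}
        return {"AccessKeyMetadata": [{"AccessKeyId": k, "Status": s} for k, s in keys]}

if __name__ == "__main__":
    # Offline run on the constructed sample; for a real account pass boto3.client("iam").
    for user, keys in find_quarantined_users(FakeIAM(SAMPLE)).items():
        print(f"{user}: active keys {keys} -> disable the keys or remove the user")
```

A quarantined user whose keys are all inactive (`old-service` in the sample) is not reported, matching the note that the rule only triggers on active programmatic credentials.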

Remediation

Follow the AWS documentation on rotating access keys to disable the compromised access key and create a new one. You can also follow the AWS incident response playbook and the AWS incident response guide to assess the impact of the compromised credentials.