Credentials should be deactivated or removed if unused for 45 days

iam
이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Description

AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. It is recommended that all credentials that have not been used in 45 or more days be deactivated or removed.

Rationale

Disabling or removing unneeded credentials will reduce the window of opportunity for credentials associated with a compromised or abandoned account to be used.

Remediation

From the console

Perform the following to manage unused passwords (IAM user console access).

  1. Log into the AWS Management Console.
  2. Click Services and select IAM.
  3. Click on Users and select Security Credentials.
  4. Select the user whose Console last sign-in is greater than 45 days.
  5. Click Security credentials.
  6. In the Sign-in credentials, Console password section, click Manage.
  7. Under Console Access, select Disable, then click Apply.

Perform the following to deactivate Access Keys:

  1. Log into the AWS Management Console.
  2. Click Services and select IAM.
  3. Click on Users and select Security Credentials.
  4. Select any access keys that are over 45 days old and that have been used and click Make Inactive.
  5. Select any access keys that are over 45 days old and that have not been used and click the X to delete them.

References

  1. https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#remove-credentials
  2. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_finding-unused.html
  3. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_admin-change-user.html
  4. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html