Credentials should be deactivated or removed if unused for 45 days

Description

AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. It is recommended that all credentials that have not been used in 45 or more days be deactivated or removed.

Rationale

Disabling or removing unneeded credentials will reduce the window of opportunity for credentials associated with a compromised or abandoned account to be used.

Remediation

From the console

Perform the following to manage unused passwords (IAM user console access).

  1. Log into the AWS Management Console.
  2. Click Services and select IAM.
  3. Click on Users and select Security Credentials.
  4. Select a user whose Console last sign-in is more than 45 days ago.
  5. Click Security credentials.
  6. In the Sign-in credentials, Console password section, click Manage.
  7. Under Console Access, select Disable, then click Apply.

Perform the following to deactivate Access Keys:

  1. Log into the AWS Management Console.
  2. Click Services and select IAM.
  3. Click on Users and select Security Credentials.
  4. Select any access keys that are over 45 days old and have been used, and click Make Inactive.
  5. Select any access keys that are over 45 days old and have never been used, and click the X to delete them.
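The console steps above are manual; the same 45-day rule can be applied to the IAM credential report to list what needs disabling. The following is an added example, not part of the benchmark text or any AWS tooling: it parses a constructed report in the credential-report CSV layout and assumes that a credential with no recorded use is measured from its creation or rotation date, that idle-but-used keys are deactivated and never-used keys deleted.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

MAX_IDLE = timedelta(days=45)

# Constructed sample in the layout of the IAM credential report (the real one is
# returned base64-encoded by `aws iam get-credential-report` and has more columns,
# which DictReader ignores). The account id and users are made up.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,2022-01-01T00:00:00+00:00,not_supported,2024-05-30T08:00:00+00:00,false,N/A,N/A,false,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,2023-01-10T00:00:00+00:00,true,2024-05-20T09:12:00+00:00,true,2023-02-01T00:00:00+00:00,2024-05-30T11:00:00+00:00,false,N/A,N/A
bob,arn:aws:iam::111122223333:user/bob,2023-01-10T00:00:00+00:00,true,2024-03-01T07:00:00+00:00,true,2024-01-15T00:00:00+00:00,2024-02-10T15:30:00+00:00,true,2024-01-15T00:00:00+00:00,N/A
carol,arn:aws:iam::111122223333:user/carol,2024-05-25T00:00:00+00:00,true,no_information,true,2024-05-25T00:00:00+00:00,N/A,false,N/A,N/A
"""

def parse_ts(value):
    """Aware datetime for an ISO timestamp; None for N/A, no_information, not_supported."""
    if not value or not value[0].isdigit():
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def unused_credentials(report_csv, now, max_idle=MAX_IDLE):
    """Return (user, credential, action) for credentials idle for max_idle or longer.
    Never-used credentials are judged from their creation/rotation date (assumption)."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] == "<root_account>":
            continue  # the remediation above covers IAM users, not the root account
        if row["password_enabled"] == "true":
            ref = parse_ts(row["password_last_used"]) or parse_ts(row["user_creation_time"])
            if ref and now - ref >= max_idle:
                findings.append((row["user"], "console_password", "disable"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            last_used = parse_ts(row[f"access_key_{n}_last_used_date"])
            ref = last_used or parse_ts(row[f"access_key_{n}_last_rotated"])
            if ref and now - ref >= max_idle:
                action = "deactivate" if last_used else "delete"
                findings.append((row["user"], f"access_key_{n}", action))
    return findings

def sample_findings():
    """Run the check over the constructed report as of 2024-06-01 UTC."""
    return unused_credentials(SAMPLE_REPORT, datetime(2024, 6, 1, tzinfo=timezone.utc))

if __name__ == "__main__":
    for user, cred, action in sample_findings():
        print(f"{user}: {action} {cred}")
```

Feeding a real report (decoded from the API response) to `unused_credentials` with `now` set to the current UTC time produces the work list for the console steps above.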

References

  1. https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#remove-credentials
  2. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_finding-unused.html
  3. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_admin-change-user.html
  4. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html