IAM access keys that are inactive and older than 1 year should be removed

Description

This rule identifies IAM access keys that are older than one year and have not been used in the past 30 days.

Rationale

An access key that is old and has not been used recently is a strong indicator that the key, or the IAM user it belongs to, is no longer needed, and keeping it around is an avoidable security risk. IAM access keys are static, long-lived secrets: they do not expire or rotate on their own, so a key that has leaked (for example in a repository, a CI log or a compromised workstation) stays valid until it is explicitly deactivated or deleted. Leaked long-lived access keys are a common cause of cloud security breaches.

Remediation

  • Verify whether the IAM user is still actively used or can be removed.
  • Verify whether the IAM access key is still actively used or can be removed.
  • If the IAM user is still needed but the key is not, deactivate the key first and delete it once you have confirmed nothing depends on it (a deactivated key can be re-enabled, a deleted one cannot). If the key itself is still needed, rotate it. For more information, see the AWS documentation.

From the console

Follow the Rotating IAM user access keys (console) AWS documentation to rotate access keys.

From the command line

Follow the Rotating IAM user access keys (AWS CLI) AWS documentation to rotate access keys.
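As an added example (not part of the original rule page), the script below evaluates the rule as stated in the description, key created more than 365 days ago and not used in the past 30 days, over access-key metadata in the shape returned by `aws iam list-access-keys` and `aws iam get-access-key-last-used`, and prints the AWS CLI command that remediates each finding: `update-access-key --status Inactive` for a key that is still Active, `delete-access-key` for one that was already deactivated. The users, key IDs and timestamps are constructed so it runs offline; to use it against a real account, replace the two sample structures with the output of those CLI calls.

```python
"""Evaluate the 'inactive and older than 1 year' rule over IAM access-key
metadata and emit the AWS CLI command that remediates each finding.

Added example, not part of the original rule page. Record shapes follow
`aws iam list-access-keys` and `aws iam get-access-key-last-used`; all data
below is constructed (fake users, fake key IDs) so the script runs offline.
"""
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE_DAYS = 365   # "older than one year"
MAX_UNUSED_DAYS = 30     # "not used in the past 30 days"

# Fixed "now" so the constructed sample is reproducible.
SAMPLE_NOW = datetime(2024, 4, 1, tzinfo=timezone.utc)

# Constructed stand-in for `aws iam list-access-keys --user-name ...`,
# concatenated over every user in the account.
LIST_ACCESS_KEYS = {"AccessKeyMetadata": [
    {"UserName": "ci-deployer", "AccessKeyId": "AKIAEXAMPLEKEY000001",
     "Status": "Active", "CreateDate": "2022-01-10T09:00:00+00:00"},
    {"UserName": "ci-deployer", "AccessKeyId": "AKIAEXAMPLEKEY000002",
     "Status": "Active", "CreateDate": "2024-03-01T09:00:00+00:00"},
    {"UserName": "backup-svc", "AccessKeyId": "AKIAEXAMPLEKEY000003",
     "Status": "Active", "CreateDate": "2022-05-20T09:00:00+00:00"},
    {"UserName": "backup-svc", "AccessKeyId": "AKIAEXAMPLEKEY000004",
     "Status": "Active", "CreateDate": "2022-08-15T09:00:00+00:00"},
    {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLEKEY000005",
     "Status": "Inactive", "CreateDate": "2021-01-01T09:00:00+00:00"},
]}

# Constructed stand-in for `aws iam get-access-key-last-used --access-key-id ...`,
# keyed by key ID. A key that was never used has no LastUsedDate at all.
LAST_USED = {
    "AKIAEXAMPLEKEY000001": {"AccessKeyLastUsed": {
        "LastUsedDate": "2022-06-01T10:00:00+00:00", "ServiceName": "s3", "Region": "us-east-1"}},
    "AKIAEXAMPLEKEY000002": {"AccessKeyLastUsed": {
        "LastUsedDate": "2024-03-05T10:00:00+00:00", "ServiceName": "ecr", "Region": "us-east-1"}},
    "AKIAEXAMPLEKEY000003": {"AccessKeyLastUsed": {
        "ServiceName": "N/A", "Region": "N/A"}},
    "AKIAEXAMPLEKEY000004": {"AccessKeyLastUsed": {
        "LastUsedDate": "2024-03-28T10:00:00+00:00", "ServiceName": "s3", "Region": "eu-west-1"}},
    "AKIAEXAMPLEKEY000005": {"AccessKeyLastUsed": {
        "LastUsedDate": "2021-02-01T10:00:00+00:00", "ServiceName": "sts", "Region": "us-east-1"}},
}


def parse_ts(value):
    """Parse an AWS CLI timestamp (ISO 8601, e.g. 2022-01-10T09:00:00+00:00)."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def merge_key_records(list_output, last_used_by_id):
    """Flatten the two CLI outputs into one record per access key."""
    records = []
    for meta in list_output["AccessKeyMetadata"]:
        used = last_used_by_id.get(meta["AccessKeyId"], {}).get("AccessKeyLastUsed", {})
        records.append({**meta, "LastUsedDate": used.get("LastUsedDate")})
    return records


def is_stale(record, now):
    """The rule: created more than MAX_KEY_AGE_DAYS ago and not used within
    MAX_UNUSED_DAYS. A key that has never been used counts as unused."""
    if now - parse_ts(record["CreateDate"]) <= timedelta(days=MAX_KEY_AGE_DAYS):
        return False
    last_used = parse_ts(record.get("LastUsedDate"))
    return last_used is None or now - last_used > timedelta(days=MAX_UNUSED_DAYS)


def find_stale_keys(list_output, last_used_by_id, now):
    """Return the merged records that violate the rule, in input order."""
    return [r for r in merge_key_records(list_output, last_used_by_id) if is_stale(r, now)]


def remediation_command(record):
    """Deactivate an Active key first (reversible if something still needs it);
    delete a key that is already Inactive, since it could otherwise be re-enabled."""
    target = f"--user-name {record['UserName']} --access-key-id {record['AccessKeyId']}"
    if record["Status"] == "Active":
        return f"aws iam update-access-key {target} --status Inactive"
    return f"aws iam delete-access-key {target}"


def main():
    for rec in find_stale_keys(LIST_ACCESS_KEYS, LAST_USED, SAMPLE_NOW):
        print(f"{rec['UserName']} {rec['AccessKeyId']} created={rec['CreateDate']} "
              f"last_used={rec['LastUsedDate'] or 'never'}")
        print("  " + remediation_command(rec))


if __name__ == "__main__":
    main()
```

Against the constructed sample, three keys are reported: the old, stale key and the old, never-used key get a deactivation command, and the already-inactive key from 2021 gets a deletion command; the key created a month ago and the old key used four days ago are left alone (the latter is a rotation candidate, not a finding for this rule). The commands are printed rather than executed so they can be reviewed against the first two remediation steps before anything is changed.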