Known compromised IAM users should not be present in the account

Description

Ensure that no known compromised IAM users are present in your AWS account. When AWS identifies that an IAM user's credentials have been exposed (for example, an access key published to a public repository), it attaches the managed policy AWSCompromisedKeyQuarantineV2 to the user and typically opens a support case. That policy is a containment measure, not a fix: it explicitly denies a fixed list of commonly abused actions, while the compromised credentials remain valid for everything else. When this happens, remove the user or deactivate its credentials; do not simply detach the quarantine policy and leave the key in place.

Note: This rule only triggers if the IAM user has active programmatic credentials.

Remediation

Follow the Rotating access keys AWS documentation to deactivate the compromised access key and, once nothing depends on it, delete it; create a new key only if the user still needs programmatic access. Leave the quarantine policy attached until the compromised key is deactivated or deleted. Then follow the AWS incident response playbook and the AWS incident response guide to assess the impact of the compromised credentials, in particular by reviewing CloudTrail for activity performed with the key before it was contained.
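The detection and containment steps above, written out as an added example (this is not the rule's own implementation or AWS code). The functions accept any object exposing the boto3 IAM client methods list_users, list_attached_user_policies, list_access_keys and update_access_key; the FakeIAM class and its three users with their key IDs are constructed test data so the script runs offline, and the inclusion of the older AWSCompromisedKeyQuarantine policy name alongside V2 is a deliberate widening of the check:

```python
"""Find IAM users quarantined by AWS that still hold active access keys, then
deactivate those keys. Added example; not the rule's or AWS's own code."""
from dataclasses import dataclass, field

# Managed policies AWS attaches to a user whose credentials it believes are
# compromised. V2 is current; the unversioned name is the older policy.
QUARANTINE_POLICY_ARNS = {
    "arn:aws:iam::aws:policy/AWSCompromisedKeyQuarantineV2",
    "arn:aws:iam::aws:policy/AWSCompromisedKeyQuarantine",
}


@dataclass
class Finding:
    user_name: str
    quarantine_policy: str
    active_key_ids: list = field(default_factory=list)


def find_quarantined_users(iam):
    """One Finding per user that has a quarantine policy attached AND at least
    one Active access key; users with only inactive keys are skipped, matching
    the rule's note. Production code should iterate iam.get_paginator(...)
    pages instead of a single list_users call."""
    findings = []
    for user in iam.list_users()["Users"]:
        name = user["UserName"]
        attached = iam.list_attached_user_policies(UserName=name)["AttachedPolicies"]
        quarantine = [p["PolicyArn"] for p in attached
                      if p["PolicyArn"] in QUARANTINE_POLICY_ARNS]
        if not quarantine:
            continue
        keys = iam.list_access_keys(UserName=name)["AccessKeyMetadata"]
        active = [k["AccessKeyId"] for k in keys if k["Status"] == "Active"]
        if active:
            findings.append(Finding(name, quarantine[0], active))
    return findings


def deactivate_keys(iam, findings):
    """Containment: set every active key of each finding to Inactive. This is
    reversible, unlike deletion, and leaves the quarantine policy attached.
    Returns the (user, key id) pairs that were deactivated."""
    deactivated = []
    for f in findings:
        for key_id in f.active_key_ids:
            iam.update_access_key(UserName=f.user_name, AccessKeyId=key_id,
                                  Status="Inactive")
            deactivated.append((f.user_name, key_id))
    return deactivated


class FakeIAM:
    """Constructed stand-in for boto3.client('iam') with the response shapes the
    real client returns. Key IDs and user names are made up."""

    def __init__(self):
        self.policies = {
            "alice": [QUARANTINE_POLICY_ARNS.copy().pop()],   # quarantined
            "bob": ["arn:aws:iam::aws:policy/AWSCompromisedKeyQuarantineV2"],
            "carol": ["arn:aws:iam::aws:policy/ReadOnlyAccess"],
        }
        self.keys = {
            "alice": {"AKIAEXAMPLEALICE0001": "Active",
                      "AKIAEXAMPLEALICE0002": "Inactive"},
            "bob": {"AKIAEXAMPLEBOB000001": "Inactive"},   # already contained
            "carol": {"AKIAEXAMPLECAROL0001": "Active"},   # not quarantined
        }

    def list_users(self):
        return {"Users": [{"UserName": u} for u in self.policies]}

    def list_attached_user_policies(self, UserName):
        return {"AttachedPolicies": [{"PolicyName": arn.rsplit("/", 1)[1],
                                      "PolicyArn": arn}
                                     for arn in self.policies[UserName]]}

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [{"UserName": UserName, "AccessKeyId": k,
                                       "Status": s}
                                      for k, s in self.keys[UserName].items()]}

    def update_access_key(self, UserName, AccessKeyId, Status):
        self.keys[UserName][AccessKeyId] = Status
        return {}


if __name__ == "__main__":
    iam = FakeIAM()  # swap for boto3.client("iam") to run against an account
    found = find_quarantined_users(iam)
    for f in found:
        print(f"{f.user_name}: {f.quarantine_policy} attached, "
              f"active keys {f.active_key_ids}")
    print("deactivated:", deactivate_keys(iam, found))
    print("remaining findings:", find_quarantined_users(iam))
```

Deactivation is the containment step only; the rule stays violated until the user is removed or the compromised key is deleted, so follow the rotation steps above and close the AWS support case afterwards.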