iCompaas Support

Profile Applicability: Level 1

Description:

AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. It is recommended that all credentials that have been unused in 90 or greater days be removed or deactivated.

Rationale:

Disabling or removing unnecessary credentials will reduce the window of opportunity for credentials associated with a compromised or abandoned account to be used.

Impact:

By deleting or disabling the unused user credentials will protect your AWS resources against unapproved access.

Default Value:

By default AWS IAM will not disable credentials like password or Access keys at any moment.

Pre-Requisites:

• Log in as an Administrator to perform the below steps

• After auditing, if the found any user is not using credentials for 90 days or more then only perform the Implementation steps.

Remediation:

Test Plan:

Using AWS Console:

1. Sign in to the AWS Management Console.

2. Navigate to IAM service https://console.aws.amazon.com/iam/.

3. Click on the Credential report in the left navigation pane
   

4. Click on the download report option given, which lists all your account's users

5. From the report, check the user, passwoord_last_used, and access_key_1_last_used_date columns to check when the credentials were last used.

6. If you notice any user is not using credentials from the past 90 days or more you need to disable the user. To do follow the Implementation steps.

Using AWS CLI:

Using the below command we can download the report 

aws iam get-credential-report

Implementation Steps:

Using AWS Console:

1. Sign in to the AWS Management Console.

2. Navigate to IAM service https://console.aws.amazon.com/iam/.

3. Click on Users in the left navigation pane
   

4. Click on the user that you want to take action and select the Security Credentials tab
   

5. In the Sign-in credentials tab, in the console sign-in section, click Enable console access.
   

6. Select Disable option and click on Apply.
   
   

7. Go to the Access key section and find the key that’s status is Active and click on Deactivate option.
   

Using AWS CLI: 

aws iam disable-user --user-name Myuser

Backout Plan:

If you want to revoke the changes you made do follow the steps 

1. Sign in to the AWS Management Console.

2. Navigate to IAM service https://console.aws.amazon.com/iam/.

3. Click on Users in the left navigation pane
   

4. Click on the user that you want to take action and select the Security Credentials tab
   

5. In the Sign-in credentials, section click on the Manage option next to the Console password
   

6. Select Enable option next to Console password, set the password, and check the Require password reset checkbox and click on Apply.

7. Go to the Access key section and click on Activate option
   

References:

• Security best practices in IAM - AWS Identity and Access Management 
• AWS account root user - AWS Identity and Access Management 

CIS Controls:

16.9 Disable Dormant Accounts 

• Automatically disable dormant accounts after a set period of inactivity.