Profile Applicability: Level 1


Description:

AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. It is recommended that all credentials that have been unused in 90 or greater days be removed or deactivated.


Rationale:

Disabling or removing unnecessary credentials will reduce the window of opportunity for credentials associated with a compromised or abandoned account to be used.


Impact:

Deleting or disabling unused user credentials protects your AWS resources against unapproved access.


Default Value:

By default, AWS IAM never disables credentials such as passwords or access keys on its own, however long they go unused.


Audit:

  1. Sign in to the AWS Management Console.

  2. Navigate to the IAM service at https://console.aws.amazon.com/iam/.

  3. Click on Credential report in the left navigation pane.

  4. Click on the download report option given, which lists all your account's users and the status of their various credentials.

  5. From the report, check the user, password_last_used and access_key_1_last_used_date columns to see when each credential was last used.

  6. If any user has not used their credentials for 90 days or more, you need to disable that user's credentials. To do so, follow the Implementation Steps under Remediation.


Via CLI:

aws iam generate-credential-report
aws iam get-credential-report --query Content --output text | base64 --decode

(The report must be generated before it can be fetched, and get-credential-report returns the CSV content base64-encoded, so it is decoded here before reading.)


Remediation:

Pre-Requisites

  • Log in as an Administrator to perform the below steps.

  • Perform the below steps only if the audit found a user who has not used their credentials for 90 days or more.

Implementation Steps

  1. Sign in to the AWS Management Console.

  2. Navigate to the IAM service at https://console.aws.amazon.com/iam/.

  3. Click on Users in the left navigation pane.

  4. Click on the user you want to take action on and select the Security Credentials tab.

  5. In the Sign-in credentials section, click on the Manage option next to Console password.

  6. Select the Disable option next to Console password and click on Apply.

  7. Go to the Access keys section, find each key whose status is Active, and click on the Make inactive option.


Via CLI:

aws iam delete-login-profile --user-name Myuser
aws iam update-access-key --user-name Myuser --access-key-id <ACCESS_KEY_ID> --status Inactive

(The AWS CLI has no disable-user command. Deleting the login profile removes the user's console password, which is what the console's Disable option does, and update-access-key with --status Inactive deactivates a key. Look up the key ID with aws iam list-access-keys --user-name Myuser.)
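The audit (step 5 above) and the CLI remediation come together in the following script. It is an added example and is not part of this benchmark or of AWS tooling: it parses a credential report CSV (the decoded output of aws iam get-credential-report; the sample below is constructed for the example), flags every enabled password or access key whose last use is 90 or more days old, and renders the matching AWS CLI remediation commands. Two points go beyond the text and are assumptions: a credential that has never been used is judged by its last-changed/last-rotated date instead, and because the report does not contain access key IDs the rendered update-access-key command carries a placeholder for the operator to fill in from aws iam list-access-keys.

```python
"""Flag IAM credentials unused for 90+ days from a credential report and
render the AWS CLI commands that disable them (example, not AWS code)."""
import csv
import io
from datetime import datetime, timedelta, timezone

MAX_AGE_DAYS = 90

# Values AWS writes into report date columns when there is no timestamp.
_NO_DATE = {"N/A", "no_information", "not_supported", ""}

# Constructed sample report: a subset of the real column set, same names.
SAMPLE_REPORT = "\n".join([
    "user,arn,user_creation_time,password_enabled,password_last_used,"
    "password_last_changed,access_key_1_active,access_key_1_last_rotated,"
    "access_key_1_last_used_date,access_key_2_active,"
    "access_key_2_last_rotated,access_key_2_last_used_date",
    "<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,"
    "not_supported,2024-05-30T09:00:00+00:00,not_supported,false,N/A,N/A,false,N/A,N/A",
    "alice,arn:aws:iam::111122223333:user/alice,2023-06-01T00:00:00+00:00,"
    "true,2024-05-01T12:00:00+00:00,2024-04-01T00:00:00+00:00,"
    "true,2024-01-10T08:00:00+00:00,N/A,false,N/A,N/A",
    "bob,arn:aws:iam::111122223333:user/bob,2022-03-15T00:00:00+00:00,"
    "true,2024-01-15T07:30:00+00:00,2023-12-01T00:00:00+00:00,"
    "false,N/A,N/A,true,2024-02-01T00:00:00+00:00,2024-05-20T10:00:00+00:00",
    "carol,arn:aws:iam::111122223333:user/carol,2021-09-09T00:00:00+00:00,"
    "false,N/A,N/A,true,2023-11-11T00:00:00+00:00,2024-03-03T00:00:00+00:00,"
    "false,N/A,N/A",
])
# Fixed "now" so the example is reproducible; real runs use datetime.now(timezone.utc).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def _parse(ts):
    """Return an aware datetime for an ISO-8601 report timestamp, or None."""
    if ts in _NO_DATE:
        return None
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def stale_credentials(report_csv, now, max_age_days=MAX_AGE_DAYS):
    """Return (user, credential, last_activity) for each enabled credential
    whose last activity is max_age_days or more before `now`.
    Assumption: a never-used credential falls back to its creation/rotation
    date, so an enabled key nobody ever used is still caught."""
    cutoff = now - timedelta(days=max_age_days)
    # (enabled flag column, last-used column, fallback column, label)
    checks = [
        ("password_enabled", "password_last_used", "password_last_changed", "password"),
        ("access_key_1_active", "access_key_1_last_used_date", "access_key_1_last_rotated", "access_key_1"),
        ("access_key_2_active", "access_key_2_last_used_date", "access_key_2_last_rotated", "access_key_2"),
    ]
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":
            continue  # root has no login profile to delete; handled separately
        for enabled_col, used_col, created_col, label in checks:
            if row.get(enabled_col) != "true":
                continue
            last = _parse(row.get(used_col, "N/A")) or _parse(row.get(created_col, "N/A"))
            if last is not None and last <= cutoff:  # "90 or greater days"
                findings.append((user, label, last))
    return findings


def remediation_commands(findings):
    """Render the CLI equivalents of the console steps: delete the login
    profile for a stale password, deactivate a stale access key.
    <access_key_N-id> is a placeholder: the report carries no key IDs."""
    cmds = []
    for user, label, _ in findings:
        if label == "password":
            cmds.append(f"aws iam delete-login-profile --user-name {user}")
        else:
            cmds.append(f"aws iam update-access-key --user-name {user} "
                        f"--access-key-id <{label}-id> --status Inactive")
    return cmds


if __name__ == "__main__":
    found = stale_credentials(SAMPLE_REPORT, NOW)
    for user, label, last in found:
        print(f"{user}: {label} last active {last.date()}")
    print("\n".join(remediation_commands(found)))
```

On the sample, alice's never-used access key (created January) and bob's console password are flagged, and carol's key, last used exactly 90 days before the reference date, is flagged too because the benchmark says "90 or greater". The commands are printed rather than executed so that the findings can be reviewed before anything is disabled.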


Backout Plan

If you want to revert the changes you made, follow these steps:

  1. Sign in to the AWS Management Console.

  2. Navigate to the IAM service at https://console.aws.amazon.com/iam/.

  3. Click on Users in the left navigation pane.

  4. Click on the user you want to take action on and select the Security Credentials tab.

  5. In the Sign-in credentials section, click on the Manage option next to Console password.

  6. Choose Enable and click on Apply.

  7. Go to the Access keys section and click on the Make active option.

References:


CIS Controls:

16.9 Disable Dormant Accounts 

  • Automatically disable dormant accounts after a set period of inactivity.