Description:

AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. It is recommended that all credentials that have been unused for 30 days or more be removed or deactivated.

Rationale:

Disabling or removing unnecessary credentials will reduce the window of opportunity for credentials associated with a compromised or abandoned account to be used.

Impact:

Deleting or disabling unused user credentials protects your AWS resources against unapproved access.

Default Value:

By default, AWS IAM never disables credentials such as passwords or access keys on its own.

Pre-Requisites

  • Log in as an administrator to perform the steps below.

  • Perform the steps below only if the audit finds a user whose credentials have not been used for 90 days or more.



Remediation:

Test Plan

  1. Log in to your AWS account.

  2. Navigate to the IAM service at: https://console.aws.amazon.com/iam

  3. On the left-hand panel, navigate to Access reports, then select Credential report.

  4. Select the Download Report button.

  5. Open the downloaded spreadsheet in Excel and check the user, access_key_1_last_used_date, and password_last_used columns to see when each credential was last used.

  6. If any user has not used their credentials for the past 30 days or more, you need to disable the password. To do so, follow the Implementation Steps.


Using AWS CLI:

Run the get-credential-report command to obtain the IAM credential report for the AWS account you want to examine. A credential report is a CSV document that lists all users (the root user and IAM users) in your AWS account and the current status of their credentials:

aws iam get-credential-report

The command returns the report base64-encoded in the Content field, with ReportFormat set to text/csv:

{
    "Content": "abcd1234abcd1234abcd1234 ... abcd1234abcd1234abcd1234=",
    "GeneratedTime": "2019-04-04T11:21:00Z",
    "ReportFormat": "text/csv"
}
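As an added example (not part of this document), the following Python decodes the base64 Content field returned by get-credential-report and flags the users whose password or active access keys have gone unused for 30 days or more, using the same columns the Test Plan inspects. The sample report is constructed and contains only a subset of the real columns; judging a never-used credential by its creation or rotation date is this example's own choice.

```python
import base64
import csv
import io
from datetime import datetime, timedelta, timezone

# Placeholders the credential report uses when no date is available.
NO_DATE = {"N/A", "no_information", "not_supported"}

def parse_date(value):
    """Return an aware datetime, or None for a report placeholder value."""
    if value in NO_DATE:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def decode_report(content_b64):
    """Content is base64 CSV; the report must have been generated first
    (aws iam generate-credential-report) or get-credential-report has nothing to return."""
    return base64.b64decode(content_b64).decode("utf-8")

def stale_credentials(report_csv, now, max_age_days=30):
    """Return (user, credential, last_used) for each enabled password or active key
    unused for max_age_days or more. Never-used credentials fall back to their
    last-changed/rotated date. Root shows not_supported and is skipped."""
    cutoff = now - timedelta(days=max_age_days)
    checks = [("password", "password_enabled", "password_last_used", "password_last_changed")]
    for n in ("1", "2"):
        checks.append((f"access_key_{n}", f"access_key_{n}_active",
                       f"access_key_{n}_last_used_date", f"access_key_{n}_last_rotated"))
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for name, enabled, used, created in checks:
            if row[enabled] != "true":
                continue
            last = parse_date(row[used]) or parse_date(row[created])
            if last is not None and last <= cutoff:
                findings.append((row["user"], name, last))
    return findings

# Constructed sample (subset of real columns) as of 2019-04-04T11:21:00Z:
# bob's password and never-used key 1 are stale; alice and carol are current.
SAMPLE_CSV = """\
user,password_enabled,password_last_used,password_last_changed,access_key_1_active,access_key_1_last_used_date,access_key_1_last_rotated,access_key_2_active,access_key_2_last_used_date,access_key_2_last_rotated
<root_account>,not_supported,2019-04-01T08:00:00+00:00,not_supported,false,N/A,N/A,false,N/A,N/A
alice,true,2019-04-03T10:00:00+00:00,2019-02-01T10:00:00+00:00,true,2019-04-02T12:00:00+00:00,2019-02-01T10:00:00+00:00,false,N/A,N/A
bob,true,2019-01-15T09:00:00+00:00,2018-11-01T09:00:00+00:00,true,N/A,2018-12-01T09:00:00+00:00,false,N/A,N/A
carol,false,N/A,N/A,true,2019-03-20T09:00:00+00:00,2019-01-01T09:00:00+00:00,true,N/A,2019-03-30T09:00:00+00:00
"""
NOW = datetime(2019, 4, 4, 11, 21, tzinfo=timezone.utc)

if __name__ == "__main__":
    for user, cred, last in stale_credentials(SAMPLE_CSV, NOW):
        print(f"{user}: {cred} last used {last:%Y-%m-%d}")
```

Against a live account, feed the Content string from the JSON output to decode_report and pass the result to stale_credentials with the current time.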


Implementation Steps

  1. Log in to your AWS account (with your root account).

  2. Navigate to the IAM service at: https://console.aws.amazon.com/iam

  3. On the left-hand panel, select Users.

  4. Look under the Last activity column for users whose last activity is greater than 30 days.


For each account that you have determined to be stale, select the link of that IAM user.

  1. Under Summary, select Security credentials, then next to Console password select Manage.
  2. Under Manage console access, next to Console access select Disable.
  3. Go to the Access keys section, find each key whose status is Active and click the Make inactive option.
  4. Repeat these steps for each user account that has passed the 30 days.



Using AWS CLI:

Set access keys older than 30 days to Inactive (--user-name is required when the key belongs to a user other than the caller):

aws iam update-access-key --user-name <name> --access-key-id <key-id> --status Inactive

Alternatively, the access key can be deleted:

aws iam delete-access-key --user-name <name> --access-key-id <key-id>

Remove passwords older than 30 days:

aws iam delete-login-profile --user-name <name>

Alternatively, the password can be replaced with a temporary one that the user is required to change at next sign-in. The existing login profile must be deleted first:

aws iam create-login-profile --user-name <name> --password <new-password> --password-reset-required


Backout Plan

To revert the changes you made, follow these steps:

  1. Sign in to the AWS Management Console.

  2. Navigate to the IAM service at https://console.aws.amazon.com/iam/.

  3. Click on Users in the left navigation pane

  4. Click on the user you want to act on and select the Security credentials tab.

  5. In the Sign-in credentials section, click the Manage option next to Console password.

  6. Choose Enable and click on Apply

  7. Go to the Access key section and click on the Make active option

References: