Description:

AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources. You use IAM to control who is authenticated (signed in) and authorized (has permissions) to use resources.

Rationale:

Assigning IAM policy only through groups unifies permissions management to a single, flexible layer consistent with organizational functional roles. By unifying permissions management, the likelihood of excessive permissions is reduced.

Impact:

IAM policy only through groups unifies permissions management.

Default Value:

IAM user with access keys or password.

Pre-Requisite:

Have IAM user with access keys.

Remediation:

Test Plan:

  • AWS Console Process

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the left navigation pane select users.

  3. Select the user.

  4. Click the Settings (gear) icon.

  5. Select Console last sign-in, Access key last used, and Access Key Id, then click Confirm.

  6. Check and ensure that Console last sign-in is less than 45 days ago.

  7. Never means the user has never logged in.

  8. Check and ensure that Access key age is less than 45 days and that Access key last used does not say None.

  9. If the user hasn't signed into the Console in the last 45 days or Access keys are over 45 days old, refer to the implementation steps.

Using AWS CLI

The first command generates the credential report (it must be generated before it can be retrieved); the second retrieves it, decodes it and prints the columns relevant to this check as lines of text, with the root account row removed:

aws iam generate-credential-report
aws iam get-credential-report --query 'Content' --output text | base64 -d | cut -d, -f1,4,5,6,9,10,11,14,15,16 | grep -v '^<root_account>'

Ensure unused credentials do not exist: 

  • For each user having password_enabled set to TRUE, ensure password_last_used_date is less than 45 days ago.

  • When password_enabled is set to TRUE and password_last_used is set to No_Information, ensure password_last_changed is less than 45 days ago.

  • For each user having access_key_1_active or access_key_2_active set to TRUE, ensure the corresponding access_key_n_last_used_date is less than 45 days ago.

  • When a user has access_key_x_active (where x is 1 or 2) set to TRUE and the corresponding access_key_x_last_used_date is set to N/A, ensure access_key_x_last_rotated is less than 45 days ago.
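The four rules above applied to the credential report columns kept by the cut command, as an added example that is not part of this benchmark text: the report content, the check date and the 45-day threshold are constructed here; against a live account the decoded report would be passed in instead.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(days=45)
# Constructed "now" for the sample below; use datetime.now(timezone.utc) on a live report.
CHECK_TIME = datetime(2024, 3, 5, tzinfo=timezone.utc)

# Constructed sample report in the column layout left by the cut command above.
SAMPLE_REPORT = """user,password_enabled,password_last_used,password_last_changed,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
alice,true,2024-03-01T09:15:00+00:00,2024-01-10T08:00:00+00:00,true,2024-02-20T10:00:00+00:00,2024-03-02T11:00:00+00:00,false,N/A,N/A
bob,true,2023-11-05T12:00:00+00:00,2023-10-01T08:00:00+00:00,false,N/A,N/A,false,N/A,N/A
carol,true,no_information,2024-02-25T08:00:00+00:00,true,2023-12-01T10:00:00+00:00,N/A,false,N/A,N/A
dave,false,N/A,N/A,true,2024-02-28T10:00:00+00:00,2024-03-01T08:00:00+00:00,true,2023-10-15T10:00:00+00:00,2023-11-01T08:00:00+00:00
"""

def _stale(timestamp, now):
    """True when an ISO-8601 timestamp lies more than MAX_AGE before now."""
    return now - datetime.fromisoformat(timestamp) > MAX_AGE

def find_unused_credentials(report_csv, now):
    """Return (user, finding) pairs for credentials that fail the 45-day rules."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user.startswith("<root_account>"):  # mirrors the grep -v above
            continue
        if row["password_enabled"].lower() == "true":
            last_used = row["password_last_used"]
            if last_used.lower() in ("no_information", "n/a"):
                # Password never used: judge it by when it was last changed.
                if _stale(row["password_last_changed"], now):
                    findings.append((user, "password never used and older than 45 days"))
            elif _stale(last_used, now):
                findings.append((user, "password not used in 45 days"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"].lower() != "true":
                continue
            last_used = row[f"access_key_{n}_last_used_date"]
            if last_used.lower() == "n/a":
                # Key never used: judge it by its last rotation (creation) date.
                if _stale(row[f"access_key_{n}_last_rotated"], now):
                    findings.append((user, f"access key {n} never used and older than 45 days"))
            elif _stale(last_used, now):
                findings.append((user, f"access key {n} not used in 45 days"))
    return findings

if __name__ == "__main__":
    for user, finding in find_unused_credentials(SAMPLE_REPORT, CHECK_TIME):
        print(f"{user}: {finding}")
```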


Implementation Plan

  • AWS Console Process

Perform the following to manage Unused Password (IAM user console access)

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the left navigation pane select users.

  3. Click on desired user.

  4. Click security credentials.

  5. In section Sign-in credentials, Console password click Manage.

  6. Under Console Access select Disable and click Apply.


Perform the following to deactivate Access Keys:

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the left navigation pane select users.

  3. Click on the user.

  4. Click on Security Credentials.

  5. Select any access keys that are over 45 days old and that have been used.

  6. Click on Make Inactive. 

  7. Select any access keys that are over 45 days old and that have not been used and click the X to Delete.


Using AWS CLI

  1. Access keys that are over 45 days old and that have not been used can be deleted.

  2. The following delete-access-key command deletes the specified access key (access key ID and secret access key) for the IAM user named Bob:

    aws iam delete-access-key --access-key-id AKIDPMS9RO4H3FEXAMPLE --user-name Bob

Backout Plan:

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the left navigation pane select users.

  3. Click on desired user.

  4. Click security credentials.

  5. Scroll down to Access keys and click Make active to reactivate the access key.

  6. In section Sign-in credentials, Console password click Manage.

  7. Select Enable and click Apply.


Using AWS CLI

No CLI commands for this implementation plan.