Identifiers are provided for users, processes acting on behalf of users, or devices (3.5.). Preventing reuse of identifiers implies preventing the assignment of previously used individual, group, role, or device identifiers to different individuals, groups, roles, or devices. 

Priority: High   

Category: Centralized Controls Management 

Services Associated with AWS:   

  • AWS Identity and Access Management (IAM)

Objective Evidence:   

  • Administrative: documented policies, standards & procedures
  • Administrative: supporting documentation to demonstrate the "secure practices" used to build technology platform-specific secure baseline configurations
  • Technical: screenshot of configuration settings

Possible Technology Considerations:

  • Identity & Access Management (IAM)
  • Secure Baseline Configurations (SBC) 

What needs to be answered:

Are user accounts or identifiers monitored for inactivity? Are user or device identifiers disabled after a defined period of inactivity (30 days)?


  • Disable Inactive Identifiers
    Description: This check verifies that identifiers (user accounts, service accounts, device identifiers) are disabled after a defined period of inactivity, i.e., once they have not been used for the specified length of time. Dormant accounts are a common path to unauthorized access because nobody is watching them, so disabling them reduces the attack surface. Organizations should establish policies and procedures to identify and monitor inactive identifiers and implement controls that automatically disable them once the defined period elapses. The period should be set from the organization's risk tolerance and security requirements (this page uses 30 days). Note that an identifier that has never been used since it was created is also inactive and should be measured from its creation date.

More Details:   

User accounts are monitored for inactivity and reviewed for deactivation or removal after a significant idle period.