Inactive identifiers pose a risk to organizational information because attackers may exploit an inactive identifier to gain undetected access to organizational devices. The owners of inactive accounts are unlikely to notice that unauthorized access to the account has been obtained, because they are no longer using it themselves.

Priority: Medium

Category: Centralized Controls Management 

Services Associated with AWS:   

  • AWS Identity and Access Management (IAM) 

Objective Evidence:   

  • Administrative: documented policies, standards & procedures
  • Administrative: supporting documentation to demonstrate the "secure practices" used to build technology platform-specific secure baseline configurations
  • Technical: screenshot of configuration settings

Possible Technology Considerations:

  • Identity & Access Management (IAM)
  • Secure Baseline Configurations (SBC) 

What needs to be answered:

Are user accounts or identifiers monitored for inactivity? Are user or device identifiers disabled after a period of inactivity (30 days)? 

  • Disable Inactive Identifiers
    Description: This check ensures that identifiers (e.g., user accounts, service accounts, device identifiers) are disabled after a defined period of inactivity. Inactive identifiers refer to accounts or identifiers that have not been used for a specified period of time. Disabling inactive identifiers helps mitigate the risk of unauthorized access and potential misuse of dormant accounts. Organizations should establish policies and procedures to identify and monitor inactive identifiers and implement controls to automatically disable these identifiers after a defined period of inactivity. The defined period of inactivity should be based on the organization's risk tolerance and security requirements. By disabling inactive identifiers, organizations can reduce the attack surface and enhance the overall security posture of their systems.
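The check described above can be evidenced and automated against the AWS service this control is associated with. The following is an added example, not part of the original control text and not AWS-provided code: it evaluates an IAM credential report against the 30-day inactivity threshold from the question above and produces the remediation actions a disable step would take. Because IAM has no single "disable user" switch, the actions it plans are the two that remove a user's ability to sign in: deleting the console login profile and setting access keys to Inactive. The sample report, the fixed evaluation time (`REPORT_NOW`), the column subset, and the `<lookup via list_access_keys>` placeholder are all constructed for this example; a real report carries more columns and the key IDs must be looked up separately since the report does not include them.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Threshold from the control question: identifiers idle for 30 days are disabled.
INACTIVITY_DAYS = 30

# Fixed "now" so the constructed sample evaluates deterministically (assumption).
REPORT_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Constructed sample in the column layout of the IAM credential report
# (the real report, from `aws iam get-credential-report`, has more columns;
# csv.DictReader ignores the extras, so the real CSV can be passed in directly).
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,mfa_active,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
alice,arn:aws:iam::111111111111:user/alice,2023-01-10T09:00:00+00:00,true,2024-05-28T14:12:00+00:00,2024-03-01T00:00:00+00:00,true,true,2024-05-30T10:00:00+00:00,false,N/A
bob,arn:aws:iam::111111111111:user/bob,2023-02-01T09:00:00+00:00,true,2024-01-15T08:00:00+00:00,2023-12-01T00:00:00+00:00,false,false,N/A,false,N/A
ci-deploy,arn:aws:iam::111111111111:user/ci-deploy,2023-03-05T09:00:00+00:00,false,not_supported,not_supported,false,true,2024-02-20T03:00:00+00:00,true,2024-05-29T03:00:00+00:00
new-hire,arn:aws:iam::111111111111:user/new-hire,2024-05-20T09:00:00+00:00,true,no_information,2024-05-20T09:00:00+00:00,false,false,N/A,false,N/A
"""

# The credential report uses these markers when a timestamp is not available.
NO_TIMESTAMP = {"N/A", "no_information", "not_supported", ""}


def parse_timestamp(value):
    """Return an aware datetime, or None when the report has no usable timestamp."""
    if value in NO_TIMESTAMP:
        return None
    return datetime.fromisoformat(value)


def find_inactive_credentials(report_csv, now, threshold_days=INACTIVITY_DAYS):
    """List every enabled credential (console password or access key) whose last
    use is older than the threshold. A credential that was never used is measured
    from the user's creation time, so a brand-new account is not flagged while a
    long-provisioned, never-used one is."""
    cutoff = now - timedelta(days=threshold_days)
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        created = parse_timestamp(row["user_creation_time"])
        credentials = [("password", row["password_enabled"], row["password_last_used"])]
        for slot in (1, 2):
            credentials.append((f"access_key_{slot}",
                                row[f"access_key_{slot}_active"],
                                row[f"access_key_{slot}_last_used_date"]))
        for name, enabled, last_used in credentials:
            if enabled != "true":
                continue  # already disabled or never issued; nothing to do
            last_activity = parse_timestamp(last_used) or created
            if last_activity < cutoff:
                findings.append({
                    "user": row["user"],
                    "credential": name,
                    "idle_days": (now - last_activity).days,
                })
    return findings


def plan_remediation(findings):
    """Map each finding to the IAM API call that disables that credential.
    The report does not carry access key IDs, so the key ID is a placeholder
    to be filled from iam.list_access_keys(UserName=...) before applying."""
    plan = []
    for finding in findings:
        if finding["credential"] == "password":
            plan.append(("delete_login_profile", {"UserName": finding["user"]}))
        else:
            plan.append(("update_access_key", {
                "UserName": finding["user"],
                "AccessKeyId": "<lookup via list_access_keys>",  # placeholder
                "Status": "Inactive",
            }))
    return plan


if __name__ == "__main__":
    inactive = find_inactive_credentials(SAMPLE_REPORT, REPORT_NOW)
    for item in inactive:
        print(f"{item['user']}: {item['credential']} idle {item['idle_days']} days")
    for action, params in plan_remediation(inactive):
        print(f"  -> iam.{action}({params})")
```

Run on a schedule, the findings list is the monitoring record the question asks about, and the planned calls (executed through a boto3 IAM client once key IDs are resolved) are the disable step. Two caveats a reviewer will raise: the credential report is regenerated at most every four hours, so do not treat it as real-time, and measuring never-used credentials from creation time is a policy choice that should match the written procedure.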

More Details:

User accounts are monitored for inactivity and reviewed for deactivation or removal after a significant idle period.