Profile Applicability:

Level 1

Description:

AWS IAM users can authenticate using passwords (console login) and access keys (programmatic access via CLI/API). If credentials are unused for 45 days or more, they should be disabled or removed to prevent unauthorized access due to credential leakage, stale accounts, or abandoned access.

Rationale:

  • Reduces attack surface by removing unused access keys and inactive accounts.

  • Prevents credential reuse attacks for compromised or abandoned accounts.

  • Ensures compliance with CIS, SOC 2, ISO 27001, and other security frameworks.

  • Mitigates insider threats by removing unnecessary credentials for former employees or inactive accounts.

Impact:

  • Failure to disable inactive credentials increases the risk of account compromise.

  • Abandoned IAM accounts with active access credentials pose a security risk if leaked.

  • Non-compliance with security frameworks that mandate credential lifecycle management.

Default Value:

By default, AWS does not disable inactive credentials.

  • IAM users with console passwords can remain active indefinitely unless manually disabled.

  • Access keys do not expire automatically unless rotated or removed.

Pre-Requisites:

  1. IAM Administrator Access:

    • Required permissions: iam:GenerateCredentialReport, iam:GetCredentialReport, iam:ListUsers, iam:GetLoginProfile, iam:DeleteLoginProfile, iam:CreateLoginProfile, iam:ListAccessKeys, iam:GetAccessKeyLastUsed, iam:UpdateAccessKey, iam:DeleteAccessKey.

  2. Access to AWS CloudTrail (optional):

    • To monitor login events and API usage.

  3. Policy for Disabling Inactive Users:

    • Service Control Policies (SCPs) cannot detect inactivity; they can only restrict which principals may create IAM users and access keys. Pair them with a scheduled inactivity check, for example the AWS Config managed rule iam-user-unused-credentials-check with maxCredentialUsageAge set to 45, or a periodic review of the credential report as described below.

Remediation:

Test Plan:

Using AWS Console :

  1. Login to the AWS Console as an IAM Administrator.

  2. Open the IAM Console → Click Users.

  3. Click the Settings (gear icon) in the upper-right corner of the user list.

  4. Select the following columns:

    • Console last sign-in

    • Access key last used

    • Access key age

    • Access Key ID

  5. Click Close to apply settings.

  6. Review the following:

    • If Console last sign-in is more than 45 days ago, the user's console password is inactive.

    • If Access key last used is more than 45 days ago, the key is inactive.

    • If Access key last used is None and Access key age is over 45 days, the key has never been used and is inactive.

Using AWS Command Line:

Generate a credential report. The first call returns State: STARTED; repeat it until it returns State: COMPLETE, otherwise the retrieval step below fails:

 aws iam generate-credential-report

Retrieve and process the credential report. The cut selects user, password_enabled, password_last_used, password_last_changed, access_key_1_active, access_key_1_last_rotated, access_key_1_last_used_date, access_key_2_active, access_key_2_last_rotated and access_key_2_last_used_date; the root account is excluded from this check:

aws iam get-credential-report --query 'Content' --output text | base64 -d | cut -d, -f1,4,5,6,9,10,11,14,15,16 | grep -v '^<root_account>'

  1. Review the following fields:

    • If password_enabled = true and password_last_used is more than 45 days ago, disable console access. If password_last_used is no_information (the password has never been used), apply the 45-day test to password_last_changed instead.

    • If access_key_1_active = true (or access_key_2_active = true) and the corresponding access_key_N_last_used_date is more than 45 days ago, deactivate the key. If the last-used date is N/A (the key has never been used) and access_key_N_last_rotated is more than 45 days ago, delete the key.

Implementation Steps:

Step 1: Disable Unused IAM Console Passwords

Using Console Steps

  1. Login to AWS Console as an IAM Administrator.

  2. Go to IAM Console → Click Users.

  3. Identify users whose Console last sign-in is more than 45 days ago.

  4. Click on the user's Security Credentials tab.

  5. Under Sign-in Credentials, click Manage.

  6. Disable Console Access → Click Apply.

Using Command Line Steps

  • Disable console access for inactive IAM users by deleting the login profile (update-login-profile with --password-reset-required only forces a password change at next sign-in; it does not block sign-in):
 aws iam delete-login-profile --user-name <username>
  • Confirm the user can no longer log in; once the profile is gone this call fails with a NoSuchEntity error:
 aws iam get-login-profile --user-name <username>

Step 2: Disable Unused Access Keys

AWS Console Steps

  1. Login to AWS Console as an IAM Administrator.

  2. Open IAM Console → Click Users.

  3. Click on the IAM user’s name → Go to Security Credentials tab.

  4. Identify access keys that have not been used in the last 45 days (Last used column):

    • If the key has been used before but not within the last 45 days, set it to Inactive.

    • If the key has never been used and is more than 45 days old, delete it.

  5. Click Delete to remove unused access keys (the console asks you to deactivate an active key before it can be deleted).

AWS CLI:

  • List access keys for an IAM user:
 aws iam list-access-keys --user-name <username>
  • Check when each key was last used (LastUsedDate is absent and ServiceName is N/A for a key that has never been used):
 aws iam get-access-key-last-used --access-key-id <access-key-id>
  • Deactivate keys not used in the last 45 days:
 aws iam update-access-key --access-key-id <access-key-id> --user-name <username> --status Inactive
  • Delete keys that have never been used and are more than 45 days old:
 aws iam delete-access-key --access-key-id <access-key-id> --user-name <username>
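The Test Plan's credential-report review and the Step 1 / Step 2 commands above can be combined into one offline audit. The script below is an added example, not part of this page or of any AWS tooling: it parses the CSV that `aws iam get-credential-report` returns after base64 decoding, applies the 45-day rules exactly as stated in the Test Plan (password_last_changed when the password was never used, access_key_N_last_rotated when the key was never used), and prints the remediation commands from Steps 1 and 2. The report rows, the account ID 111122223333 and the fixed "today" of 2024-06-01 are constructed for the example; in real use, feed it the decoded report and the current time.

```python
"""Audit an IAM credential report for credentials unused for 45 days or more (added example)."""
import csv
import io
from datetime import datetime, timezone

INACTIVITY_DAYS = 45

# Constructed sample report: the header is the real credential-report header,
# but every row, date and the account ID are made up for this example.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,not_supported,2024-05-01T00:00:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2023-01-10T00:00:00+00:00,true,2024-05-28T12:00:00+00:00,2024-01-10T00:00:00+00:00,N/A,true,true,2024-01-10T00:00:00+00:00,2024-05-30T00:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2023-06-01T00:00:00+00:00,true,2024-02-01T00:00:00+00:00,2023-06-01T00:00:00+00:00,N/A,false,true,2023-06-01T00:00:00+00:00,N/A,N/A,N/A,true,2024-05-20T00:00:00+00:00,2024-05-29T00:00:00+00:00,us-east-1,ec2,false,N/A,false,N/A
carol,arn:aws:iam::111122223333:user/carol,2024-05-25T00:00:00+00:00,true,no_information,2024-05-25T00:00:00+00:00,N/A,false,true,2024-05-25T00:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
dave,arn:aws:iam::111122223333:user/dave,2023-01-01T00:00:00+00:00,false,N/A,N/A,N/A,false,true,2023-01-01T00:00:00+00:00,2024-03-01T00:00:00+00:00,us-west-2,sts,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

# Fixed "today" so the sample produces reproducible results (assumption for the example).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def _age_days(value, now):
    """Age in whole days of an ISO-8601 report field; None for N/A, no_information, not_supported."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return (now - datetime.fromisoformat(value)).days


def audit_credential_report(report_csv, now=NOW):
    """Return (user, credential, action, age_days) for every credential unused for 45+ days."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":
            continue  # root is excluded from this check, as in the Test Plan's grep -v

        # Console password: last sign-in, or last password change if it was never used.
        if row["password_enabled"] == "true":
            age = _age_days(row["password_last_used"], now)
            if age is None:
                age = _age_days(row["password_last_changed"], now)
            if age is not None and age >= INACTIVITY_DAYS:
                findings.append((user, "password", "disable_console_access", age))

        # Access keys: last-used date, or creation/rotation date if never used.
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            age = _age_days(row[f"access_key_{n}_last_used_date"], now)
            if age is None:
                age = _age_days(row[f"access_key_{n}_last_rotated"], now)
                if age is not None and age >= INACTIVITY_DAYS:
                    findings.append((user, f"access_key_{n}", "delete_never_used", age))
            elif age >= INACTIVITY_DAYS:
                findings.append((user, f"access_key_{n}", "deactivate", age))
    return findings


def remediation_commands(findings):
    """Map findings to the Step 1 / Step 2 CLI commands. The report does not contain
    access key IDs, so <access-key-id> must be resolved with aws iam list-access-keys."""
    cmds = []
    for user, _cred, action, _age in findings:
        if action == "disable_console_access":
            cmds.append(f"aws iam delete-login-profile --user-name {user}")
        elif action == "deactivate":
            cmds.append(f"aws iam update-access-key --user-name {user} "
                        f"--access-key-id <access-key-id> --status Inactive")
        elif action == "delete_never_used":
            cmds.append(f"aws iam delete-access-key --user-name {user} "
                        f"--access-key-id <access-key-id>")
    return cmds


if __name__ == "__main__":
    for finding in audit_credential_report(SAMPLE_REPORT):
        print("FINDING:", finding)
    for cmd in remediation_commands(audit_credential_report(SAMPLE_REPORT)):
        print(cmd)
```

With the sample report the script flags bob's password (last used 121 days ago), bob's never-used first key (created 366 days ago) and dave's first key (last used 92 days ago); alice and carol are within the 45-day window and produce no findings. To run it against a real account, replace SAMPLE_REPORT with the output of the get-credential-report pipeline (without the cut and grep) and drop the NOW override.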


Backout Plan:

If an IAM user requires access after being disabled:

Re-create the IAM user's console password. The login profile was deleted during remediation, so create a new one with a temporary password and force a change at first sign-in:

aws iam create-login-profile --user-name <username> --password '<temporary-password>' --password-reset-required

Re-activate the access key. A deleted key cannot be restored; issue a replacement with aws iam create-access-key instead:

aws iam update-access-key --user-name <username> --access-key-id <access-key-id> --status Active

References:

CIS Controls Mapping:

CIS Control Version | Control ID | Control Description
--------------------+------------+-------------------------------------------------------
CIS v8              | 5.3        | Disable dormant accounts after 45 days of inactivity.
CIS v7              | 16.9       | Automatically disable dormant accounts.