Profile Applicability:
Level 1
Description:
AWS IAM users can authenticate using passwords (console login) and access keys (programmatic access via CLI/API). If credentials are unused for 45 days or more, they should be disabled or removed to prevent unauthorized access due to credential leakage, stale accounts, or abandoned access.
Rationale:
Reduces attack surface by removing unused access keys and inactive accounts.
Prevents credential reuse attacks for compromised or abandoned accounts.
Ensures compliance with CIS, SOC 2, ISO 27001, and other security frameworks.
Mitigates insider threats by removing unnecessary credentials for former employees or inactive accounts.
Impact:
Failure to disable inactive credentials increases the risk of account compromise.
Abandoned IAM accounts with active access credentials pose a security risk if leaked.
Non-compliance with security frameworks that mandate credential lifecycle management.
Default Value:
By default, AWS does not disable inactive credentials.
IAM users with console passwords can remain active indefinitely unless manually disabled.
Access keys do not expire automatically unless rotated or removed.
Pre-Requisites:
IAM Administrator Access:
Required permissions: iam:ListUsers, iam:UpdateLoginProfile, iam:UpdateAccessKey.
Access to AWS CloudTrail (optional):
To monitor login events and API usage.
Policy for Disabling Inactive Users:
Implement AWS Organizations Service Control Policies (SCPs) to enforce IAM user inactivity controls.
Remediation:
Test Plan:
Using AWS Console:
Log in to the AWS Console as an IAM Administrator.
Open the IAM Console → Click Users.
Click the Settings (gear icon) in the upper-right corner of the user list.
Select:
Console last sign-in
Access key last used
Access Key ID
Click Close to apply settings.
Review the following:
If Console last sign-in is more than 45 days ago, the user is inactive.
If Access Key Age is over 45 days and Access Key Last Used is None, the key is inactive.
Using AWS Command Line:
Generate a credential report:
aws iam generate-credential-report
Retrieve and process the credential report:
aws iam get-credential-report --query 'Content' --output text | base64 -d | cut -d, -f1,4,5,6,9,10,11,14,15,16 | grep -v '^<root_account>'
Review the following fields:
If password_enabled = true and password_last_used is more than 45 days ago, disable console access.
If access_key_1_active = true or access_key_2_active = true, and the corresponding access_key_N_last_used_date = N/A (never used), disable that access key.
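The following Python script is an added example, not part of the benchmark or the AWS CLI: it applies the two rules above to the decoded CSV that the get-credential-report command emits. The report rows, the account id 111122223333 and the user names are constructed sample data. It goes slightly beyond the text in one place: a password or key that has never been used is aged from its creation (or last rotation) date, so dormant accounts are still flagged.

```python
import csv
from datetime import datetime, timedelta, timezone

INACTIVE_DAYS = 45

# Constructed sample of a decoded credential report (hypothetical account id and
# users; trailing signing-certificate columns omitted). Not real account data.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service
<root_account>,arn:aws:iam::111122223333:root,2023-01-01T00:00:00+00:00,not_supported,2025-05-20T08:00:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,2023-02-01T00:00:00+00:00,true,2025-05-28T09:15:00+00:00,2025-01-10T00:00:00+00:00,N/A,true,true,2025-01-10T00:00:00+00:00,2025-05-29T10:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A
bob,arn:aws:iam::111122223333:user/bob,2023-03-01T00:00:00+00:00,true,2025-02-01T12:00:00+00:00,2024-12-01T00:00:00+00:00,N/A,false,true,2024-12-01T00:00:00+00:00,N/A,N/A,N/A,true,2025-03-01T00:00:00+00:00,2025-05-30T00:00:00+00:00,eu-west-1,ec2
carol,arn:aws:iam::111122223333:user/carol,2024-01-01T00:00:00+00:00,false,no_information,N/A,N/A,false,true,2024-01-01T00:00:00+00:00,2024-02-01T00:00:00+00:00,us-east-1,sts,false,N/A,N/A,N/A,N/A
"""
# Reference date for the sample; for a live report use datetime.now(timezone.utc).
SAMPLE_NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)


def parse_ts(value):
    # The report uses N/A, no_information and not_supported for "no timestamp".
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def older_than(ts, now, days=INACTIVE_DAYS):
    return ts is not None and now - ts > timedelta(days=days)


def find_inactive_credentials(report_csv, now):
    """Return (user, finding) pairs for credentials that fail the 45-day rule; root is skipped."""
    findings = []
    for row in csv.DictReader(report_csv.splitlines()):
        user = row["user"]
        if user == "<root_account>":
            continue
        if row["password_enabled"] == "true":
            # A never-used password is aged from user creation so dormant accounts are still caught.
            ref = parse_ts(row["password_last_used"]) or parse_ts(row["user_creation_time"])
            if older_than(ref, now):
                findings.append((user, "console password unused for >45 days"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            last_used = parse_ts(row[f"access_key_{n}_last_used_date"])
            if last_used is None:
                # Never used: age the key from its last rotation (creation) date.
                if older_than(parse_ts(row[f"access_key_{n}_last_rotated"]), now):
                    findings.append((user, f"access key {n} never used and older than 45 days"))
            elif older_than(last_used, now):
                findings.append((user, f"access key {n} unused for >45 days"))
    return findings


def audit_sample():
    return find_inactive_credentials(SAMPLE_REPORT, SAMPLE_NOW)
```

Feed the output of the get-credential-report pipeline (before the cut) to find_inactive_credentials with the current UTC time to audit a real account.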
Implementation Steps:
Step 1: Disable Unused IAM Console Passwords
Using Console Steps
Log in to the AWS Console as an IAM Administrator.
Go to IAM Console → Click Users.
Identify users whose Console last sign-in is more than 45 days ago.
Click on the user's Security Credentials tab.
Under Sign-in Credentials, click Manage.
Disable Console Access → Click Apply.
Using Command Line Steps
- Disable console access for inactive IAM users by deleting the login profile (the console password). Note that update-login-profile with --password-reset-required only forces a password change at the next sign-in; it does not block access:
aws iam delete-login-profile --user-name <username>
- Confirm the user cannot log in by checking their credentials:
aws iam get-login-profile --user-name <username>
Step 2: Disable Unused Access Keys
AWS Console Steps
Log in to the AWS Console as an IAM Administrator.
Open IAM Console → Click Users.
Click on the IAM user’s name → Go to Security Credentials tab.
Identify access keys older than 45 days:
If the key has not been used in the last 45 days, set it to Inactive.
If the key was never used, delete it.
Click Delete (X) to remove unused access keys.
AWS CLI:
- List access keys for an IAM user:
aws iam list-access-keys --user-name <username>
- Deactivate keys older than 45 days:
aws iam update-access-key --access-key-id <access-key-id> --user-name <username> --status Inactive
- Delete keys that have never been used:
aws iam delete-access-key --access-key-id <access-key-id> --user-name <username>
Backout Plan:
If an IAM user requires access after being disabled:
Re-enable the IAM user's console password. If the login profile was deleted, re-create it with a temporary password that must be changed at first sign-in:
aws iam create-login-profile --user-name <username> --password <temporary-password> --password-reset-required
If the login profile still exists and was only flagged for reset, clear the flag:
aws iam update-login-profile --user-name <username> --no-password-reset-required
Re-activate the access key:
aws iam update-access-key --user-name <username> --access-key-id <access-key-id> --status Active
References: