Profile Applicability
Level 1
Description:
IAM credentials (console passwords and access keys) that have not been used for a specified period represent a potential security risk. Credentials that are not actively used should be disabled to reduce the attack surface. This control ensures that IAM credentials that have not been used for 45 days or more are disabled, whether manually or through an automated workflow.
By disabling unused credentials, organizations can limit the potential for unauthorized access and prevent old credentials from being exploited if they are compromised.
Rationale:
IAM credentials that are not actively used but remain enabled can pose a security risk. If credentials are compromised or misused:
They can be used by attackers to gain unauthorized access to AWS resources.
They provide an opportunity for attackers to escalate privileges or cause disruption without being immediately detected.
Disabling credentials that are unused for more than 45 days helps reduce the risk of unauthorized access and adheres to security best practices for credential management.
Impact:
Failure to disable unused credentials can lead to:
Increased exposure to attacks from old, unused credentials.
Difficulty in tracking and auditing the active use of IAM credentials.
Potential unauthorized access to resources if an attacker gains control of unused, yet active, credentials.
Enforcing this policy helps to mitigate these risks by ensuring that unused credentials do not remain active.
Default Value:
By default, AWS does not disable unused IAM credentials; an enabled password or Active access key stays usable until someone changes it. Detection and disabling must be set up by the organization, for example with the AWS Config managed rule iam-user-unused-credentials-check (its maxCredentialUsageAge parameter set to 45) driving an automated remediation, or with a scheduled job (EventBridge and Lambda) that reads the IAM credential report and deactivates stale credentials.
Pre-Requisites:
AWS CLI installed and configured
IAM permissions to view and update IAM credentials, at minimum iam:GenerateCredentialReport, iam:GetCredentialReport, iam:ListUsers, iam:ListAccessKeys, iam:GetAccessKeyLastUsed, iam:UpdateAccessKey and iam:DeleteAccessKey
Access to the AWS Management Console or CLI to set up automated workflows for disabling unused credentials
Remediation:
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Go to IAM > Users. The Last activity column shows when each user last used the console password or an access key; sort by it to find inactive users.
For each user, open the Security credentials tab. The Console sign-in section shows whether a password is set and when it was last used; the Access keys section shows each key's Status and Last used date.
Any enabled password or Active access key whose Last used date is 45 days or more in the past, or that has never been used and was created 45 or more days ago, is a finding.
Using AWS CLI:
Generate and download the IAM credential report, which lists the last-use dates of every user's password and access keys in one CSV:
aws iam generate-credential-report
aws iam get-credential-report --query Content --output text | base64 --decode
In the report, password_last_used, access_key_1_last_used_date and access_key_2_last_used_date give the last-use dates (UTC). A value of N/A or no_information means the credential has never been used; in that case measure its age from user_creation_time (password) or access_key_N_last_rotated (key). Only rows where password_enabled or access_key_N_active is true are in scope.
The report does not include access key IDs. To list a user's keys and check one directly:
aws iam list-access-keys --user-name <user-name>
aws iam get-access-key-last-used --access-key-id <access-key-id> --output table
This shows the date, service and region of the key's last use (LastUsedDate is absent when the key has never been used). Any Active key unused for 45 days or more is a finding.
Implementation Plan:
Using AWS Console:
Review IAM users:
Open IAM > Users > <IAM user> > Security credentials and review the Last used date of the console password and of each access key.
Disable or delete unused credentials:
For any access key that has not been used for 45 days or more, select it under Access keys and choose Actions > Deactivate (reversible) or Delete (permanent). For a console password unused for 45 days or more, choose Console sign-in > Manage console access and disable console access.
Using AWS CLI:
To deactivate an unused access key (reversible; the key can be set back to Active if it turns out to be needed):
aws iam update-access-key --user-name <user-name> --access-key-id <access-key-id> --status Inactive
To delete an unused access key:
aws iam delete-access-key --user-name <user-name> --access-key-id <access-key-id>
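The CLI test plan and implementation plan above can be combined into one script. The following is an added example, not part of this benchmark text and not AWS tooling: it parses the credential report that the test plan downloads, reports every enabled password or Active access key unused for 45 days or more (measuring never-used credentials from their creation), and on a live run with --apply sets stale keys to Inactive with UpdateAccessKey, the reversible remediation. The account ID, user names and report rows are constructed for the example; the column names, marker values and the 45-day threshold are the real ones. boto3 is needed only for a live run.

```python
"""Find IAM credentials unused for 45 days or more and disable stale access keys.
Added example, not from the benchmark: the logic reads the IAM credential report (the
artifact the CLI test plan downloads), so it runs offline on the constructed sample
below. --live fetches the real report with boto3; keys change only with --apply."""
import csv
import io
import sys
import time
from datetime import datetime, timedelta, timezone

STALE_AFTER_DAYS = 45
NO_DATE = {"", "N/A", "no_information", "not_supported"}  # report markers meaning "no date"

# Constructed report (real column layout, fictitious account and users), as of SAMPLE_NOW:
#  alice: password used 4 days ago (ok); access key 1 last used 92 days ago (stale)
#  bob:   password never used since creation 138 days ago (stale); key 1 never used but
#         created 12 days ago (ok); key 2 already inactive (out of scope)
#  carol: no console password, no access keys
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_REPORT = (
    "user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,"
    "mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,"
    "access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,"
    "access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated\n"
    "<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,2024-05-30T09:00:00+00:00,"
    "not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A\n"
    "alice,arn:aws:iam::123456789012:user/alice,2023-02-01T00:00:00+00:00,true,2024-05-28T12:00:00+00:00,"
    "2024-01-10T00:00:00+00:00,N/A,true,true,2023-02-01T00:00:00+00:00,2024-03-01T00:00:00+00:00,us-east-1,s3,"
    "false,N/A,N/A,N/A,N/A,false,N/A,false,N/A\n"
    "bob,arn:aws:iam::123456789012:user/bob,2024-01-15T00:00:00+00:00,true,no_information,2024-01-15T00:00:00+00:00,"
    "N/A,false,true,2024-05-20T00:00:00+00:00,N/A,N/A,N/A,false,2023-01-01T00:00:00+00:00,2023-01-05T00:00:00+00:00,"
    "us-west-2,ec2,false,N/A,false,N/A\n"
    "carol,arn:aws:iam::123456789012:user/carol,2023-06-01T00:00:00+00:00,false,N/A,N/A,N/A,false,false,N/A,N/A,"
    "N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A\n"
)

def parse_report_time(value):
    """ISO 8601 UTC timestamp from the report, or None for the no-date markers."""
    return None if value in NO_DATE else datetime.fromisoformat(value.replace("Z", "+00:00"))

def find_stale_credentials(report_csv, now, stale_days=STALE_AFTER_DAYS):
    """One finding per enabled password or Active access key unused for >= stale_days.
    Never-used credentials count from user creation (password) or last rotation (key).
    Root is skipped: its credentials are covered by separate controls."""
    cutoff, findings = now - timedelta(days=stale_days), []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] == "<root_account>":
            continue
        checks = []
        if row["password_enabled"] == "true":
            checks.append(("password", row["password_last_used"], row["user_creation_time"]))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] == "true":
                checks.append((f"access_key_{n}", row[f"access_key_{n}_last_used_date"],
                               row[f"access_key_{n}_last_rotated"]))
        for name, last_used, created in checks:
            ref = parse_report_time(last_used) or parse_report_time(created)
            if ref is not None and ref <= cutoff:
                findings.append({"user": row["user"], "credential": name,
                                 "unused_days": (now - ref).days})
    return findings

def disable_stale_access_keys(iam, users, now, stale_days=STALE_AFTER_DAYS, dry_run=True):
    """Set each user's Active keys unused for >= stale_days to Inactive (reversible, unlike
    delete). `iam` is a boto3 IAM client or any object with the same list_access_keys /
    get_access_key_last_used / update_access_key methods. The report carries no key IDs, so
    each key is re-checked by ID. Returns (user, key_id) pairs disabled (or to be, in dry-run)."""
    cutoff, disabled = now - timedelta(days=stale_days), []
    for user in users:
        for meta in iam.list_access_keys(UserName=user)["AccessKeyMetadata"]:  # at most 2 keys
            if meta["Status"] != "Active":
                continue
            last = iam.get_access_key_last_used(AccessKeyId=meta["AccessKeyId"])["AccessKeyLastUsed"]
            ref = last.get("LastUsedDate") or meta["CreateDate"]  # never used: age since creation
            if ref <= cutoff:
                if not dry_run:
                    iam.update_access_key(UserName=user, AccessKeyId=meta["AccessKeyId"], Status="Inactive")
                disabled.append((user, meta["AccessKeyId"]))
    return disabled

def main(argv):
    iam, report, now = None, SAMPLE_REPORT, SAMPLE_NOW
    if "--live" in argv:
        import boto3  # needed only for a live run
        iam = boto3.client("iam")
        while iam.generate_credential_report()["State"] != "COMPLETE":  # asynchronous: poll
            time.sleep(2)
        report, now = iam.get_credential_report()["Content"].decode(), datetime.now(timezone.utc)
    findings = find_stale_credentials(report, now)
    for f in findings:
        print(f"{f['user']}: {f['credential']} unused for {f['unused_days']} days")
    if iam is not None:
        users = sorted({f["user"] for f in findings if f["credential"].startswith("access_key")})
        for user, key_id in disable_stale_access_keys(iam, users, now, dry_run="--apply" not in argv):
            print(f"{'disabled' if '--apply' in argv else 'would disable'} {key_id} ({user})")
    # Passwords have no Inactive state: after review, remove them with delete_login_profile.

if __name__ == "__main__":
    main(sys.argv[1:])
```

Run it with no arguments to see the two findings in the constructed sample (alice's access key 1, bob's never-used password); --live reads the account's real report once generate-credential-report finishes and prints which keys would be deactivated; --live --apply performs the UpdateAccessKey calls. The script deliberately leaves console passwords alone: a password cannot be set Inactive, so once a finding is confirmed the equivalent step is aws iam delete-login-profile --user-name <user-name>, which can only be undone by creating a new login profile.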
Backout Plan:
Using AWS Console:
If credentials were disabled or deleted in error:
Go to IAM > Users > <IAM user> > Access keys.
Set a deactivated key back to Active. A deleted key cannot be recovered: create a new access key and distribute the new secret to its owner.
If there are problems with automated workflows:
Review the workflow setup and adjust the frequency or thresholds for disabling unused credentials.
Using AWS CLI:
If access keys were disabled or deleted in error:
To reactivate a disabled access key:
aws iam update-access-key --user-name <user-name> --access-key-id <access-key-id> --status Active
If a key was deleted, it cannot be restored; create a replacement key and distribute the new secret to its owner (the secret is shown only once):
aws iam create-access-key --user-name <user-name>