
lacework-global-121

Identity and Access Management (IAM) user should not be inactive for more than 30 days

Description

IAM users can access the AWS console using a password with optional Multi-Factor Authentication (MFA), and can use keys for programmatic access. Best practices recommend turning off console and programmatic access for IAM users who have been inactive for more than 30 days.

Remediation

Perform the following to manage unused credentials:

  1. Log in to the AWS Management Console.

  2. Click Services.

  3. Click IAM and select Users.

  4. Open the IAM user of interest and select the Security Credentials tab.

  5. If the user has an unused password, under the Sign-in credentials section, click Manage next to Console password.

  6. Select the Disable option for Console access and click Apply.

  7. If there is an unused access key, click Make inactive next to that access key.

  8. In the pop-up window, click Deactivate to confirm.
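The console steps above scale poorly across an account with many users, so the same check and remediation are usually scripted against the IAM credential report. The example below is added here and is not Lacework's code or an official AWS tool: it parses a constructed credential report (the same CSV layout that `get_credential_report` returns, trimmed to the columns it uses), flags console passwords and access keys unused for more than 30 days, and plans the API equivalents of steps 5 through 8 (`delete_login_profile` for disabling console access, `update_access_key` with `Status="Inactive"` for deactivating a key). The live functions assume `boto3` is installed and that the caller holds the listed IAM permissions; the reference date, account ID and usernames are constructed.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

INACTIVE_AFTER = timedelta(days=30)
# Values the credential report uses when no date exists for a field.
NO_DATE = {"N/A", "no_information", "not_supported", ""}

# Constructed sample credential report (fictional account 111122223333), trimmed
# to the columns used below. The real report has more columns in the same style.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,not_supported,2024-02-20T09:00:00+00:00,not_supported,true,false,N/A,N/A,false,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,2021-05-10T00:00:00+00:00,true,2024-02-25T08:00:00+00:00,2023-11-01T00:00:00+00:00,true,true,2023-11-01T00:00:00+00:00,2024-02-28T12:00:00+00:00,false,N/A,N/A
bob,arn:aws:iam::111122223333:user/bob,2021-05-10T00:00:00+00:00,true,2023-12-01T08:00:00+00:00,2023-06-01T00:00:00+00:00,false,true,2023-06-01T00:00:00+00:00,2024-01-05T12:00:00+00:00,true,2024-02-20T00:00:00+00:00,N/A
carol,arn:aws:iam::111122223333:user/carol,2023-12-15T00:00:00+00:00,true,no_information,2023-12-15T00:00:00+00:00,false,false,N/A,N/A,false,N/A,N/A
"""

# Constructed evaluation date so the sample gives a stable answer.
REFERENCE_NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)


def parse_ts(value):
    """Turn a report timestamp into an aware datetime, or None if the field carries no date."""
    if value in NO_DATE:
        return None
    return datetime.fromisoformat(value)


def inactive_credentials(report_csv, now, threshold=INACTIVE_AFTER):
    """Return {user: [credential, ...]} for credentials unused longer than `threshold`.

    A password that was never used counts from its last change (or user creation);
    an active key that was never used counts from its creation/rotation date.
    The root account is skipped: it has no login profile or keys to disable here.
    """
    cutoff = now - threshold
    findings = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] == "<root_account>":
            continue
        unused = []
        if row["password_enabled"] == "true":
            last = (parse_ts(row["password_last_used"])
                    or parse_ts(row["password_last_changed"])
                    or parse_ts(row["user_creation_time"]))
            if last < cutoff:
                unused.append("console_password")
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] == "true":
                last = (parse_ts(row[f"access_key_{n}_last_used_date"])
                        or parse_ts(row[f"access_key_{n}_last_rotated"]))
                if last < cutoff:
                    unused.append(f"access_key_{n}")
        if unused:
            findings[row["user"]] = unused
    return findings


def fetch_credential_report():
    """Download the live report. Assumes boto3 and iam:GenerateCredentialReport/GetCredentialReport."""
    import time
    import boto3
    iam = boto3.client("iam")
    while iam.generate_credential_report()["State"] != "COMPLETE":
        time.sleep(2)
    return iam.get_credential_report()["Content"].decode()


def remediate(findings, now, dry_run=True, threshold=INACTIVE_AFTER):
    """API equivalent of console steps 5-8. With dry_run=True nothing is called.

    Live mode assumes boto3 and iam:DeleteLoginProfile, iam:ListAccessKeys,
    iam:GetAccessKeyLastUsed and iam:UpdateAccessKey. Key IDs are not in the
    report, so each active key is re-checked by ID before it is deactivated.
    """
    cutoff = now - threshold
    iam = None if dry_run else __import__("boto3").client("iam")
    planned = []
    for user, items in findings.items():
        if "console_password" in items:
            planned.append(("delete_login_profile", user, None))
            if iam:
                iam.delete_login_profile(UserName=user)  # disables console access
        if not any(i.startswith("access_key_") for i in items):
            continue
        if iam is None:
            planned.append(("update_access_key:Inactive", user, "<resolved at run time>"))
            continue
        for key in iam.list_access_keys(UserName=user)["AccessKeyMetadata"]:
            if key["Status"] != "Active":
                continue
            info = iam.get_access_key_last_used(AccessKeyId=key["AccessKeyId"])["AccessKeyLastUsed"]
            last = info.get("LastUsedDate", key["CreateDate"])  # never used: count from creation
            if last < cutoff:
                iam.update_access_key(UserName=user, AccessKeyId=key["AccessKeyId"], Status="Inactive")
                planned.append(("update_access_key:Inactive", user, key["AccessKeyId"]))
    return planned


if __name__ == "__main__":
    found = inactive_credentials(SAMPLE_REPORT, REFERENCE_NOW)
    for action in remediate(found, REFERENCE_NOW):  # dry run: prints the plan only
        print(action)
```

Run it as-is to see the dry-run plan for the sample; to evaluate a real account, replace `SAMPLE_REPORT` with `fetch_credential_report()` and `REFERENCE_NOW` with `datetime.now(timezone.utc)`, and only pass `dry_run=False` after reviewing the plan, since deleting a login profile removes the user's password rather than suspending it.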