lacework-global-41
1.12 Disable credentials unused for 45 days or greater (Automated)
Profile Applicability
• Level 1
Description
AWS Identity and Access Management (IAM) users can access AWS resources using different types of credentials, such as passwords or access keys. Best practices recommend deactivating or removing credentials unused for 45 days or greater.
Rationale
Disabling or removing unnecessary credentials will reduce the window of opportunity for credentials associated with a compromised or abandoned account to be used.
Audit
Perform the following to determine if unused credentials exist:
From Console
- Login to the AWS Management Console.
- Click Services.
- Click IAM.
- Click on Users.
- Click the Settings (gear) icon.
- Select Console last sign-in, Access key last used, and Access Key Id.
- Click on Close.
- Check and ensure that Console last sign-in is less than 45 days ago. Note - Never means the user has never logged in.
- Check and ensure that Access key age is less than 45 days and that Access key last used does not say None.
- If the user hasn't signed into the Console in the last 45 days or Access keys are over 45 days old, refer to the remediation.
From Command Line
Download Credential Report:
Run the following commands:
aws iam generate-credential-report
aws iam get-credential-report --query 'Content' --output text | base64 -d | cut -d, -f1,4,5,6,9,10,11,14,15,16
Ensure unused credentials do not exist:
- For each user having password_enabled set to TRUE, ensure password_last_used_date is less than 45 days ago.
- When password_enabled is set to TRUE and password_last_used is set to No_Information, ensure password_last_changed is less than 45 days ago.
- For each user having access_key_1_active or access_key_2_active set to TRUE, ensure the corresponding access_key_n_last_used_date is less than 45 days ago.
- When a user has access_key_x_active (where x is 1 or 2) set to TRUE and the corresponding access_key_x_last_used_date is set to N/A, ensure access_key_x_last_rotated is less than 45 days ago.
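A way to apply the four credential-report checks above automatically, added here as an example (not Lacework's or the CIS benchmark's own code): it parses the cut-down CSV, treats the report's N/A / no_information placeholders as "never used" and falls back to the last-changed or last-rotated date as the rules require. The sample report and the fixed reference date are constructed.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

MAX_AGE_DAYS = 45
# Constructed sample report, trimmed to the columns kept by the cut command
# above (user, password_*, access_key_1_*, access_key_2_*). Values are made up.
SAMPLE_REPORT = """\
user,password_enabled,password_last_used,password_last_changed,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
alice,true,2024-02-20T08:12:00+00:00,2023-11-01T09:00:00+00:00,true,2024-01-10T00:00:00+00:00,2024-02-25T11:00:00+00:00,false,N/A,N/A
bob,true,no_information,2023-10-01T09:00:00+00:00,false,N/A,N/A,false,N/A,N/A
carol,false,not_supported,not_supported,true,2023-09-15T00:00:00+00:00,N/A,true,2024-02-01T00:00:00+00:00,2024-02-27T00:00:00+00:00
"""
# Fixed clock for reproducible output; use datetime.now(timezone.utc) on a live report.
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)

def parse_ts(value):
    """ISO-8601 -> aware datetime; N/A, no_information, not_supported return None."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None

def older_than_limit(value, now):
    ts = parse_ts(value)
    return ts is not None and now - ts > timedelta(days=MAX_AGE_DAYS)

def find_unused_credentials(report_text, now=NOW):
    findings = []  # (user, credential, reason) tuples, one per violation
    for row in csv.DictReader(io.StringIO(report_text)):
        user = row["user"]
        # Rules 1-2: console password; fall back to last_changed when never used.
        if row["password_enabled"].lower() == "true":
            if parse_ts(row["password_last_used"]) is None:
                if older_than_limit(row["password_last_changed"], now):
                    findings.append((user, "password", "never used, set >45 days ago"))
            elif older_than_limit(row["password_last_used"], now):
                findings.append((user, "password", "last used >45 days ago"))
        # Rules 3-4: each active access key; fall back to last_rotated when never used.
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"].lower() != "true":
                continue
            key, used = f"access_key_{n}", row[f"access_key_{n}_last_used_date"]
            if parse_ts(used) is None:
                if older_than_limit(row[f"{key}_last_rotated"], now):
                    findings.append((user, key, "never used, created >45 days ago"))
            elif older_than_limit(used, now):
                findings.append((user, key, "last used >45 days ago"))
    return findings
```

Run against a real report by piping the cut output into the function; the live report uses lowercase true/false and no_information, which the comparisons above accept.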
Remediation
From Console
Perform the following to manage Unused Password (IAM user console access):
- Login to the AWS Management Console.
- Click Services.
- Click IAM.
- Click Users.
- Click Security Credentials.
- Select user whose Console last sign-in is greater than 45 days.
- Click Security credentials.
- In section Sign-in credentials, Console password click Manage.
- Under Console Access select Disable.
- Click Apply.
Perform the following to deactivate Access Keys:
- Login to the AWS Management Console.
- Click Services.
- Click IAM.
- Click Users.
- Click Security Credentials.
- Select any unused access keys that are over 45 days old and:
  - Click Make Inactive
  - Click the X to Delete
You can utilize Lacework's remediation template to resolve violations of this policy. See Remediation Templates.
References
CCE-78900-8
https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#remove-credentials
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_finding-unused.html
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_admin-change-user.html
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html