🛡️ AWS IAM Access Key is unused🟢

Contextual name: 🛡️ IAM Access Key is unused🟢
ID: /ce/ca/aws/iam/access-key-unused
Tags:
- 🟢 Policy with categories
- 🟢 Policy with type
- 🟢 Production policy
Policy Type: BEST_PRACTICE
Policy Categories: SECURITY

Logic

🧠 prod.logic.yaml🟢
- 📗 AWS IAM Access Key
- 🔌 AWS IAM Access Key - object.extracts.yaml
- 🧪 test-data.json

Similar Policies

AWS Security Hub: [IAM.8] Unused IAM user credentials should be removed
Cloud Conformity: Unnecessary Access Keys

Description

Description

Identify and remove unused IAM access keys to protect AWS resources from unauthorized access. An IAM user access key pair is considered unused if it has not been used for a specified period, in this case, 90 days.

Rationale

IAM access keys provide programmatic access to AWS resources. Retaining active keys that are no longer in use increases the risk that lost or compromised credentials could be exploited. By evaluating access keys directly (rather than IAM users), security teams can precisely identify which credentials require revocation.

Audit

This policy flags an AWS IAM Access Key as INCOMPLIANT if the Last Used Date field is empty or the date is more than 90 days ago.

Inactive Access Keys are marked as INAPPLICABLE.

Remediation

Open File

Remediation

Decommission Unused IAM Access Keys

Deactivate any unnecessary or unused IAM access keys to reduce the risk of unauthorized access.

From Command Line

Run the update-access-key command to deactivate an unused or non-operational IAM access key:
aws iam update-access-key \
    --access-key-id {{access-key-id}} \
    --status Inactive
After deactivation, verify that the key is no longer required by any applications or services. Once confirmed, consider deleting the access key to permanently remove it:
aws iam delete-access-key \
    --access-key-id {{access-key-id}}

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [IAM.8] Unused IAM user credentials should be removed			2	no data
💼 Cloudaware Framework → 💼 Credential Lifecycle Management			24	no data
💼 FedRAMP High Security Controls → 💼 AC-2 Account Management (L)(M)(H)	10	8	51	no data
💼 FedRAMP High Security Controls → 💼 AC-2(1) Automated System Account Management (M)(H)			26	no data
💼 FedRAMP High Security Controls → 💼 AC-2(3) Disable Accounts (M)(H)			6	no data
💼 FedRAMP High Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)		37	84	no data
💼 FedRAMP High Security Controls → 💼 AC-6 Least Privilege (M)(H)	8	11	79	no data
💼 FedRAMP Low Security Controls → 💼 AC-2 Account Management (L)(M)(H)			5	no data
💼 FedRAMP Low Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)			84	no data
💼 FedRAMP Moderate Security Controls → 💼 AC-2 Account Management (L)(M)(H)	9		51	no data
💼 FedRAMP Moderate Security Controls → 💼 AC-2(1) Automated System Account Management (M)(H)			26	no data
💼 FedRAMP Moderate Security Controls → 💼 AC-2(3) Disable Accounts (M)(H)			6	no data
💼 FedRAMP Moderate Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)			84	no data
💼 FedRAMP Moderate Security Controls → 💼 AC-6 Least Privilege (M)(H)	6		79	no data
💼 NIST CSF v2.0 → 💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events			180	no data
💼 NIST CSF v2.0 → 💼 DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse events			100	no data
💼 NIST CSF v2.0 → 💼 PR.AA-01: Identities and credentials for authorized users, services, and hardware are managed by the organization			43	no data
💼 NIST CSF v2.0 → 💼 PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties			133	no data
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected			184	no data
💼 NIST CSF v2.0 → 💼 PR.IR-01: Networks and environments are protected from unauthorized logical access and usage			123	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-2 Account Management	13	20	50	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-2(1) Account Management _ Automated System Account Management		4	26	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-2(3) Account Management _ Disable Accounts		1	6	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-3 Access Enforcement	15	5	59	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-3(7) Access Enforcement _ Role-based Access Control			31	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-3(15) Access Enforcement _ Discretionary and Mandatory Access Control			21	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-6 Least Privilege	10	23	72	no data
💼 PCI DSS v3.2.1 → 💼 8.1.4 Remove/disable inactive user accounts within 90 days.			2	no data
💼 PCI DSS v4.0.1 → 💼 8.2.6 Inactive user accounts are removed or disabled within 90 days of inactivity.			2	no data
💼 PCI DSS v4.0 → 💼 8.2.6 Inactive user accounts are removed or disabled within 90 days of inactivity.			2	no data

Logic​

Similar Policies​

Description​

Description​

Rationale​

Audit​

Remediation​

Remediation​

Decommission Unused IAM Access Keys​

From Command Line​

policy.yaml​

Linked Framework Sections​

Logic

Similar Policies

Description

Description

Rationale

Audit

Remediation

Remediation

Decommission Unused IAM Access Keys

From Command Line

policy.yaml

Linked Framework Sections