🛡️ AWS IAM Access Key is unused🟢

• Contextual name: 🛡️ IAM Access Key is unused🟢
• ID: /ce/ca/aws/iam/access-key-unused
• Tags:
  • 🟢 Policy with categories
  • 🟢 Policy with type
  • 🟢 Production policy
• Policy Type: BEST_PRACTICE
• Policy Categories: SECURITY

Logic

• 🧠 prod.logic.yaml🟢
  • 📗 AWS IAM Access Key
  • 🔌 AWS IAM Access Key - object.extracts.yaml
  • 🧪 test-data.json

Similar Policies

• AWS Security Hub: [IAM.8] Unused IAM user credentials should be removed
• Cloud Conformity: Unnecessary Access Keys

Description

Open File

Description

Identify and remove unused IAM access keys to protect AWS resources from unauthorized access. An IAM user access key pair is considered unused if it has not been used for a specified period, in this case, 90 days.

Rationale

IAM access keys provide programmatic access to AWS resources. Retaining active keys that are no longer in use increases the risk that lost or compromised credentials could be exploited. By evaluating access keys directly (rather than IAM users), security teams can precisely identify which credentials require revocation.

Audit

This policy flags an AWS IAM Access Key as INCOMPLIANT if the Last Used Date field is empty or the date is more than 90 days ago.

Inactive Access Keys are marked as INAPPLICABLE.

Remediation

Open File

Remediation

Decommission Unused IAM Access Keys

Deactivate any unnecessary or unused IAM access keys to reduce the risk of unauthorized access.

From Command Line

Run the update-access-key command to deactivate an unused or non-operational IAM access key:

aws iam update-access-key \
    --access-key-id {{access-key-id}} \
    --status Inactive

After deactivation, verify that the key is no longer required by any applications or services. Once confirmed, consider deleting the access key to permanently remove it:

aws iam delete-access-key \
    --access-key-id {{access-key-id}}

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [IAM.8] Unused IAM user credentials should be removed			2		no data
💼 Cloudaware Framework → 💼 Credential Lifecycle Management			32		no data
💼 FedRAMP High Security Controls → 💼 AC-2 Account Management (L)(M)(H)	10	8	59		no data
💼 FedRAMP High Security Controls → 💼 AC-2(1) Automated System Account Management (M)(H)			32		no data
💼 FedRAMP High Security Controls → 💼 AC-2(3) Disable Accounts (M)(H)			6		no data
💼 FedRAMP High Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)		37	90		no data
💼 FedRAMP High Security Controls → 💼 AC-6 Least Privilege (M)(H)	8	12	85		no data
💼 FedRAMP Low Security Controls → 💼 AC-2 Account Management (L)(M)(H)			9		no data
💼 FedRAMP Low Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)			90		no data
💼 FedRAMP Moderate Security Controls → 💼 AC-2 Account Management (L)(M)(H)	9		59		no data
💼 FedRAMP Moderate Security Controls → 💼 AC-2(1) Automated System Account Management (M)(H)			32		no data
💼 FedRAMP Moderate Security Controls → 💼 AC-2(3) Disable Accounts (M)(H)			6		no data
💼 FedRAMP Moderate Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)			90		no data
💼 FedRAMP Moderate Security Controls → 💼 AC-6 Least Privilege (M)(H)	6		85		no data
💼 NIST CSF v2.0 → 💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events			185		no data
💼 NIST CSF v2.0 → 💼 DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse events			105		no data
💼 NIST CSF v2.0 → 💼 PR.AA-01: Identities and credentials for authorized users, services, and hardware are managed by the organization			47		no data
💼 NIST CSF v2.0 → 💼 PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties			144		no data
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected			197		no data
💼 NIST CSF v2.0 → 💼 PR.IR-01: Networks and environments are protected from unauthorized logical access and usage			129		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-2 Account Management	13	21	58		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-2(1) Account Management _ Automated System Account Management		4	32		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-2(3) Account Management _ Disable Accounts		1	6		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-3 Access Enforcement	15	6	66		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-3(7) Access Enforcement _ Role-based Access Control			36		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-3(15) Access Enforcement _ Discretionary and Mandatory Access Control			27		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-6 Least Privilege	10	23	78		no data
💼 PCI DSS v3.2.1 → 💼 8.1.4 Remove/disable inactive user accounts within 90 days.			2		no data
💼 PCI DSS v4.0.1 → 💼 8.2.6 Inactive user accounts are removed or disabled within 90 days of inactivity.			2		no data
💼 PCI DSS v4.0 → 💼 8.2.6 Inactive user accounts are removed or disabled within 90 days of inactivity.			2		no data