Skip to main content

πŸ“ AWS IAM User with credentials unused for 45 days or more is not disabled 🟒

  • Contextual name: πŸ“ User with credentials unused for 45 days or more is not disabled 🟒
  • ID: /ce/ca/aws/iam/disable-user-with-unused-credentials-45-days-and-more
  • Located in: πŸ“ AWS IAM

Flags​

Our Metadata​

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • SECURITY

Similar Policies​

Similar Internal Rules​

RulePoliciesFlags
βœ‰οΈ dec-x-ac93bf151

Logic​

Description​

Open File

Description​

AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. It is recommended that all credentials that have been unused in 45 or greater days be deactivated or removed.

Rationale​

Disabling or removing unnecessary credentials will reduce the window of opportunity for credentials associated with a compromised or abandoned account to be used.

Audit​

Perform the following to determine if unused credentials exist:

From Console​
  1. Login to the AWS Management Console.
  2. Click Services.
  3. Click IAM.
  4. Click on Users.
  5. Click the Settings (gear) icon.
  6. Select Console last sign-in, Access key last used, and Access Key Id.
  7. Click on Close.
  8. Check and ensure that Console last sign-in is less than 45 days ago.

Note: Never means the user has never logged in.

  1. Check and ensure that Access key age is less than 45 days and that Access key last used does not say None.

If the user hasn't signed into the Console in the last 45 days or Access keys are over 45 days old refer to the remediation.

... see more

Remediation​

Open File

Remediation​

From Console​

Perform the following to manage Unused Password (IAM user console access):

  1. Login to the AWS Management Console.
  2. Click Services.
  3. Click IAM.
  4. Click on Users.
  5. Click on Security Credentials.
  6. Select user whose Console last sign-in is greater than 45 days.
  7. Click Security credentials.
  8. In section Sign-in credentials, Console password click Manage.
  9. Under Console Access select Disable.
  10. Click Apply.

Perform the following to deactivate Access Keys:

  1. Login to the AWS Management Console.
  2. Click Services.
  3. Click IAM.
  4. Click on Users.
  5. Click on Security Credentials.
  6. Select any access keys that are over 45 days old and that have been used and click on Make Inactive.
  7. Select any access keys that are over 45 days old and that have not been used and click the X to Delete.

policy.yaml​

Open File

Linked Framework Sections​

SectionSub SectionsInternal RulesPoliciesFlags
πŸ’Ό AWS Foundational Security Best Practices v1.0.0 β†’ πŸ’Ό [IAM.8] Unused IAM user credentials should be removed1
πŸ’Ό CIS AWS v1.4.0 β†’ πŸ’Ό 1.12 Ensure credentials unused for 45 days or greater are disabled1
πŸ’Ό CIS AWS v1.5.0 β†’ πŸ’Ό 1.12 Ensure credentials unused for 45 days or greater are disabled - Level 1 (Automated)1
πŸ’Ό CIS AWS v2.0.0 β†’ πŸ’Ό 1.12 Ensure credentials unused for 45 days or greater are disabled - Level 1 (Automated)1
πŸ’Ό CIS AWS v3.0.0 β†’ πŸ’Ό 1.12 Ensure credentials unused for 45 days or greater are disabled - Level 1 (Automated)1
πŸ’Ό CIS AWS v4.0.0 β†’ πŸ’Ό 1.12 Ensure credentials unused for 45 days or more are disabled (Automated)1
πŸ’Ό CIS AWS v4.0.1 β†’ πŸ’Ό 1.12 Ensure credentials unused for 45 days or more are disabled (Automated)1
πŸ’Ό CIS AWS v5.0.0 β†’ πŸ’Ό 1.11 Ensure credentials unused for 45 days or more are disabled (Automated)1
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό Credential Lifecycle Management18
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-2 Account Management (L)(M)(H)10931
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-2(1) Automated System Account Management (M)(H)16
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-2(3) Disable Accounts (M)(H)4
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-3 Access Enforcement (L)(M)(H)3546
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-6 Least Privilege (M)(H)81133
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό AC-2 Account Management (L)(M)(H)3
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό AC-3 Access Enforcement (L)(M)(H)46
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-2 Account Management (L)(M)(H)931
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-2(1) Automated System Account Management (M)(H)16
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-2(3) Disable Accounts (M)(H)4
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-3 Access Enforcement (L)(M)(H)46
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-6 Least Privilege (M)(H)633
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.CM-01: Networks and network services are monitored to find potentially adverse events83
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse events59
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.AA-01: Identities and credentials for authorized users, services, and hardware are managed by the organization23
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties57
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected66
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.IR-01: Networks and environments are protected from unauthorized logical access and usage40
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-2 Account Management131730
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-2(1) Account Management _ Automated System Account Management416
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-2(3) Account Management _ Disable Accounts14
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-3 Access Enforcement15417
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-3(7) Access Enforcement _ Role-based Access Control7
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-3(15) Access Enforcement _ Discretionary and Mandatory Access Control10
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-6 Least Privilege102126
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 8.1.4 Remove/disable inactive user accounts within 90 days.1
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 8.2.6 Inactive user accounts are removed or disabled within 90 days of inactivity.1
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 8.2.6 Inactive user accounts are removed or disabled within 90 days of inactivity.1