🛡️ AWS IAM User has no active credentials🟢

• Contextual name: 🛡️ User has no active credentials🟢
• ID: /ce/ca/aws/iam/user-unused
• Tags:
  • 🟢 Policy with categories
  • 🟢 Policy with type
  • 🟢 Production policy
• Policy Type: BEST_PRACTICE
• Policy Categories: SECURITY

Logic

• 🧠 prod.logic.yaml🟢
  • 📗 AWS IAM User
  • 🔌 AWS IAM User - credReport.extracts.yaml
  • 🔌 AWS IAM User - object.extracts.yaml
  • 🧪 test-data.json

Similar Policies

• Cloud Conformity: Unused IAM User

Description

Open File

Description

Identify AWS IAM users that exist in the account but do not have an enabled console password and do not have any active programmatic access keys.

Rationale

Although IAM users without active credentials cannot currently be used to access AWS resources, their continued presence introduces several risks:

1. Administrative Overhead: These users add unnecessary clutter to the IAM console, credential reports, and access reviews.
2. Permission Creep: If such users remain members of IAM groups or have inline policies attached, those permissions could become immediately effective if a password or access key is later created.
3. Security Blind Spots: Dormant accounts are rarely monitored. An attacker with iam:CreateAccessKey permissions could exploit these users to establish persistence without triggering alerts for an active human user.

Audit

This policy marks an AWS IAM User as INCOMPLIANT if all of the following Cred Report Attributes are set to false:

• password_enabled
• access_key_1_active

... see more

Remediation

Open File

Remediation

Remove Unused IAM Users

Remove IAM users that do not have an enabled console password or active programmatic access keys to reduce administrative overhead and minimize the identity attack surface.

From Console

1. Sign in to the AWS Management Console.
2. Navigate to the IAM service.
3. In the left navigation pane, choose Users.
4. Select the IAM user you want to remove (refer to the Audit section to identify applicable users).
5. From the User actions dropdown menu, select Delete user.
6. In the Delete user dialog, review the associated resources and confirm by selecting Yes, delete.
7. Repeat steps 4–6 for each unused IAM user in the account.

From Command Line

Run the delete-user command to remove a specified IAM user:

aws iam delete-user \
    --user-name {{user-name}}

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 AWS Well-Architected → 💼 SEC03-BP06 Manage access based on lifecycle			2		no data
💼 Cloudaware Framework → 💼 Credential Lifecycle Management			23		no data