AWS credentials (IAM user name/passwords, IAM access keys) unused for 90 days or more should be disabled

Description

AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. It is recommended that all credentials that have not been used in 90 or more days be removed or deactivated.

Console Remediation Steps

  • Navigate to Identity and Access Management (IAM).

  • In the left navigation, click Users.

  • Click the gear icon > select Access key last used.

  • For users that have not used their credentials in 90 days, check the box next to the user’s name and click Delete user.

CLI Remediation Steps

  • Set access keys older than 90 days to Inactive:

    • aws iam update-access-key --access-key-id <key-id> --status Inactive

  • Alternatively, the access key can be deleted:

    • aws iam delete-access-key --access-key-id <key-id>

  • Remove passwords older than 90 days:

    • aws iam delete-login-profile --user-name <name>

  • Alternatively, the password can be reset and the user required to reset it. The existing password must be deleted first:

    • aws iam create-login-profile --user-name <name> --password <new-password> --password-reset-required