AWS credentials (IAM user name/passwords, IAM access keys) unused for 90 days or more should be disabled


AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. It is recommended that all credentials that have not been used in 90 or more days be removed or deactivated.

Console Remediation Steps

  • Navigate to Identity and Access Management (IAM).

  • In the left navigation, click Users.

  • Click the gear icon > select Access key last used.

  • For each user that has not used their credentials in 90 days:

    • Select the user name.

    • On the Security Credentials tab, click Make Inactive for credentials that have not been used in 90 days.

    • Optionally, click the X to delete the inactive credentials.

CLI Remediation Steps

  • Set access keys older than 90 days to Inactive:

    • aws iam update-access-key --access-key-id <key-id> --status Inactive

  • Alternatively, the access key can be deleted:

    • aws iam delete-access-key --access-key-id <key-id>

  • Remove passwords older than 90 days:

    • aws iam delete-login-profile --user-name <name>

  • Alternatively, the password can be reset and the user required to reset it. The existing password must be deleted first:

    • aws iam create-login-profile --user-name <name> --password <new-password> --password-reset-required