Implement a rule to disable credentials unused for 90 days or longer.
Rule: Ensure credentials unused for 90 days or greater are disabled
Framework: cis_v130
Severity: Critical
Ensure Credentials Unused for 90 Days or Greater are Disabled for CIS v1.3.0
Overview
In compliance with the Center for Internet Security (CIS) AWS Foundations Benchmark v1.3.0, it's crucial to disable AWS credentials that have not been used for 90 days or more. This practice minimizes the attack surface by ensuring that old, possibly forgotten credentials can't be used to gain unauthorized access to your AWS resources.
Rule Description
The rule requires that all IAM users' credentials—passwords and access keys—must be regularly rotated and old credentials disabled to prevent unauthorized access. If credentials have not been utilized in the last 90 days, they should be considered stale and thus disabled or removed entirely to uphold security best practices.
Troubleshooting Steps
If you encounter issues where credentials are not being correctly monitored or disabled, follow these steps:
Verify Credential Report Generation: Make sure you have a credential report generated in your IAM dashboard.
Analyze Report: Check access_key_1_last_used_date and access_key_2_last_used_date for access keys, and password_last_used for passwords, in the credential report to identify unused credentials.
Review IAM Policies and Roles: Confirm that there are no IAM policies or roles preventing the disabling or rotation of credentials.
Check for Automation Scripts: Look for Lambda functions, Systems Manager documents, or other automation scripts that might automatically disable credentials, and ensure they are functioning as expected.
Remediation Guide
Step-by-Step Remediation
1. Generate a Credential Report
First, generate a credential report in AWS, which provides a snapshot of your account's user security status.
aws iam generate-credential-report
2. Obtain the Credential Report
Retrieve the credential report, which will be in CSV format.
aws iam get-credential-report --query 'Content' --output text | base64 --decode > credential_report.csv
3. Analyze the Report
Inspect the report for any credentials (access keys and passwords) that haven't been used in the last 90 days.
# The report is plain CSV: compare the password_last_used, access_key_1_last_used_date and access_key_2_last_used_date columns against the date 90 days ago. The AWS CLI has no built-in filter for this, so a short custom script is needed to parse the dates from the CSV.
4. Disable Unused Credentials
For any users identified in the previous step, disable the unused credentials.
aws iam update-access-key --access-key-id [ACCESS_KEY_ID] --status Inactive --user-name [USER_NAME]
aws iam delete-access-key --access-key-id [ACCESS_KEY_ID] --user-name [USER_NAME]
aws iam delete-login-profile --user-name [USER_NAME]
Note that this will prevent the user from logging in with a password and they will need to create a new one.
5. Automate the Process
Consider implementing a scheduled AWS Lambda function that runs a script to identify and disable credentials older than 90 days.
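As an added, runnable example (not part of this rule page, the benchmark, or any AWS tooling), the script below performs the analysis of step 3 offline: it parses a credential report CSV like the one saved in step 2 and lists every still-enabled password or access key that is stale under the benchmark's audit logic, i.e. last used 90 or more days ago or, if never used, last changed/rotated 90 or more days ago. The column names are those of the real credential report; the sample rows, the account ID 111122223333 and the fixed "today" are constructed so the run is deterministic, and the same function body can be dropped into the scheduled Lambda suggested in step 5.

```python
import csv
import io
from datetime import datetime, timezone

THRESHOLD_DAYS = 90
# Strings the credential report emits where no timestamp exists.
NO_DATE = {"N/A", "no_information", "not_supported", ""}

def parse_ts(value):
    """Return an aware datetime, or None when the field holds no timestamp."""
    if value in NO_DATE:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def days_since(last_used, fallback, now):
    """Days since last use or, for a credential never used, since it was last
    changed/rotated (the benchmark's audit logic). None when neither date exists."""
    ref = parse_ts(last_used) or parse_ts(fallback)
    return None if ref is None else (now - ref).days

def find_stale_credentials(report_csv, now, threshold=THRESHOLD_DAYS):
    """Return (user, credential, days_unused) for every enabled credential that is stale.
    Disabled passwords/keys and rows without dates (e.g. the root line) are skipped."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        checks = [("password", row["password_enabled"],
                   row["password_last_used"], row["password_last_changed"])]
        for n in ("1", "2"):
            checks.append((f"access_key_{n}", row[f"access_key_{n}_active"],
                           row[f"access_key_{n}_last_used_date"], row[f"access_key_{n}_last_rotated"]))
        for name, enabled, last_used, fallback in checks:
            days = days_since(last_used, fallback, now)
            if enabled == "true" and days is not None and days >= threshold:
                findings.append((user, name, days))
    return findings

# Constructed sample report (real reports carry more columns; DictReader ignores extras).
SAMPLE_REPORT = """\
user,arn,password_enabled,password_last_used,password_last_changed,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,not_supported,2024-05-01T09:00:00+00:00,not_supported,false,N/A,N/A,false,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,true,2024-05-20T08:15:00+00:00,2024-01-02T10:00:00+00:00,true,2024-02-01T00:00:00+00:00,2024-05-25T13:00:00+00:00,false,N/A,N/A
bob,arn:aws:iam::111122223333:user/bob,true,2023-12-01T08:15:00+00:00,2023-11-01T10:00:00+00:00,true,2023-10-01T00:00:00+00:00,2023-12-15T10:00:00+00:00,true,2024-01-15T00:00:00+00:00,N/A
svc-deploy,arn:aws:iam::111122223333:user/svc-deploy,false,no_information,no_information,true,2024-05-01T00:00:00+00:00,N/A,false,N/A,N/A
"""
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)  # fixed "today" so the run is deterministic
if __name__ == "__main__":
    for user, cred, days in find_stale_credentials(SAMPLE_REPORT, NOW):
        print(f"{user}: {cred} unused for {days} days -> disable/delete per the remediation steps")
```

The credential report does not contain access key IDs, so for each flagged access_key_N the key ID to pass to update-access-key or delete-access-key must be looked up with aws iam list-access-keys --user-name [USER_NAME].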
Necessary AWS IAM Permissions
To execute these commands, your IAM user will need the following permissions: iam:GenerateCredentialReport, iam:GetCredentialReport, iam:UpdateAccessKey, iam:DeleteAccessKey, and iam:DeleteLoginProfile.
Final Verification
After performing the remediation steps, generate a new credential report and verify that no credentials have remained unused for over 90 days.
CLI Commands
Generate Credential Report:
aws iam generate-credential-report
Get Credential Report:
aws iam get-credential-report --query 'Content' --output text | base64 --decode > credential_report.csv
Disable Unused Access Key:
aws iam update-access-key --access-key-id [ACCESS_KEY_ID] --status Inactive --user-name [USER_NAME]
Delete Unused Access Key:
aws iam delete-access-key --access-key-id [ACCESS_KEY_ID] --user-name [USER_NAME]
Delete User's Password:
aws iam delete-login-profile --user-name [USER_NAME]
The above set of steps and CLI commands should help you adhere to the CIS AWS Foundations Benchmark's recommendation of disabling credentials that have been unused for 90 days or greater.