This rule requires that credentials unused for 45 days or more be disabled, in keeping with strict access control practices.

| Field | Value |
|---|---|
| Rule | Ensure credentials unused for 45 days or greater are disabled |
| Framework | cis_v140 |
| Severity | High |
Ensuring Credentials Unused for 45 Days or Greater are Disabled for CIS v1.4.0
Description of the Rule
The CIS (Center for Internet Security) AWS Foundations Benchmark v1.4.0 is a set of security configuration best practices for AWS. One of its recommendations (Section 1.3) states that AWS account credentials (passwords and access keys) that have not been used within the last 45 days should be disabled. This minimizes the risk posed by dormant credentials, which an unauthorized user could exploit unnoticed because the legitimate owner is not using them.
Troubleshooting Steps
If the credentials have not been disabled after 45 days of inactivity, you may need to troubleshoot by checking:
Remediation Steps
To enforce this rule, perform the following steps:
Step 1: Identify Inactive Credentials
Using the AWS Management Console:
Using the AWS CLI:
aws iam generate-credential-report
aws iam get-credential-report --query 'Content' --output text | base64 --decode
The first command starts generation of the credential report (it returns a state such as STARTED or COMPLETE); the second retrieves the base64-encoded report and decodes it to CSV. Generation is asynchronous, so if the second command reports that no report is present yet, re-run it after a short wait. Review the CSV for any passwords or access keys whose last-used date is more than 45 days old.
Step 2: Disable Inactive Credentials
For users with credentials that have not been used in the last 45 days:
Using the AWS Management Console:
Using the AWS CLI:
To deactivate an access key:
aws iam update-access-key --access-key-id <ACCESS_KEY_ID> --status Inactive --user-name <USER_NAME>
To disable console password access (IAM has no separate "disabled" state for passwords; removing the login profile revokes the password):
aws iam delete-login-profile --user-name <USER_NAME>
Step 3: Automate the Process
To automate the process of identifying and disabling inactive credentials, consider the following:
An example AWS Config rule definition for detecting unused credentials. It uses the AWS managed rule IAM_USER_UNUSED_CREDENTIALS_CHECK, which flags IAM users with a password or an active access key that has not been used within the number of days given by its maxCredentialUsageAge parameter (the original page named a non-existent source identifier; this is the managed rule that implements the check). Save it as a file and load it with aws configservice put-config-rule --config-rule file://rule.json; note that InputParameters must be passed as a JSON string:
{
  "ConfigRuleName": "unused-credentials-check",
  "Description": "Checks if IAM credentials have been unused for 45 days or greater",
  "Scope": {
    "ComplianceResourceTypes": [
      "AWS::IAM::User"
    ]
  },
  "Source": {
    "Owner": "AWS",
    "SourceIdentifier": "IAM_USER_UNUSED_CREDENTIALS_CHECK"
  },
  "InputParameters": "{\"maxCredentialUsageAge\":\"45\"}",
  "MaximumExecutionFrequency": "TwentyFour_Hours"
}
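As an added example (not code from the original page), the following Python script applies the 45-day check of Steps 1 and 3 to a decoded credential report: it reads the CSV, treats an active password or access key as stale when its last use is 45 or more days old and, for a credential that has never been used, falls back to its last-changed or last-rotated date (the way the CIS audit procedure does). The sample report, the pinned "now" timestamp, and the reduced column set are constructed assumptions; the real report has the same column names plus others.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

MAX_UNUSED_DAYS = 45

# Constructed sample in the credential report's CSV layout (subset of its columns).
# "now" is pinned so the example is deterministic.
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)
SAMPLE_REPORT = """user,arn,password_enabled,password_last_used,password_last_changed,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
alice,arn:aws:iam::111122223333:user/alice,true,2024-02-20T09:00:00+00:00,2023-12-01T09:00:00+00:00,true,2023-11-01T00:00:00+00:00,2024-02-28T12:00:00+00:00,false,N/A,N/A
bob,arn:aws:iam::111122223333:user/bob,true,2023-12-01T09:00:00+00:00,2023-06-01T09:00:00+00:00,true,2023-06-01T00:00:00+00:00,N/A,false,N/A,N/A
ci-bot,arn:aws:iam::111122223333:user/ci-bot,false,not_supported,N/A,true,2023-05-01T00:00:00+00:00,2023-05-02T00:00:00+00:00,true,2024-02-01T00:00:00+00:00,2024-02-27T00:00:00+00:00
"""


def _parse(ts):
    """Return an aware datetime, or None for the report's N/A-style placeholders."""
    if ts in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(ts)


def _stale(last_used, fallback, now):
    """Stale = last use (or, if never used, last change/rotation) is >= 45 days ago."""
    ref = _parse(last_used) or _parse(fallback)
    return ref is not None and now - ref >= timedelta(days=MAX_UNUSED_DAYS)


def find_stale_credentials(report_csv, now=NOW):
    """Return (user, credential) pairs that violate the 45-day rule."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        # Password: only checked when console login is enabled for the user.
        if row["password_enabled"] == "true" and _stale(
                row["password_last_used"], row["password_last_changed"], now):
            findings.append((user, "password"))
        # Access keys: only active keys count; inactive ones are already disabled.
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] == "true" and _stale(
                    row[f"access_key_{n}_last_used_date"],
                    row[f"access_key_{n}_last_rotated"], now):
                findings.append((user, f"access_key_{n}"))
    return findings


if __name__ == "__main__":
    for user, cred in find_stale_credentials(SAMPLE_REPORT):
        print(f"{user}: {cred} unused for {MAX_UNUSED_DAYS}+ days")
```

Each finding maps directly onto a Step 2 action: a password finding to delete-login-profile, an access key finding to update-access-key --status Inactive.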
Note
By following these steps and ensuring that inactive credentials are consistently managed, you can maintain a strong security posture in your AWS environment.