Medium
IAM
Unused IAM user credentials should be removed
CIS, NIST, PCI DSS
Description
Checks whether IAM users have a console password or active access keys that have not been used in the last 90 days. Disabling or removing credentials that are no longer needed shrinks the window in which credentials belonging to a compromised or abandoned account can be used.
Remediation
To remove unused IAM user credentials and disable console password sign-in, follow these steps:
Steps
- Log into the AWS Management Console with an identity that has IAM administrative permissions.
- Navigate to the IAM dashboard and select 'Users' from the navigation pane. The IAM credential report (also reachable from the navigation pane) lists the password and access key last-used dates for every user in one CSV, which is faster than opening users one at a time.
- Click the user name and open the 'Security credentials' tab.
- Under the 'Access keys' section, check the 'Last used' date. Keys that have not been used in the last 90 days (the threshold this check applies) are candidates for removal; a key with no last-used date has never been used, so judge it by its creation date instead.
- Communicate with the IAM user (if necessary) so they are aware of the credential changes, and coordinate the creation of new credentials if any are still needed.
- To remove an access key, click 'Make inactive' for keys that are not currently in use, confirm that nothing breaks, and then 'Delete' to permanently remove them. Deactivating first matters: an inactive key can be re-enabled if a dependency turns up, a deleted key cannot be recovered.
- Under the 'Security credentials' tab, check whether console sign-in is enabled. If the password has not been used in the last 90 days, disable console sign-in by choosing 'Disable console access'.
- Additionally, review the user's other credentials: SSH public keys for CodeCommit, HTTPS Git credentials for AWS CodeCommit, and signing certificates. Remove any that are outdated or unused.
- Regularly audit IAM user credentials to ensure compliance with your organization's security policies and practices.
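The same procedure, scripted against the IAM credential report and the IAM API, as an added example (not the page's own code or an AWS-supplied tool). It finds passwords and access keys idle for 90 days or more, then performs the remediation steps above through boto3, deactivating keys first and deleting only when asked. The credential report and the fixed "current" time are constructed sample data; the convention of measuring a never-used credential from its creation or rotation date is an assumption stated in the code.

```python
"""Find and remediate IAM user credentials idle for 90 days or more.

Added example, not the page's own code. It applies the check's 90-day rule to an
IAM credential report (the CSV that `aws iam get-credential-report` returns) and
carries out the remediation steps above through boto3. SAMPLE_REPORT and NOW are
constructed sample data; the certificate columns of the real report are omitted.
"""
import csv
import io
import time
from datetime import datetime, timezone

MAX_IDLE_DAYS = 90
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed "current" time

SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,2023-01-10T09:00:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,2022-03-01T00:00:00+00:00,true,2024-05-28T14:00:00+00:00,2024-03-01T00:00:00+00:00,N/A,true,true,2024-03-01T00:00:00+00:00,2024-05-30T10:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A
bob,arn:aws:iam::123456789012:user/bob,2021-06-15T00:00:00+00:00,true,2023-11-01T08:00:00+00:00,2023-10-01T00:00:00+00:00,N/A,false,true,2023-10-01T00:00:00+00:00,2024-02-10T10:00:00+00:00,eu-west-1,ec2,false,N/A,N/A,N/A,N/A
svc-deploy,arn:aws:iam::123456789012:user/svc-deploy,2023-01-20T00:00:00+00:00,false,N/A,N/A,N/A,false,true,2023-01-20T00:00:00+00:00,N/A,N/A,N/A,true,2024-05-01T00:00:00+00:00,2024-05-31T12:00:00+00:00,us-west-2,lambda
carol,arn:aws:iam::123456789012:user/carol,2024-05-15T00:00:00+00:00,true,no_information,2024-05-15T00:00:00+00:00,N/A,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A
"""


def _parse_ts(value):
    """Report timestamps are ISO 8601; N/A, no_information, not_supported mean none."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def _idle_days(last_used, fallback, now):
    """Days since last use. A never-used credential is measured from its creation or
    rotation date (assumption: the usual audit convention for this control)."""
    ref = last_used or fallback
    return None if ref is None else (now - ref).days


def find_idle_credentials(report_csv, now=NOW, max_idle=MAX_IDLE_DAYS):
    """Return [(user, credential, idle_days)] for IAM users; root is a separate check."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":
            continue
        if row["password_enabled"] == "true":
            days = _idle_days(_parse_ts(row["password_last_used"]),
                              _parse_ts(row["user_creation_time"]), now)
            if days is not None and days >= max_idle:
                findings.append((user, "password", days))
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            days = _idle_days(_parse_ts(row[f"access_key_{slot}_last_used_date"]),
                              _parse_ts(row[f"access_key_{slot}_last_rotated"]), now)
            if days is not None and days >= max_idle:
                findings.append((user, f"access_key_{slot}", days))
    return findings


def remediate(iam, findings, now=NOW, max_idle=MAX_IDLE_DAYS, dry_run=True, delete=False):
    """Apply the console steps through the IAM API; returns the actions planned or taken.

    The report carries no access key IDs, so each flagged user's keys are listed and
    re-checked one by one (never-used keys fall back to CreateDate), which leaves a
    key that is still in use untouched even when its sibling is idle. Keys are only
    deactivated unless delete=True: an inactive key can be re-enabled, a deleted one cannot.
    """
    actions, key_users = [], []
    for user, cred, _ in findings:
        if cred == "password":
            actions.append(("delete_login_profile", user))  # removes console sign-in
            if not dry_run:
                iam.delete_login_profile(UserName=user)
        elif user not in key_users:
            key_users.append(user)
    for user in key_users:
        for key in iam.list_access_keys(UserName=user)["AccessKeyMetadata"]:
            if key["Status"] != "Active":
                continue
            last = iam.get_access_key_last_used(AccessKeyId=key["AccessKeyId"])
            if _idle_days(last["AccessKeyLastUsed"].get("LastUsedDate"),
                          key["CreateDate"], now) < max_idle:
                continue
            actions.append(("deactivate_access_key", user, key["AccessKeyId"]))
            if not dry_run:
                iam.update_access_key(UserName=user, AccessKeyId=key["AccessKeyId"],
                                      Status="Inactive")
            if delete:
                actions.append(("delete_access_key", user, key["AccessKeyId"]))
                if not dry_run:
                    iam.delete_access_key(UserName=user, AccessKeyId=key["AccessKeyId"])
    return actions


if __name__ == "__main__":  # real run; needs credentials with IAM read and write rights
    import boto3

    iam = boto3.client("iam")
    while iam.generate_credential_report()["State"] != "COMPLETE":
        time.sleep(2)
    now = datetime.now(timezone.utc)
    report = iam.get_credential_report()["Content"].decode()
    for action in remediate(iam, find_idle_credentials(report, now), now, dry_run=True):
        print(*action)
```

On the sample data the script flags bob's password and first access key and svc-deploy's never-used first key, while leaving alice (recently active), carol (a 17-day-old user whose password shows no_information) and svc-deploy's second key alone. Run it with dry_run=True first and review the planned actions; switch to dry_run=False to deactivate, and add delete=True only once the deactivated keys have sat idle without complaints.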
Compliance
CIS, NIST, PCI DSS