IAM user credentials should be removed if not used within 45 days
Description
This control checks whether IAM users have passwords or active access keys that have not been used for 45 days or more. Users can access AWS resources using various credentials, including console passwords and access keys. The CIS AWS Foundations Benchmark recommends removing or deactivating all credentials that have been unused for 45 days or more. Disabling or removing unnecessary credentials shrinks the window in which a compromised or abandoned account can be abused. The underlying AWS Config rule uses the GenerateCredentialReport and GetCredentialReport API operations. A credential report can be regenerated at most once every four hours, so changes to IAM users may take up to four hours to be reflected in this control's findings.
Remediation
To remediate unused IAM user credentials, you need to remove or deactivate credentials that have been unused for 45 days or more.
Steps
- Navigate to the AWS IAM console
- Download the account credential report (Credential report in the left navigation); it is one CSV covering every user, with last-used dates for the console password and each access key
- Identify users whose enabled password or active access keys have not been used for 45 or more days (the Users list also shows Last activity and Access key last used per user for a quick check)
- For unused passwords: delete the console password, or reset it and require a change at next sign-in if the user still needs console access
- For unused access keys: deactivate first and delete only after confirming nothing depends on the key; a deactivated key can be re-enabled, a deleted one cannot
- Consider removing the entire user if no longer needed
- Document the credential removal for audit purposes
- Set up automated monitoring for future unused credentials, for example the AWS Config managed rule iam-user-unused-credentials-check with maxCredentialUsageAge set to 45
- Review and update IAM practices to prevent credential accumulation: prefer IAM roles and temporary credentials over long-lived user access keys
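One way to carry out the review and remediation programmatically, as an added example that is not part of this control's text or of any AWS tool: the script below parses a credential report CSV (a constructed sample is embedded) with the standard library only, flags enabled passwords and active access keys unused for 45 days or more, and, when handed a boto3 IAM client, fetches the live report and deactivates keys or deletes console passwords. The names `find_unused`, `fetch_report`, `remediate`, `demo` and the sample users are this example's own; treating a never-used credential as aged from its creation or last-rotation date is an assumption made here.

```python
"""Added example: flag and remediate IAM user credentials unused for 45+ days.

Not part of the control text or any AWS tool. Parsing needs only the standard
library; fetch_report() and remediate() expect a boto3 IAM client and are only
called when run against a real account.
"""
import csv
import io
import time
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MAX_AGE_DAYS = 45  # threshold used by the control

# Report field values that mean "no recorded use / not applicable".
_NO_DATE = {"N/A", "no_information", "not_supported", ""}


def _parse_ts(value: str):
    """Parse an ISO 8601 report timestamp such as 2024-05-28T09:00:00+00:00, or return None."""
    if value in _NO_DATE:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S%z")


@dataclass(frozen=True)
class Finding:
    user: str
    credential: str        # "password", "access_key_1" or "access_key_2"
    last_activity: datetime
    days_unused: int


def find_unused(report_csv: str, now: datetime, max_age_days: int = MAX_AGE_DAYS):
    """Return a Finding for every enabled password / active key unused >= max_age_days.

    Assumption made in this example: a credential with no recorded use is aged from
    its creation or last-rotation date, so a key that was issued and forgotten is caught.
    """
    cutoff = now - timedelta(days=max_age_days)
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] == "<root_account>":
            continue  # root credentials are covered by separate controls
        candidates = []
        if row["password_enabled"] == "true":
            last = _parse_ts(row["password_last_used"]) or _parse_ts(row["password_last_changed"])
            candidates.append(("password", last))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] == "true":
                last = (_parse_ts(row[f"access_key_{n}_last_used_date"])
                        or _parse_ts(row[f"access_key_{n}_last_rotated"]))
                candidates.append((f"access_key_{n}", last))
        for name, last in candidates:
            last = last or _parse_ts(row["user_creation_time"])
            if last <= cutoff:
                findings.append(Finding(row["user"], name, last, (now - last).days))
    return findings


def fetch_report(iam) -> str:
    """Generate the credential report if needed and return its CSV text (live account only)."""
    while iam.generate_credential_report()["State"] != "COMPLETE":
        time.sleep(2)
    return iam.get_credential_report()["Content"].decode("utf-8")


def remediate(iam, findings, now: datetime, max_age_days: int = MAX_AGE_DAYS, dry_run: bool = True):
    """Plan (and, unless dry_run, perform) password deletion and key deactivation.

    Keys are matched by asking IAM for each key's own last-use time instead of trusting
    the report's key_1/key_2 slot numbering. Returns the action list for audit records.
    """
    cutoff = now - timedelta(days=max_age_days)
    actions = []
    for f in findings:
        if f.credential == "password":
            actions.append(("delete_login_profile", {"UserName": f.user}))
            continue
        for key in iam.list_access_keys(UserName=f.user)["AccessKeyMetadata"]:
            if key["Status"] != "Active":
                continue
            used = iam.get_access_key_last_used(AccessKeyId=key["AccessKeyId"])["AccessKeyLastUsed"]
            last = used.get("LastUsedDate", key["CreateDate"])  # never used -> age from creation
            if last <= cutoff:  # deactivate rather than delete, so it can be re-enabled if something breaks
                actions.append(("update_access_key", {"UserName": f.user, "AccessKeyId": key["AccessKeyId"],
                                                      "Status": "Inactive"}))
    unique = []
    for action in actions:  # a user with two key findings lists its keys twice; act once
        if action not in unique:
            unique.append(action)
            if not dry_run:
                getattr(iam, action[0])(**action[1])
    return unique


# Constructed sample report (not real account data), using the real report's column layout.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,not_supported,2024-05-30T10:00:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2023-01-10T00:00:00+00:00,true,2024-05-28T09:00:00+00:00,2024-01-10T00:00:00+00:00,N/A,true,true,2024-01-10T00:00:00+00:00,2024-05-29T00:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2023-01-10T00:00:00+00:00,true,2024-02-01T09:00:00+00:00,2024-01-10T00:00:00+00:00,N/A,false,true,2023-06-01T00:00:00+00:00,N/A,N/A,N/A,true,2024-05-01T00:00:00+00:00,2024-05-30T00:00:00+00:00,eu-west-1,ec2,false,N/A,false,N/A
carol,arn:aws:iam::111122223333:user/carol,2024-05-20T00:00:00+00:00,false,N/A,N/A,N/A,false,true,2024-05-20T00:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed "now" so the sample is reproducible


def demo():
    """Run the check over the sample: bob's stale password and never-used key 1 are flagged."""
    return find_unused(SAMPLE_REPORT, NOW)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.user}: {f.credential} unused {f.days_unused} days (last activity {f.last_activity:%Y-%m-%d})")
    # Live account:  import boto3; iam = boto3.client("iam"); now = datetime.now(timezone.utc)
    # findings = find_unused(fetch_report(iam), now); print(remediate(iam, findings, now, dry_run=True))
```

Run with `dry_run=True` first and keep the returned action list with the audit record; alice's recent key use and carol's 12-day-old key show why the threshold must be applied per credential rather than per user.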