1.12 Ensure credentials unused for 45 days or greater are disabled

Information

AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. It is recommended that all credentials that have been unused for 45 days or more be deactivated or removed.

Rationale:

Disabling or removing unnecessary credentials will reduce the window of opportunity for credentials associated with a compromised or abandoned account to be used.

Solution

From Console:

Perform the following to manage Unused Password (IAM user console access):

1. Login to the AWS Management Console
2. Click Services
3. Click IAM
4. Click on Users
5. Click on Security Credentials
6. Select user whose Console last sign-in is greater than 45 days
7. Click Security credentials
8. In section Sign-in credentials, Console password click Manage
9. Under Console Access select Disable
10. Click Apply

Perform the following to deactivate Access Keys:

1. Login to the AWS Management Console
2. Click Services
3. Click IAM
4. Click on Users
5. Click on Security Credentials
6. Select any access keys that are over 45 days old and that have been used and
7. Click on Make Inactive
8. Select any access keys that are over 45 days old and that have not been used and
9. Click the X to Delete
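As an added example (not part of this audit item or the Tenable plugin), the same 45-day test applied to an IAM credential report, which is how the control is checked account-wide rather than one user at a time in the console. The report rows and the reference date are constructed; a real report comes from `aws iam generate-credential-report` followed by `aws iam get-credential-report`. A credential that was never used is judged by its creation or rotation date, which is the case the console steps above rely on when deciding between Make Inactive and Delete.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

UNUSED_DAYS = 45  # threshold from the control

# Constructed sample in the IAM credential report layout (CSV); columns trimmed to those read below.
SAMPLE_REPORT = """\
user,password_enabled,password_last_used,password_last_changed,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
alice,true,2024-05-01T12:00:00+00:00,2024-01-15T08:00:00+00:00,true,2024-01-15T08:00:00+00:00,2024-05-02T10:00:00+00:00,false,N/A,N/A
bob,true,2024-01-03T12:00:00+00:00,2023-12-01T08:00:00+00:00,true,2023-06-01T09:00:00+00:00,N/A,true,2024-04-20T08:00:00+00:00,2024-04-25T10:00:00+00:00
carol,true,no_information,2024-04-01T09:00:00+00:00,false,N/A,N/A,false,N/A,N/A
dave,false,not_supported,not_supported,true,2023-09-01T09:00:00+00:00,2024-03-01T10:00:00+00:00,false,N/A,N/A
"""
SAMPLE_NOW = datetime(2024, 5, 10, tzinfo=timezone.utc)  # constructed "today" for the sample


def _parse(ts):
    """Report timestamps are ISO 8601; N/A, no_information and not_supported mean 'never'."""
    if ts in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def _stale(last_used, created, now):
    """Unused for more than UNUSED_DAYS; a never-used credential is judged by its creation/rotation date."""
    ref = last_used if last_used is not None else created
    return ref is not None and now - ref > timedelta(days=UNUSED_DAYS)


def find_unused_credentials(report_csv, now):
    """Return (user, credential, last_used) for each enabled credential unused for more than UNUSED_DAYS."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["password_enabled"] == "true" and _stale(
            _parse(row["password_last_used"]), _parse(row["password_last_changed"]), now
        ):
            findings.append((row["user"], "password", row["password_last_used"]))
        for n in ("1", "2"):  # the report carries up to two access keys per user
            if row[f"access_key_{n}_active"] == "true" and _stale(
                _parse(row[f"access_key_{n}_last_used_date"]),
                _parse(row[f"access_key_{n}_last_rotated"]), now
            ):
                findings.append((row["user"], f"access_key_{n}", row[f"access_key_{n}_last_used_date"]))
    return findings


if __name__ == "__main__":
    for user, cred, last in find_unused_credentials(SAMPLE_REPORT, SAMPLE_NOW):
        print(f"{user}: {cred} last used {last} -> disable or delete")
```

A last-used value of N/A on an active key is the "never used" case, which the console procedure deletes rather than deactivates.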

See Also

https://workbench.cisecurity.org/benchmarks/14207

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-2(3), CCE|CCE-78900-8, CSCv7|16.9

Plugin: amazon_aws

Control ID: 36fae222bde50d12441a718365c54132f230cdcef8a141257d913cdce7bad148