Unused IAM User Credentials Should Be Removed

You may use this guide to see if your IAM users still have active access keys or passwords that haven't been used in three months. IAM users can access AWS services using a variety of credentials, including access keys and passwords. Security Hub advises that you delete or deactivate any login information that hasn't been used in 90 days or longer. The window of opportunity for credentials connected to hacked or abandoned accounts to be utilized is less when unneeded credentials are disabled or removed.

If there are dormant accounts that have not been used recently, the rule is NON_COMPLIANT. If this rule is reevaluated within four hours after the initial examination, the outcomes will not change.

Finding and Deleting Unused Passwords

You may check details about your users' password usage using the AWS Management Console. You may utilize the console to get a credential report that contains data on when each user last used their console password if you have a lot of users. The AWS CLI and IAM API are other ways to retrieve the data.

1. Simply log into the AWS Management Console and launch the IAM console to accomplish this.
2. Go to Users, Console Last Sign-In, Settings, and Management Columns from the menu.
3. Select Console Last Sign-In. The time and date of the user's most recent AWS console sign-in are displayed here. This data can be used to locate password-holding people who haven't logged in for a predetermined amount of time. For people with passwords who have never logged in, the column says Never. None denotes users who don't have any passwords. Removing passwords that haven't been used in a while may be a smart idea.

Finding and Deleting Unused Access Keys

You may examine your users' access key use data in the AWS Management Console.

1. Open the IAM console after logging into the AWS Management Console.
2. Select Users in the menu window.
3. Choose Settings.
4. Select Access Key Last Used under Manage Columns. This displays how many days have passed since the user last made a programmatic request to AWS. This data may be used to identify users who have access keys that haven't been used in a certain amount of time. For users without access keys, None is displayed in the column. Access keys that haven't been used in a while may be worthwhile candidates for deletion.

How was our guide to removing IAM user credentials? Tell us your thoughts in the comments