Drata validates whether there are credentials (e.g., passwords, access keys) for IAM users that have not been used in over 45 days.
AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. It is recommended that all credentials that have been unused for 45 days or more be deactivated or removed.
Disabling or removing unnecessary credentials reduces the window of opportunity for credentials associated with a compromised or abandoned account to be used.
ASSOCIATED DRATA CONTROL
This test is part of the Inactive User Accounts Removed control (DCF-335). Drata validates whether there are credentials (e.g., passwords, access keys) for IAM users that have not been used in over 45 days.
WHAT TO DO IF A TEST FAILS
If Drata detects active credentials (e.g., passwords, access keys) for IAM users that have not been used within the last 45 days, the test will fail. To remediate a failed test:
Perform the following to manage unused passwords (IAM user console access):
Login to the AWS Management Console.
Click Services > IAM > Users > Security Credentials.
Select the user whose 'Console last sign-in' is greater than 45 days.
Click 'Security credentials'.
In the 'Sign-in credentials, Console password' section, click 'Manage'.
Under 'Console Access' select 'Disable' and apply these changes.
Perform the following to deactivate unused access keys:
Login to the AWS Management Console.
Click Services > IAM > Users > Security Credentials.
Select any access keys that are over 45 days old and that have been used and make them inactive.
Select any access keys that are over 45 days old and that have not been used and delete them.
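The same 45-day rule can be checked outside the console against an IAM credential report, which `aws iam get-credential-report` returns as base64-encoded CSV. The following is an added example, not Drata's or AWS's code; the report rows are constructed sample data and the function names are ours, with never-used credentials aged from their creation or rotation date to match the deactivate-versus-delete split above:

```python
import csv
import io
from datetime import datetime, timedelta

# Threshold from the page: credentials unused for more than 45 days.
MAX_UNUSED_DAYS = 45

# Constructed sample rows in the column layout of an IAM credential report (not real data).
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service
alice,arn:aws:iam::111122223333:user/alice,2023-01-10T09:00:00+00:00,true,2024-05-28T12:00:00+00:00,2023-01-10T09:00:00+00:00,N/A,true,true,2023-01-10T09:00:00+00:00,2024-05-30T08:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A
bob,arn:aws:iam::111122223333:user/bob,2023-01-10T09:00:00+00:00,true,2024-01-05T12:00:00+00:00,2023-01-10T09:00:00+00:00,N/A,false,true,2023-01-10T09:00:00+00:00,N/A,N/A,N/A,true,2024-02-01T09:00:00+00:00,2024-03-01T10:00:00+00:00,us-west-2,ec2
carol,arn:aws:iam::111122223333:user/carol,2024-05-20T09:00:00+00:00,false,N/A,N/A,N/A,false,true,2024-05-20T09:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A
"""

def _parse_ts(value):
    """Return a datetime, or None for the report's N/A / no_information markers."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)

def find_stale_credentials(report_csv, now, max_unused_days=MAX_UNUSED_DAYS):
    """Return (user, credential, action) tuples for active credentials unused longer than the threshold."""
    cutoff = now - timedelta(days=max_unused_days)
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["password_enabled"] == "true":
            last_used = _parse_ts(row["password_last_used"])
            # Console password set but never used: age it from the user's creation time.
            if last_used is None:
                last_used = _parse_ts(row["user_creation_time"])
            if last_used < cutoff:
                findings.append((row["user"], "password", "disable"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            last_used = _parse_ts(row[f"access_key_{n}_last_used_date"])
            if last_used is None:
                # Key never used: age it from its last rotation (creation) and delete if stale.
                if _parse_ts(row[f"access_key_{n}_last_rotated"]) < cutoff:
                    findings.append((row["user"], f"access_key_{n}", "delete"))
            elif last_used < cutoff:
                findings.append((row["user"], f"access_key_{n}", "deactivate"))
    return findings

def check_sample(now_iso="2024-06-01T00:00:00+00:00"):
    """Run the check over the constructed report at a fixed, constructed 'now'."""
    return find_stale_credentials(SAMPLE_REPORT, datetime.fromisoformat(now_iso))
```

Against a real account, replace SAMPLE_REPORT with the decoded `Content` field of `get-credential-report`; the root account row needs separate handling since its key fields read `not_supported`.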
Center for Internet Security (CIS)
This test aligns with the Center for Internet Security's (CIS) foundation benchmarks, which provide prescriptive guidance for establishing a secure baseline configuration for Amazon Web Services. To learn more, refer to the Center for Internet Security (CIS) section.