
Rule: Ensure credentials unused for 45 days are disabled

This rule requires that credentials unused for 45 days or more be disabled, keeping access control tight and the account compliant.

Rule: Ensure credentials unused for 45 days or greater are disabled
Framework: cis_v140
Severity: High

Ensuring Credentials Unused for 45 Days or Greater are Disabled for CIS v1.4.0

Description of the Rule

The CIS (Center for Internet Security) AWS Foundations Benchmark v1.4.0 is a set of security configuration best practices for AWS. One of its recommendations (Section 1.3) states that AWS account credentials (passwords and access keys) that have not been used within the last 45 days should be disabled. This minimizes the risk posed by dormant credentials, which are an attractive target because nobody is watching them and their loss is unlikely to be noticed.

Troubleshooting Steps

If credentials are still enabled after 45 days of inactivity, troubleshoot by checking:

  1. the last-used date of the credentials (from the credential report),
  2. the IAM policies, automation rules or Lambda functions that are supposed to disable inactive credentials,
  3. CloudTrail logs for any attempted access using those credentials.

Remediation Steps

To enforce this rule, perform the following steps:

Step 1: Identify Inactive Credentials

Using the AWS Management Console:

  1. Log in to the AWS Management Console.
  2. Go to the IAM dashboard.
  3. In the navigation pane, select "Users".
  4. For each user, review the "Access key age" and "Password last used" columns to identify any credentials older than 45 days.

Using the AWS CLI:

aws iam generate-credential-report
aws iam get-credential-report --query 'Content' --output text | base64 --decode

This generates and retrieves the credential report, a CSV with one row per IAM user (plus the root account), which you can then review for any access keys or passwords not used within the last 45 days.

Step 2: Disable Inactive Credentials

For users with credentials that have not been used in the last 45 days:

Using the AWS Management Console:

  1. Go to the IAM dashboard.
  2. Select "Users".
  3. Choose the user with the inactive credential.
  4. Click on the "Security credentials" tab.
  5. Either deactivate the user's access keys or click on "Manage" to disable the user's password.

Using the AWS CLI: To deactivate an access key:

aws iam update-access-key --access-key-id <ACCESS_KEY_ID> --status Inactive --user-name <USER_NAME>

To disable console password sign-in (this deletes the user's login profile; access keys are unaffected):

aws iam delete-login-profile --user-name <USER_NAME>

Step 3: Automate the Process

To automate the process of identifying and disabling inactive credentials, consider the following:

  • Write custom AWS Lambda functions that are triggered by CloudWatch Events to check for inactive credentials and disable them.
  • Use AWS Config Rules to continuously monitor and remediate inactive credentials.

An example AWS Config rule for this check, in the form accepted by "aws configservice put-config-rule --config-rule file://rule.json". It uses the AWS managed rule IAM_USER_UNUSED_CREDENTIALS_CHECK, whose maxCredentialUsageAge parameter sets the inactivity threshold in days; note that InputParameters must be passed as a JSON-encoded string:

{
    "ConfigRuleName": "unused-credentials-check",
    "Description": "Checks if IAM credentials have been unused for 45 days or greater",
    "Scope": {
        "ComplianceResourceTypes": [
            "AWS::IAM::User"
        ]
    },
    "Source": {
        "Owner": "AWS",
        "SourceIdentifier": "IAM_USER_UNUSED_CREDENTIALS_CHECK"
    },
    "InputParameters": "{\"maxCredentialUsageAge\": \"45\"}",
    "MaximumExecutionFrequency": "TwentyFour_Hours"
}
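The identify step (Step 1) and the Lambda automation suggested in Step 3 both come down to the same check over the decoded credential report. The following Python is an added example, not Cloud Defense's code or an AWS sample: it parses a constructed report and flags every enabled password or access key unused for 45 days or more, treating a never-used credential as aged from its creation date (an assumption of this example; adjust to your audit procedure).

```python
import csv
import io
from datetime import datetime, timedelta, timezone

MAX_UNUSED_DAYS = 45  # threshold from the CIS v1.4.0 recommendation above

# Constructed sample of a decoded credential report (CSV), trimmed to the columns read here.
SAMPLE_REPORT = """\
user,user_creation_time,password_enabled,password_last_used,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,2020-01-01T00:00:00+00:00,not_supported,2024-05-01T10:00:00+00:00,false,N/A,N/A,false,N/A,N/A
alice,2023-01-01T00:00:00+00:00,true,2024-06-20T08:00:00+00:00,true,2024-02-01T00:00:00+00:00,N/A,false,N/A,N/A
bob,2023-01-01T00:00:00+00:00,true,2024-01-15T09:30:00+00:00,true,2024-06-01T00:00:00+00:00,2024-06-29T00:00:00+00:00,false,N/A,N/A
carol,2024-06-10T00:00:00+00:00,true,no_information,true,2024-06-10T00:00:00+00:00,N/A,false,N/A,N/A
"""
SAMPLE_NOW = datetime(2024, 7, 1, tzinfo=timezone.utc)  # constructed "today"


def _parse_time(value):
    """Report timestamps are ISO 8601; N/A, no_information and not_supported
    all mean there is no timestamp for that field."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def find_stale_credentials(report_csv, now, max_days=MAX_UNUSED_DAYS):
    """Return (user, credential) pairs for every enabled password or access key
    whose last use (or creation, if it was never used) is older than max_days."""
    cutoff = now - timedelta(days=max_days)
    stale = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        created = _parse_time(row["user_creation_time"])
        # Console password: no_information means never used since creation.
        if row["password_enabled"] == "true":
            last_used = _parse_time(row["password_last_used"]) or created
            if last_used < cutoff:
                stale.append((row["user"], "password"))
        # Access keys: a never-used key is judged by its creation (rotation) date.
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            last_used = (_parse_time(row[f"access_key_{n}_last_used_date"])
                         or _parse_time(row[f"access_key_{n}_last_rotated"]))
            if last_used is not None and last_used < cutoff:
                stale.append((row["user"], f"access_key_{n}"))
    return stale


def stale_in_sample():
    """Run the check over the constructed report (live input with boto3 would be
    iam.get_credential_report()["Content"].decode())."""
    return find_stale_credentials(SAMPLE_REPORT, SAMPLE_NOW)
```

Each returned pair maps directly onto the Step 2 commands: "password" entries call for delete-login-profile and "access_key_N" entries for update-access-key with --status Inactive.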

Note

  • Monitor activity regularly and enforce the policy strictly to stay compliant with CIS benchmarks.
  • Ensure you have taken the necessary backups of any key material or configurations before disabling any credentials.
  • Always follow the principle of least privilege and limit the number of users with access to root credentials.

By following these steps and ensuring that inactive credentials are consistently managed, you can maintain a strong security posture in your AWS environment.
