
Rule: Ensure Credentials Unused for 45 Days Are Disabled

This rule ensures that credentials unused for 45 days are disabled to enhance security measures.

Rule: Ensure credentials unused for 45 days or greater are disabled
Framework: cis_v150
Severity: Medium

Ensure Credentials Unused for 45 Days or Greater Are Disabled for CIS v1.5.0

Overview

The CIS (Center for Internet Security) benchmark version 1.5.0 includes a recommendation that any credentials, such as passwords or access keys, that have not been used in the past 45 days should be disabled. This is a security best practice to reduce the risk of old credentials being exploited by an attacker.

Rationale

Unused credentials pose a security risk because they can be compromised without the knowledge of the user or the organization. By disabling unused credentials, an organization limits the risk of unauthorized access. This step also ensures better management of the access lifecycle, encouraging regular review and validation of whether each credential still needs to exist.

Step-by-Step Guide for Remediation

Identifying Unused Credentials

  1. Log in to the AWS Management Console.
  2. Navigate to the IAM (Identity and Access Management) dashboard.
  3. Go to the "Users" section.
  4. Click on the individual user to view their details.
  5. Check the "Access Advisor" tab to see when each service was last accessed.

Alternatively, using the AWS CLI (Command Line Interface):

aws iam generate-credential-report
aws iam get-credential-report --query 'Content' --output text | base64 --decode > credential_report.csv

Analyze credential_report.csv to identify credentials not used in the previous 45 days.
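As an added example (not part of the original page or the vendor's tooling), the following Python parses an excerpt of a credential report and applies the CIS check: a credential counts as stale when its last-used date, or its creation/rotation date if it was never used, is older than 45 days. The sample report and the reference date are constructed; the column names are the ones the real report uses, and the check treats N/A and no_information as "no data".

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample of an IAM credential report (columns trimmed to the
# ones this check needs; a real report has more columns but the same names).
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,not_supported,2024-05-01T10:00:00+00:00,false,N/A,N/A,false,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,2021-03-01T00:00:00+00:00,true,2024-05-20T08:00:00+00:00,true,2024-01-10T00:00:00+00:00,2024-02-01T00:00:00+00:00,false,N/A,N/A
bob,arn:aws:iam::111122223333:user/bob,2024-05-15T00:00:00+00:00,true,no_information,true,2024-05-15T00:00:00+00:00,N/A,false,N/A,N/A
carol,arn:aws:iam::111122223333:user/carol,2022-06-01T00:00:00+00:00,false,N/A,true,2022-06-01T00:00:00+00:00,N/A,true,2024-05-25T00:00:00+00:00,2024-05-26T00:00:00+00:00
"""
# Constructed "now" so the result is reproducible; use datetime.now(timezone.utc) in practice.
REFERENCE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

def _parse(ts):
    # Report timestamps are ISO 8601; "N/A" and "no_information" mean no data.
    if ts in ("N/A", "no_information", ""):
        return None
    return datetime.fromisoformat(ts)

def _stale(last_used, fallback, cutoff):
    # A credential is stale if its last use (or, when it was never used,
    # its creation/rotation date) lies before the cutoff.
    anchor = last_used if last_used is not None else fallback
    return anchor is not None and anchor < cutoff

def find_stale_credentials(report_csv, now, max_age_days=45):
    """Return (user, credential) pairs for enabled credentials unused for max_age_days or more."""
    cutoff = now - timedelta(days=max_age_days)
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        created = _parse(row["user_creation_time"])
        if row["password_enabled"] == "true" and _stale(_parse(row["password_last_used"]), created, cutoff):
            findings.append((row["user"], "password"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] == "true" and _stale(
                    _parse(row[f"access_key_{n}_last_used_date"]),
                    _parse(row[f"access_key_{n}_last_rotated"]), cutoff):
                findings.append((row["user"], f"access_key_{n}"))
    return findings

if __name__ == "__main__":
    for user, cred in find_stale_credentials(SAMPLE_REPORT, REFERENCE_NOW):
        print(f"{user}: {cred} unused for 45+ days")
```

The root account row is skipped because its password_enabled value is not_supported; it is covered by separate CIS recommendations.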

Disabling Unused Credentials

For Passwords:

  1. In the IAM dashboard, choose the user.
  2. Navigate to the "Security credentials" tab.
  3. Click "Manage" next to the password.
  4. Click on "Make inactive" to disable the password.

For Access Keys:

  1. In the IAM dashboard, choose the user.
  2. Navigate to the "Security credentials" tab.
  3. Under "Access keys," find the key that has not been used within 45 days.
  4. Click on "Make inactive" to disable the access key.

Using AWS CLI, you can deactivate access keys with the following command:

aws iam update-access-key --access-key-id <ACCESS_KEY_ID> --status Inactive --user-name <USER_NAME>

Be sure to replace <ACCESS_KEY_ID> with the actual access key ID and <USER_NAME> with the name of the IAM user.

Troubleshooting Steps

If you encounter issues while disabling credentials, consider the following troubleshooting steps:

  • Ensure that you have the necessary permissions to disable credentials.
  • Check if there are any dependencies or services that might be using these credentials.
  • Confirm that the CLI is configured with the right set of permissions and the correct region.
  • Verify the commands are correctly formatted and the user or key identifiers are correctly specified.

Necessary Scripts or Code

For automation and tracking, scripts can be utilized. For instance, you might set up a Lambda function triggered by a CloudWatch event that runs every day, identifying and disabling credentials that have not been used within the last 45 days.

Here's a basic example of such a script:

import boto3
from datetime import datetime, timezone, timedelta

MAX_AGE = timedelta(days=45)

def disable_old_credentials():
    iam = boto3.client('iam')
    today = datetime.now(timezone.utc)

    # list_users is paginated; a single list_users() call only returns the first page
    for page in iam.get_paginator('list_users').paginate():
        for user in page['Users']:
            # Checking Access Keys
            access_keys = iam.list_access_keys(UserName=user['UserName'])
            for key in access_keys['AccessKeyMetadata']:
                if key['Status'] != 'Active':
                    continue
                last_used = iam.get_access_key_last_used(AccessKeyId=key['AccessKeyId'])
                # LastUsedDate is absent for keys that have never been used; fall back to
                # the key's creation date so that old, never-used keys are still caught
                last_used_date = last_used['AccessKeyLastUsed'].get('LastUsedDate', key['CreateDate'])
                if today - last_used_date > MAX_AGE:
                    iam.update_access_key(UserName=user['UserName'],
                                          AccessKeyId=key['AccessKeyId'],
                                          Status='Inactive')

# This function would need to be called periodically, possibly via AWS Lambda
disable_old_credentials()

Conclusion

By routinely checking and disabling unused credentials, organizations can maintain a stronger security posture and satisfy the relevant CIS benchmark requirements. The AWS console and CLI commands provide the necessary tools to perform these actions, and scripts can automate the process to ensure continuous compliance. Remember to always monitor dependencies before disabling credentials to avoid service interruptions.
