AWS-IAM-Credentials-Unused-Max-Days

Severity: Medium

Description: This control checks for IAM users that have a console password and have not used their credentials for 90 days or more. It is recommended that the console credentials of any user that have been unused for 90 days or longer be removed or deactivated.

Remediation Steps:

Perform the following steps for each affected IAM user:

  1. Log in to the AWS Management Console at https://console.aws.amazon.com.

  2. Navigate to IAM console.

  3. In the navigation pane, choose Users.

  4. In the User Name list, choose the name of the user whose password has not been used in 90 days.

  5. Choose the Security credentials tab.

  6. Under Sign-in credentials, choose Manage next to Console password.

  7. For Console access, choose Disable.

  8. Choose Apply.

Important:

  • Changes to account credentials may take up to 4 hours to be reflected in the AWS IAM evaluations.
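The check described above, applied to an IAM credential report, as an added example that is not part of this control's own tooling. It assumes the column layout of the report returned by the IAM GetCredentialReport API (user, password_enabled, password_last_used, password_last_changed, user_creation_time) and uses a constructed sample report with a fixed evaluation date; a password that has never been used is aged from the time it was last set, and the root account is skipped because its password cannot be disabled from the Users pane.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the layout of an IAM credential report; only the
# password-related columns are consulted by the check below.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,mfa_active
<root_account>,arn:aws:iam::123456789012:root,2019-01-10T08:00:00+00:00,not_supported,2020-06-01T12:00:00+00:00,not_supported,true
alice,arn:aws:iam::123456789012:user/alice,2019-03-01T08:00:00+00:00,true,2020-06-20T09:30:00+00:00,2019-03-01T08:05:00+00:00,true
bob,arn:aws:iam::123456789012:user/bob,2019-03-01T08:00:00+00:00,true,2020-01-15T09:30:00+00:00,2019-03-01T08:05:00+00:00,false
carol,arn:aws:iam::123456789012:user/carol,2020-01-05T08:00:00+00:00,true,no_information,2020-01-05T08:05:00+00:00,false
dave,arn:aws:iam::123456789012:user/dave,2020-06-25T08:00:00+00:00,true,no_information,2020-06-25T08:05:00+00:00,false
svc-deploy,arn:aws:iam::123456789012:user/svc-deploy,2019-03-01T08:00:00+00:00,false,N/A,N/A,false
"""

# Fixed evaluation date (constructed) so the sample gives repeatable results.
REPORT_DATE = datetime(2020, 7, 8, 12, 0, tzinfo=timezone.utc)


def _parse_ts(value):
    """Credential-report timestamps are ISO 8601; placeholders mean 'unknown'."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def stale_console_users(report_csv, now, max_days=90):
    """Return (user, days_unused) for users with an enabled console password
    that has not been used for max_days or more."""
    cutoff = now - timedelta(days=max_days)
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] == "<root_account>" or row["password_enabled"] != "true":
            continue
        # Never-used passwords are aged from when they were set, then from
        # user creation, so a long-dormant password is still caught.
        last = (_parse_ts(row["password_last_used"])
                or _parse_ts(row["password_last_changed"])
                or _parse_ts(row["user_creation_time"]))
        if last is not None and last <= cutoff:
            findings.append((row["user"], (now - last).days))
    return findings


def demo():
    """Evaluate the constructed sample against the 90-day threshold."""
    return stale_console_users(SAMPLE_REPORT, REPORT_DATE)


if __name__ == "__main__":
    for user, days in demo():
        print(f"{user}: console password unused for {days} days -> disable")
```

With a real account, the same CSV is obtained by decoding the base64 `Content` field of `aws iam get-credential-report`, and each flagged user is then handled with the console steps above.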

Reference:

  • CIS Amazon Web Services Foundations Benchmark v1.3.0 - 08-07-2020: Recommendation #1.12

Blue Hexagon Proprietary