User Account Without Any Usage Should Be Removed

More Info:

Any unused IAM user without console access and API access should be removed as an extra security measure for protecting your AWS resources against unapproved access.

Risk Level

Medium

Address

Security

Compliance Standards

CISAWS, CBP, HIPAA, SOC2, ISO27001, HITRUST, NISTCSF, PCIDSS

Triage and Remediation

How to Prevent

Using Console

Using CLI

To prevent user accounts without any usage in AWS IAM using the AWS CLI, you can follow these steps:

List All IAM Users: Use the following command to list all IAM users in your AWS account. This will help you identify which users exist and need to be monitored for activity.
```
aws iam list-users
```
Monitor User Activity: Regularly check the last activity of each IAM user. You can use the following command to get the last used information for each user. This will help you identify users who have not used their credentials recently.
```
aws iam get-user --user-name <username>
```

Automate Inactive User Detection: Create a script to automate the detection of inactive users. You can use AWS CLI commands within a Python script to check the last activity of each user and flag those who have not been active for a specified period. Example Python script snippet:

import boto3
from datetime import datetime, timedelta

iam = boto3.client('iam')
users = iam.list_users()['Users']

for user in users:
    username = user['UserName']
    last_used = iam.get_user(UserName=username)['User'].get('PasswordLastUsed', None)
    if last_used:
        last_used_date = last_used.replace(tzinfo=None)
        if datetime.now() - last_used_date > timedelta(days=90):  # Example: 90 days of inactivity
            print(f"User {username} has been inactive for more than 90 days.")

Implement a Policy for Regular Review: Establish a policy to regularly review IAM users and their activity. This can be done by scheduling the above script to run periodically (e.g., using AWS Lambda and CloudWatch Events) to ensure continuous monitoring and prompt action on inactive users. Example of scheduling a Lambda function using AWS CLI:

aws events put-rule --schedule-expression "rate(7 days)" --name "InactiveUserCheck"
aws lambda add-permission --function-name <lambda-function-name> --statement-id <unique-id> --action 'lambda:InvokeFunction' --principal events.amazonaws.com --source-arn <rule-arn>
aws events put-targets --rule "InactiveUserCheck" --targets "Id"="<target-id>","Arn"="<lambda-function-arn>"

By following these steps, you can effectively prevent user accounts without any usage from remaining in your AWS IAM, ensuring better security and management of your cloud resources.

Using Python

To prevent user accounts without any usage in IAM from existing in AWS, Azure, and GCP using Python scripts, you can follow these steps:

AWS (Amazon Web Services)

List All IAM Users: Use the boto3 library to list all IAM users.

import boto3

iam_client = boto3.client('iam')

def list_iam_users():
    response = iam_client.list_users()
    return response['Users']

users = list_iam_users()

Check User Activity: Check the last activity of each user by examining their access keys and login profile.

from datetime import datetime, timedelta

def get_user_last_activity(user_name):
    access_keys = iam_client.list_access_keys(UserName=user_name)['AccessKeyMetadata']
    last_used = None
    for key in access_keys:
        key_last_used = iam_client.get_access_key_last_used(AccessKeyId=key['AccessKeyId'])['AccessKeyLastUsed']
        if 'LastUsedDate' in key_last_used:
            if not last_used or key_last_used['LastUsedDate'] > last_used:
                last_used = key_last_used['LastUsedDate']
    return last_used

for user in users:
    last_activity = get_user_last_activity(user['UserName'])
    if last_activity and last_activity < datetime.now() - timedelta(days=90):
        print(f"User {user['UserName']} has not been active for 90 days.")

Azure (Microsoft Azure)

List All Users: Use the azure-identity and azure-graphrbac libraries to list all users.

from azure.identity import DefaultAzureCredential
from azure.graphrbac import GraphRbacManagementClient

credential = DefaultAzureCredential()
client = GraphRbacManagementClient(credential, 'YOUR_TENANT_ID')

def list_users():
    users = client.users.list()
    return list(users)

users = list_users()

Check User Activity: Check the last sign-in activity of each user.

from datetime import datetime, timedelta

def get_user_last_sign_in(user):
    # Assuming you have a way to get the last sign-in date
    # This might require additional API calls or logs
    last_sign_in = user.sign_in_activity.last_sign_in_date_time
    return last_sign_in

for user in users:
    last_sign_in = get_user_last_sign_in(user)
    if last_sign_in and last_sign_in < datetime.now() - timedelta(days=90):
        print(f"User {user.user_principal_name} has not signed in for 90 days.")

GCP (Google Cloud Platform)

List All Users: Use the google-auth and google-api-python-client libraries to list all users.

from google.oauth2 import service_account
from googleapiclient.discovery import build

credentials = service_account.Credentials.from_service_account_file('path/to/your/service-account-file.json')
service = build('admin', 'directory_v1', credentials=credentials)

def list_users():
    results = service.users().list(customer='my_customer', maxResults=200, orderBy='email').execute()
    return results.get('users', [])

users = list_users()

Check User Activity: Check the last login time of each user.

from datetime import datetime, timedelta

def get_user_last_login(user):
    last_login = user.get('lastLoginTime')
    if last_login:
        return datetime.strptime(last_login, '%Y-%m-%dT%H:%M:%S.%fZ')
    return None

for user in users:
    last_login = get_user_last_login(user)
    if last_login and last_login < datetime.now() - timedelta(days=90):
        print(f"User {user['primaryEmail']} has not logged in for 90 days.")

These scripts will help you identify users who have not been active for a specified period (e.g., 90 days). You can then take appropriate actions, such as notifying administrators or automatically deactivating these accounts.

Additional Reading:

https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

User Account Without Any Usage Should Be Removed

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

How to Prevent

AWS (Amazon Web Services)

Azure (Microsoft Azure)

GCP (Google Cloud Platform)

Additional Reading:

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​How to Prevent

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

How to Prevent

Additional Reading: