Inactive User Account Access keys Should Be Dropped

More Info:

Inactive access keys should be dropped.

Risk Level

Medium

Address

Security

Compliance Standards

HIPAA, GDPR, NIST, SOC2, CISAWS, CBP

Triage and Remediation

How to Prevent

Using Console

Using CLI

To prevent inactive user account access keys in AWS IAM using the AWS CLI, you can follow these steps:

List All IAM Users: First, list all IAM users to identify which users have access keys.
```
aws iam list-users
```
List Access Keys for Each User: For each user, list their access keys to check their status and last used date.
```
aws iam list-access-keys --user-name <username>
```
Monitor Access Key Usage: Regularly monitor the usage of access keys to identify inactive keys. You can use the following command to get the last used date of each access key.
```
aws iam get-access-key-last-used --access-key-id <access-key-id>
```

Automate Inactive Key Deactivation: Create a script to automate the deactivation of access keys that have not been used for a specified period. Here is a basic example in Python:

import boto3
from datetime import datetime, timedelta

# Initialize a session using Amazon IAM
iam = boto3.client('iam')

# Define the inactivity period (e.g., 90 days)
inactivity_period = timedelta(days=90)

# Get the list of all IAM users
users = iam.list_users()['Users']

for user in users:
    user_name = user['UserName']
    access_keys = iam.list_access_keys(UserName=user_name)['AccessKeyMetadata']
    
    for key in access_keys:
        access_key_id = key['AccessKeyId']
        last_used_response = iam.get_access_key_last_used(AccessKeyId=access_key_id)
        last_used_date = last_used_response['AccessKeyLastUsed'].get('LastUsedDate')
        
        if last_used_date:
            if datetime.now(last_used_date.tzinfo) - last_used_date > inactivity_period:
                # Deactivate the inactive access key
                iam.update_access_key(UserName=user_name, AccessKeyId=access_key_id, Status='Inactive')
        else:
            # If the key has never been used, consider it inactive
            iam.update_access_key(UserName=user_name, AccessKeyId=access_key_id, Status='Inactive')

By following these steps, you can ensure that inactive access keys are identified and deactivated, thereby enhancing the security of your AWS environment.

Using Python

To prevent inactive user account access keys in IAM using Python scripts, you can follow these steps:

Set Up AWS SDK (Boto3) and Authentication:

Install the Boto3 library if you haven’t already.
Configure your AWS credentials.

pip install boto3

import boto3
from datetime import datetime, timedelta

# Initialize a session using Amazon IAM
session = boto3.Session(
    aws_access_key_id='YOUR_ACCESS_KEY',
    aws_secret_access_key='YOUR_SECRET_KEY',
    region_name='YOUR_REGION'
)

iam_client = session.client('iam')

Define the Inactivity Period:
- Set the period of inactivity after which access keys should be considered inactive.
```
INACTIVITY_PERIOD_DAYS = 90
```

List All Users and Their Access Keys:

Retrieve all IAM users and their associated access keys.

def list_users_and_keys():
    users = iam_client.list_users()
    user_keys = {}
    for user in users['Users']:
        username = user['UserName']
        access_keys = iam_client.list_access_keys(UserName=username)
        user_keys[username] = access_keys['AccessKeyMetadata']
    return user_keys

Check Last Used Date and Deactivate Inactive Keys:

Check the last used date of each access key and deactivate keys that have been inactive for the defined period.

def deactivate_inactive_keys(user_keys):
    for username, keys in user_keys.items():
        for key in keys:
            access_key_id = key['AccessKeyId']
            last_used_response = iam_client.get_access_key_last_used(AccessKeyId=access_key_id)
            last_used_date = last_used_response['AccessKeyLastUsed'].get('LastUsedDate')

            if last_used_date:
                days_inactive = (datetime.now() - last_used_date.replace(tzinfo=None)).days
                if days_inactive > INACTIVITY_PERIOD_DAYS:
                    print(f"Deactivating key {access_key_id} for user {username} due to {days_inactive} days of inactivity.")
                    iam_client.update_access_key(UserName=username, AccessKeyId=access_key_id, Status='Inactive')
            else:
                print(f"Deactivating key {access_key_id} for user {username} as it has never been used.")
                iam_client.update_access_key(UserName=username, AccessKeyId=access_key_id, Status='Inactive')

if __name__ == "__main__":
    user_keys = list_users_and_keys()
    deactivate_inactive_keys(user_keys)

This script will help you identify and deactivate inactive access keys for IAM users in AWS. Make sure to run this script periodically to ensure that inactive keys are consistently deactivated.

Additional Reading:

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_manage.html

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

Inactive User Account Access keys Should Be Dropped

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

How to Prevent

Additional Reading:

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​How to Prevent

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

How to Prevent

Additional Reading: