To prevent inactive user account access keys in IAM using the AWS Management Console, follow these steps:
Enable Access Key Rotation Policy:
Navigate to the IAM Dashboard in the AWS Management Console.
Go to “Policies” and create a new policy or modify an existing one.
Define a policy that enforces access key rotation, ensuring that keys older than a specified period (e.g., 90 days) are rotated or deactivated.
Set Up CloudWatch Alarms:
Go to the CloudWatch Dashboard.
Create a new alarm that monitors IAM access key usage.
Set the alarm to trigger if an access key has not been used within a specified period (e.g., 30 days).
Configure notifications to alert administrators when the alarm is triggered.
Enable IAM Credential Reports:
In the IAM Dashboard, go to “Credential Report.”
Generate a credential report to review the status of all IAM users’ access keys.
Schedule regular reviews of this report to identify and take action on inactive access keys.
Implement IAM Access Analyzer:
Navigate to the IAM Dashboard and select “Access Analyzer.”
Enable Access Analyzer to continuously monitor and analyze permissions granted using access keys.
Review findings and take action to remove or deactivate any unnecessary or inactive access keys.
By following these steps, you can proactively manage and prevent inactive user account access keys in AWS IAM.
Using CLI
To prevent inactive user account access keys in AWS IAM using the AWS CLI, you can follow these steps:
List All IAM Users:
First, list all IAM users to identify which users have access keys.
aws iam list-users
List Access Keys for Each User:
For each user, list their access keys to check their status and last used date.
aws iam list-access-keys --user-name <username>
Monitor Access Key Usage:
Regularly monitor the usage of access keys to identify inactive keys. You can use the following command to get the last used date of each access key.
aws iam get-access-key-last-used --access-key-id <access-key-id>
Automate Inactive Key Deactivation:
Create a script to automate the deactivation of access keys that have not been used for a specified period. Here is a basic example in Python:
import boto3from datetime import datetime, timedelta# Initialize a session using Amazon IAMiam = boto3.client('iam')# Define the inactivity period (e.g., 90 days)inactivity_period = timedelta(days=90)# Get the list of all IAM usersusers = iam.list_users()['Users']for user in users: user_name = user['UserName'] access_keys = iam.list_access_keys(UserName=user_name)['AccessKeyMetadata'] for key in access_keys: access_key_id = key['AccessKeyId'] last_used_response = iam.get_access_key_last_used(AccessKeyId=access_key_id) last_used_date = last_used_response['AccessKeyLastUsed'].get('LastUsedDate') if last_used_date: if datetime.now(last_used_date.tzinfo) - last_used_date > inactivity_period: # Deactivate the inactive access key iam.update_access_key(UserName=user_name, AccessKeyId=access_key_id, Status='Inactive') else: # If the key has never been used, consider it inactive iam.update_access_key(UserName=user_name, AccessKeyId=access_key_id, Status='Inactive')
By following these steps, you can ensure that inactive access keys are identified and deactivated, thereby enhancing the security of your AWS environment.
Using Python
To prevent inactive user account access keys in IAM using Python scripts, you can follow these steps:
Set Up AWS SDK (Boto3) and Authentication:
Install the Boto3 library if you haven’t already.
Configure your AWS credentials.
pip install boto3
import boto3from datetime import datetime, timedelta# Initialize a session using Amazon IAMsession = boto3.Session( aws_access_key_id='YOUR_ACCESS_KEY', aws_secret_access_key='YOUR_SECRET_KEY', region_name='YOUR_REGION')iam_client = session.client('iam')
Define the Inactivity Period:
Set the period of inactivity after which access keys should be considered inactive.
INACTIVITY_PERIOD_DAYS = 90
List All Users and Their Access Keys:
Retrieve all IAM users and their associated access keys.
def list_users_and_keys(): users = iam_client.list_users() user_keys = {} for user in users['Users']: username = user['UserName'] access_keys = iam_client.list_access_keys(UserName=username) user_keys[username] = access_keys['AccessKeyMetadata'] return user_keys
Check Last Used Date and Deactivate Inactive Keys:
Check the last used date of each access key and deactivate keys that have been inactive for the defined period.
def deactivate_inactive_keys(user_keys): for username, keys in user_keys.items(): for key in keys: access_key_id = key['AccessKeyId'] last_used_response = iam_client.get_access_key_last_used(AccessKeyId=access_key_id) last_used_date = last_used_response['AccessKeyLastUsed'].get('LastUsedDate') if last_used_date: days_inactive = (datetime.now() - last_used_date.replace(tzinfo=None)).days if days_inactive > INACTIVITY_PERIOD_DAYS: print(f"Deactivating key {access_key_id} for user {username} due to {days_inactive} days of inactivity.") iam_client.update_access_key(UserName=username, AccessKeyId=access_key_id, Status='Inactive') else: print(f"Deactivating key {access_key_id} for user {username} as it has never been used.") iam_client.update_access_key(UserName=username, AccessKeyId=access_key_id, Status='Inactive')if __name__ == "__main__": user_keys = list_users_and_keys() deactivate_inactive_keys(user_keys)
This script will help you identify and deactivate inactive access keys for IAM users in AWS. Make sure to run this script periodically to ensure that inactive keys are consistently deactivated.
In the navigation pane, choose “Users”. This will display a list of all IAM users associated with the current AWS account.
Click on the name of the user for which you want to check the access keys. This will open the summary page for the selected IAM user.
In the “User Security Credentials” section, check the “Access Key” list. If there are any access keys that are not being used (i.e., their status is “Inactive”), these should be dropped as they represent a potential security risk.
Using CLI
Install and configure AWS CLI: Before you can start using AWS CLI, you need to install it on your local machine and configure it with your AWS account credentials. You can do this by running the following commands:Installation: pip install awscliConfiguration: aws configure
List all IAM users: Use the following AWS CLI command to list all the IAM users in your AWS account:aws iam list-users --query 'Users[*].UserName' --output text
List access keys for each user: For each user, list all the access keys. You can do this by running the following command for each user:aws iam list-access-keys --user-name <username>Replace <username> with the name of the user.
Check the status of each access key: In the output of the previous command, check the ‘Status’ field for each access key. If the status is ‘Inactive’, then the access key is not being used and should be dropped.
Using Python
Import the necessary AWS SDK for Python (Boto3) modules and establish a client for IAM.
import boto3from botocore.exceptions import ClientError# Create IAM clientiam = boto3.client('iam')
Use the list_users method to retrieve all the users in the IAM.
try: response = iam.list_users()except ClientError as e: print(e)
For each user, use the list_access_keys method to retrieve all the access keys associated with the user.
for user in response['Users']: access_keys = iam.list_access_keys(UserName=user['UserName'])
Check the Status of each access key. If the status is ‘Inactive’, print out the user name and access key ID.
for key in access_keys['AccessKeyMetadata']: if key['Status'] == 'Inactive': print(f"Inactive access key {key['AccessKeyId']} found for user {user['UserName']}")
This script will help you identify all the inactive user account access keys in IAM. Please note that you need to have the necessary permissions to list users and access keys in IAM.
To remediate the issue of inactive user account access keys in AWS, you can follow the below steps using AWS console:
Login to the AWS management console using your credentials.
Navigate to the IAM (Identity and Access Management) dashboard.
Click on the “Users” option from the left-hand side menu.
Select the user account for which you want to drop the inactive access keys.
Click on the “Security Credentials” tab.
Under the “Access keys” section, you will see the list of active and inactive access keys associated with the user account.
Identify the inactive access keys that you want to drop.
Click on the “Make Inactive” button next to the access key that you want to drop.
A confirmation message will appear, click on “Yes, Make Inactive” to confirm.
The inactive access key will now be dropped, and you can repeat the same process to drop any other inactive access keys associated with the user account.
By following these steps, you can remediate the issue of inactive user account access keys in AWS using the AWS console.
To remediate this misconfiguration in AWS using AWS CLI, you can follow these steps:
Open the AWS CLI on your local machine.
Run the following command to list all the IAM users in your AWS account:
aws iam list-users
Identify the inactive users from the list. Inactive users are those who have not used their access keys for a long time.
Run the following command to list the access keys for an inactive user:
aws iam list-access-keys --user-name <user-name>
Replace <user-name> with the name of the inactive user.
Identify the inactive access keys from the list. Inactive access keys are those that have not been used for a long time.
Run the following command to delete the inactive access keys:
aws iam delete-access-key --access-key-id <access-key-id> --user-name <user-name>
Replace <access-key-id> with the ID of the inactive access key and <user-name> with the name of the inactive user.
Repeat steps 4-6 for all the inactive users and access keys in your AWS account.
Once you have deleted all the inactive access keys, verify that the misconfiguration has been remediated by running a security audit of your AWS account.
Note: Before deleting any access keys, make sure that they are really inactive and not being used by any application or service. Deleting active access keys can result in service disruption.
Using Python
To remediate the inactive user account access keys issue in AWS, you can use the following Python script:
First, you need to import the necessary modules:
import boto3import datetime
Next, you need to create an AWS IAM client:
client = boto3.client('iam')
Then, you can get a list of all IAM users:
users = client.list_users()['Users']
For each user, you can get a list of their access keys:
for user in users: access_keys = client.list_access_keys(UserName=user['UserName'])['AccessKeyMetadata']
You can then check the last time each access key was used:
for key in access_keys: last_used = client.get_access_key_last_used(AccessKeyId=key['AccessKeyId']) if 'LastUsedDate' not in last_used['AccessKeyLastUsed']: # Access key has never been used client.delete_access_key(UserName=user['UserName'], AccessKeyId=key['AccessKeyId']) else: last_used_date = last_used['AccessKeyLastUsed']['LastUsedDate'] days_since_last_used = (datetime.datetime.now() - last_used_date.replace(tzinfo=None)).days if days_since_last_used > 90: # Access key has not been used in over 90 days client.delete_access_key(UserName=user['UserName'], AccessKeyId=key['AccessKeyId'])
Finally, you can delete any access keys that have not been used in over 90 days or that have never been used.
