Inactive IAM Users
More Info: List of IAM Users which have not been active recently.
Risk Level: Medium
Address: Security
Compliance Standards: CISGCP
Triage and Remediation
Remediation
To remediate inactive IAM users in AWS using the AWS Management Console, follow these steps:
- Sign in to the AWS Management Console using your AWS account credentials.
- Open the IAM console by searching for “IAM” in the AWS services search bar and selecting “IAM” from the results.
- In the left navigation pane, click on “Users” to view the list of IAM users in your account.
- Identify the inactive users by looking at the “Last activity” column. Users who have not performed any activity for an extended period are considered inactive.
- Select the checkbox next to the inactive user(s) that you want to remediate.
- Click on the “Security credentials” tab at the bottom of the user details section.
- Under “Access keys,” check if the user has any access keys. If there are any access keys, they should be deleted.
- To delete an access key, click on the “Delete” button next to the access key.
- If the user requires access keys, generate new ones after deleting the old keys.
- Under “Console password,” check if the user has a password set. If a password is set, it should be reset.
- To reset the password, click on the “Manage” button next to the console password.
- Follow the on-screen instructions to set a new password for the user.
- Under “Permissions,” review the user’s assigned policies and group memberships.
- Remove the user from any unnecessary groups or policies.
- If the user requires specific permissions, ensure they are assigned the appropriate policies.
- Click on the “Tags” tab to review any assigned tags. Remove any unnecessary tags.
- Once you have reviewed and made the necessary changes for the inactive user(s), click on the “Close” button to save the changes.
By following these steps, you can remediate inactive IAM users in AWS using the AWS Management Console.
To remediate the issue of inactive IAM users in AWS using AWS CLI, follow these step-by-step instructions:
- List all IAM users:
  - Open the AWS CLI or AWS CloudShell.
  - Run the following command to list all IAM users:
        aws iam list-users
- Identify inactive users:
  - Review the output of the previous command and identify the inactive users based on their PasswordLastUsed timestamp (the field is omitted for users who have never signed in to the console). Users who have not performed any activity for a long time can be considered inactive.
  - PasswordLastUsed only reflects console sign-ins. To see when one of a user's access keys was last used, run:
        aws iam get-access-key-last-used --access-key-id <access-key-id>
    Replace <access-key-id> with the ID of the access key (listed by aws iam list-access-keys, below).
- Deactivate inactive users:
  - IAM has no per-user active/inactive flag (aws iam update-user can only rename a user or change its path), so a user is deactivated by removing its credentials. Run the following command for each inactive user identified to remove the console password:
        aws iam delete-login-profile --user-name <username>
    Replace <username> with the actual username of the inactive user.
  - Run the following command for each of the user's access keys to mark it inactive:
        aws iam update-access-key --user-name <username> --access-key-id <access-key-id> --status Inactive
    Replace <username> with the actual username of the inactive user and <access-key-id> with the actual access key ID.
- Verify user deactivation:
  - Run the following command to verify that the console password has been removed:
        aws iam get-login-profile --user-name <username>
    Replace <username> with the actual username of the inactive user. Once the login profile is gone, the command fails with a NoSuchEntity error instead of returning a profile.
  - Run the following command and check that every key in the output has "Status": "Inactive":
        aws iam list-access-keys --user-name <username>
- Optional: Remove access keys and MFA devices:
  - If necessary, you can also remove access keys and MFA devices associated with the inactive user to further secure your AWS account.
  - Run the following command to list the access keys for a user:
        aws iam list-access-keys --user-name <username>
    Replace <username> with the actual username of the inactive user.
  - Run the following command to delete an access key:
        aws iam delete-access-key --access-key-id <access-key-id> --user-name <username>
    Replace <access-key-id> with the actual access key ID and <username> with the actual username of the inactive user.
  - Run the following command to list the MFA devices for a user:
        aws iam list-mfa-devices --user-name <username>
    Replace <username> with the actual username of the inactive user; each device's SerialNumber appears in the output.
  - Run the following command to deactivate an MFA device:
        aws iam deactivate-mfa-device --user-name <username> --serial-number <serial-number>
    Replace <username> with the actual username of the inactive user and <serial-number> with the actual serial number of the MFA device.
By following these steps, you can remediate the issue of inactive IAM users in AWS using AWS CLI.
To remediate inactive IAM users in AWS, you can follow these step-by-step instructions using Python:
- Install Boto3: Boto3 is the AWS SDK for Python. You can install it using pip by running the following command:
      pip install boto3
- Import the necessary libraries: In your Python script, import boto3 and the datetime helpers:
      import boto3
      from datetime import datetime, timedelta, timezone
- Configure AWS credentials: Set up your AWS credentials by either configuring the AWS CLI or using environment variables. This will allow your Python script to authenticate and access your AWS account.
- Define a function to check for inactive IAM users: Create a function that checks for inactive IAM users based on a specified number of days of inactivity. For example, if a user has not signed in to the console for 90 days, they will be considered inactive. The PasswordLastUsed field returned by list_users records the last console sign-in, so that is the value to compare against (a login profile's CreateDate only says when the password was created, not when it was last used). Here's an example implementation:
      def check_inactive_users(days):
          """Return the IAM users whose last console sign-in is more than `days` days ago."""
          iam_client = boto3.client('iam')
          now = datetime.now(timezone.utc)  # boto3 returns timezone-aware UTC datetimes
          inactive_users = []
          # list_users is paginated; the paginator walks every page of results
          for page in iam_client.get_paginator('list_users').paginate():
              for user in page['Users']:
                  # PasswordLastUsed is absent for users who have never used a console password
                  last_login = user.get('PasswordLastUsed')
                  if last_login and (now - last_login) > timedelta(days=days):
                      inactive_users.append(user['UserName'])
          return inactive_users
  Users without a console password, or who have never used it, are not reported by this check; their access keys must be reviewed separately, as in the optional AWS CLI step above.
- Get a list of inactive IAM users: Call the check_inactive_users function, passing the number of days of inactivity as an argument. This will return a list of inactive IAM users:
      inactive_users = check_inactive_users(90)
      print(f"Inactive IAM Users: {inactive_users}")
- Disable the inactive IAM users: IAM has no per-user Status field to set to Inactive; console access is removed by deleting the user's login profile (its password) with the delete_login_profile method. Iterate over the list of inactive users:
      iam_client = boto3.client('iam')
      for user in inactive_users:
          # Removes the console password; the user, its policies and its access keys remain
          iam_client.delete_login_profile(UserName=user)
          print(f"Disabled console access for user: {user}")
  Note: Disabling the user's access ensures that they cannot log in, but it does not delete the user. If you want to delete the user, you can use the delete_user method instead; it only succeeds once the user's access keys, MFA devices, attached policies and group memberships have been removed.
- Run the script: Save the script with a .py extension and run it using Python. It will identify the inactive IAM users and disable their console access.
Make sure to review the script and adjust any parameters or settings according to your specific requirements before running it in your AWS environment.
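The IAM credential report (aws iam get-credential-report) is the one data source that shows console and access-key usage side by side, which the list-users based checks in the CLI and Python steps above do not. The following added example, written for this page rather than taken from the original or from any AWS SDK, parses a report in that CSV layout and flags users idle longer than a threshold; the rows are constructed sample data and the column set is a subset of the real report's columns.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample in the layout of `aws iam get-credential-report` (decoded CSV);
# only the columns needed for the activity check are included.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,2024-06-01T08:00:00+00:00,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2021-03-10T09:00:00+00:00,true,2024-06-20T14:05:00+00:00,true,2024-06-28T10:00:00+00:00,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2022-02-02T12:00:00+00:00,true,2023-11-15T07:30:00+00:00,true,N/A,false,N/A
svc-legacy,arn:aws:iam::123456789012:user/svc-legacy,2021-07-01T00:00:00+00:00,false,no_information,true,2024-01-02T03:04:05+00:00,false,N/A
newbie,arn:aws:iam::123456789012:user/newbie,2024-06-25T00:00:00+00:00,true,no_information,false,N/A,false,N/A
"""

# Columns that record actual use of a credential (console sign-in, key 1, key 2)
ACTIVITY_COLUMNS = ("password_last_used", "access_key_1_last_used_date",
                    "access_key_2_last_used_date")


def parse_report_time(value):
    """Return an aware datetime, or None for the report's non-date markers."""
    if value in ("", "N/A", "no_information", "not_supported"):
        return None
    return datetime.fromisoformat(value)


def last_activity(row):
    """Most recent use across the password and both access keys; a user that has
    never used any credential counts as idle since its creation time."""
    stamps = [parse_report_time(row[col]) for col in ACTIVITY_COLUMNS]
    stamps = [s for s in stamps if s is not None]
    return max(stamps) if stamps else parse_report_time(row["user_creation_time"])


def find_inactive_users(report_csv, now_iso, max_idle_days=90):
    """Return [(user, last_activity)] for IAM users idle longer than max_idle_days.
    The root account is skipped: it is covered by its own checks, not this one."""
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=max_idle_days)
    inactive = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] == "<root_account>":
            continue
        seen = last_activity(row)
        if seen < cutoff:
            inactive.append((row["user"], seen))
    return inactive


if __name__ == "__main__":
    for user, seen in find_inactive_users(SAMPLE_REPORT, "2024-07-01T00:00:00+00:00"):
        print(f"{user}: last activity {seen.isoformat()}")
```

With the sample data and a 90-day threshold, bob (console only, last used in 2023) and svc-legacy (key only, last used in January) are reported, while alice and the freshly created newbie are not.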