Inactive users remediation

Using Console

Using CLI

To remediate the issue of inactive IAM users in AWS using AWS CLI, follow these step-by-step instructions:

List all IAM users:
- Open the AWS CLI or AWS CloudShell.
- Run the following command to list all IAM users:
  aws iam list-users
Identify inactive users:
- Review the output of the previous command and identify the inactive users based on their LastActivityDate. Users who have not performed any activity for a long time can be considered inactive.
Deactivate inactive users:
- Run the following command for each inactive user identified:
  aws iam update-user --user-name <username> --no-active
  Replace <username> with the actual username of the inactive user.
Verify user deactivation:
- Run the following command to verify that the user has been deactivated:
  aws iam get-user --user-name <username>
  Replace <username> with the actual username of the inactive user.
- Check the output and ensure that the “UserStatus” is set to “Inactive”.
Optional: Remove access keys and MFA devices:
- If necessary, you can also remove access keys and MFA devices associated with the inactive user to further secure your AWS account.
- Run the following command to list the access keys for a user:
  aws iam list-access-keys --user-name <username>
  Replace <username> with the actual username of the inactive user.
- Run the following command to delete an access key:
  aws iam delete-access-key --access-key-id <access-key-id> --user-name <username>
  Replace <access-key-id> with the actual access key ID and <username> with the actual username of the inactive user.
- Run the following command to list the MFA devices for a user:
  aws iam list-mfa-devices --user-name <username>
  Replace <username> with the actual username of the inactive user.
- Run the following command to deactivate an MFA device:
  aws iam deactivate-mfa-device --user-name <username> --serial-number <serial-number>
  Replace <username> with the actual username of the inactive user and <serial-number> with the actual serial number of the MFA device.

By following these steps, you can remediate the issue of inactive IAM users in AWS using AWS CLI.

Using Python

To remediate inactive IAM users in AWS, you can follow these step-by-step instructions using Python:

Install Boto3: Boto3 is the AWS SDK for Python. You can install it using pip by running the following command:
```
pip install boto3
```
Import the necessary libraries: In your Python script, import the required libraries, including boto3 and datetime:
```
import boto3
from datetime import datetime, timedelta
```
Configure AWS credentials: Set up your AWS credentials by either configuring the AWS CLI or using environment variables. This will allow your Python script to authenticate and access your AWS account.

Define a function to check for inactive IAM users: Create a function that will check for inactive IAM users based on a specified number of days of inactivity. For example, if a user has not logged in for 90 days, they will be considered inactive. Here’s an example implementation:

def check_inactive_users(days):
    iam_client = boto3.client('iam')
    now = datetime.now()
    inactive_users = []

    response = iam_client.list_users()

    for user in response['Users']:
        username = user['UserName']
        last_login = iam_client.get_login_profile(UserName=username).get('LoginProfile', {}).get('CreateDate')
        
        if last_login:
            last_login = last_login.replace(tzinfo=None)
            if (now - last_login) > timedelta(days=days):
                inactive_users.append(username)

    return inactive_users

Get a list of inactive IAM users: Call the check_inactive_users function, passing the number of days of inactivity as an argument. This will return a list of inactive IAM users:
```
inactive_users = check_inactive_users(90)
print(f"Inactive IAM Users: {inactive_users}")
```
Disable the inactive IAM users: Iterate over the list of inactive users and disable their access by setting the Status to Inactive using the update_login_profile method:
```
for user in inactive_users:
    iam_client.update_login_profile(UserName=user, PasswordResetRequired=True)
    iam_client.delete_login_profile(UserName=user)
    print(f"Disabled access for user: {user}")
```
Note: Disabling the user’s access ensures that they cannot log in, but it does not delete the user. If you want to delete the user, you can use the delete_user method instead.
Run the script: Save the script with a .py extension and run it using Python. It will identify the inactive IAM users and disable their access.

Make sure to review the script and adjust any parameters or settings according to your specific requirements before running it in your AWS environment.

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

Inactive users remediation

Triage and Remediation

Remediation