AWS Introduction
AWS Pricing
AWS Threats
AWS Misconfigurations
- Getting Started with AWS Audit
- Permissions required for Misconfigurations Detection
- API Gateway Audit
- Cloudformation Audit
- CloudFront Audit
- CloudTrail Audit
- Cloudwatch Audit
- DynamoDB Audit
- EC2 Audit
- Elastic Search Audit
- ELB Audit
- IAM Audit
- KMS Audit
- Kubernetes Audit
- Lambda Audit
- RDS Audit
- Redshift Audit
- Route53 Audit
- S3 Audit
- Security Groups Audit
- SES Audit
- SNS Audit
- IAM Deep Dive
- App Sync Audit
- Code Build Audit
- Open Search Audit
- Shield Audit
- SQS Audit
User Console Access Inactive
More Info:
Users who are infrequent or do not need access to console, their account access should be cleared off.
Risk Level
Medium
Address
Security
Compliance Standards
CBP
Triage and Remediation
How to Prevent
To prevent User Console Access Inactive in IAM using the AWS Management Console, follow these steps:
-
Enable Multi-Factor Authentication (MFA):
- Navigate to the IAM dashboard.
- Select “Users” from the left-hand menu.
- Click on the username of the user you want to enable MFA for.
- Under the “Security credentials” tab, click on “Manage” next to “Assigned MFA device.”
- Follow the prompts to assign an MFA device to the user.
-
Set Up Password Policies:
- Go to the IAM dashboard.
- Click on “Account settings” in the left-hand menu.
- Under “Password policy,” click on “Set password policy.”
- Configure the password policy to enforce strong passwords, password expiration, and password reuse prevention.
-
Regularly Review and Rotate Access Keys:
- In the IAM dashboard, select “Users” from the left-hand menu.
- Click on the username of the user whose access keys you want to review.
- Under the “Security credentials” tab, review the access keys and rotate them regularly.
- Ensure that old access keys are deactivated and deleted.
-
Monitor and Audit User Activity:
- Enable AWS CloudTrail to log all API calls made in your account.
- Go to the CloudTrail dashboard.
- Click on “Trails” in the left-hand menu and ensure a trail is created and enabled.
- Configure CloudTrail to send logs to an S3 bucket and enable log file validation.
- Regularly review CloudTrail logs to monitor user activity and detect any inactive or suspicious behavior.
By following these steps, you can help ensure that user console access remains active and secure, reducing the risk of misconfigurations and unauthorized access.
To prevent User Console Access Inactive in IAM using AWS CLI, you can follow these steps:
-
Create an IAM Policy to Enforce MFA: Ensure that users are required to use Multi-Factor Authentication (MFA) to access the AWS Management Console. This can help in reducing the risk of inactive user accounts being compromised.
aws iam create-policy --policy-name EnforceMFA --policy-document '{ "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Action": "aws:iam:*", "Resource": "*", "Condition": { "BoolIfExists": { "aws:MultiFactorAuthPresent": "false" } } } ] }' -
Attach the Policy to All Users: Attach the newly created policy to all IAM users to enforce MFA.
for user in $(aws iam list-users --query 'Users[*].UserName' --output text); do aws iam attach-user-policy --user-name $user --policy-arn arn:aws:iam::aws:policy/EnforceMFA done -
Set Password Policy: Set a strong password policy to ensure that users have to change their passwords regularly, which can help in identifying inactive users.
aws iam update-account-password-policy --minimum-password-length 12 --require-symbols --require-numbers --require-uppercase-characters --require-lowercase-characters --allow-users-to-change-password --max-password-age 90 --password-reuse-prevention 5 -
Enable CloudTrail Logging: Enable AWS CloudTrail to log all IAM activities. This will help in monitoring user activities and identifying inactive users.
aws cloudtrail create-trail --name MyTrail --s3-bucket-name my-trail-bucket aws cloudtrail start-logging --name MyTrail
By following these steps, you can help prevent user console access from becoming inactive in IAM using AWS CLI.
To prevent User Console Access Inactive in IAM using Python scripts, you can follow these steps:
1. Set Up AWS SDK (Boto3) for AWS:
First, ensure you have the AWS SDK for Python (Boto3) installed. You can install it using pip:
pip install boto3
2. Create a Script to Monitor and Deactivate Inactive Users:
Here’s a Python script that checks for inactive IAM users and deactivates their console access if they haven’t logged in for a specified number of days.
import boto3
from datetime import datetime, timedelta
# Initialize a session using Amazon IAM
iam = boto3.client('iam')
# Define the number of days of inactivity
INACTIVITY_DAYS = 90
# Get the current date
current_date = datetime.utcnow()
# List all IAM users
users = iam.list_users()
for user in users['Users']:
user_name = user['UserName']
# Get the user's login profile
try:
login_profile = iam.get_login_profile(UserName=user_name)
last_login = login_profile['LoginProfile']['CreateDate']
# Calculate the number of days since the last login
days_inactive = (current_date - last_login.replace(tzinfo=None)).days
if days_inactive > INACTIVITY_DAYS:
# Deactivate the user's console access
iam.delete_login_profile(UserName=user_name)
print(f"Deactivated console access for user: {user_name} due to {days_inactive} days of inactivity.")
except iam.exceptions.NoSuchEntityException:
# The user does not have a login profile (console access)
continue
3. Set Up Azure SDK (Azure Identity and Management) for Azure:
First, ensure you have the Azure SDK for Python installed. You can install it using pip:
pip install azure-identity azure-mgmt-authorization
4. Create a Script to Monitor and Deactivate Inactive Users:
Here’s a Python script that checks for inactive Azure AD users and deactivates their console access if they haven’t logged in for a specified number of days.
from azure.identity import DefaultAzureCredential
from azure.mgmt.authorization import AuthorizationManagementClient
from datetime import datetime, timedelta
# Initialize the Azure credentials and client
credential = DefaultAzureCredential()
client = AuthorizationManagementClient(credential, '<subscription_id>')
# Define the number of days of inactivity
INACTIVITY_DAYS = 90
# Get the current date
current_date = datetime.utcnow()
# List all users
users = client.users.list()
for user in users:
user_name = user.user_principal_name
last_login = user.sign_in_activity.last_sign_in_date_time
if last_login:
# Calculate the number of days since the last login
days_inactive = (current_date - last_login.replace(tzinfo=None)).days
if days_inactive > INACTIVITY_DAYS:
# Deactivate the user's console access
client.users.update(user.object_id, {'accountEnabled': False})
print(f"Deactivated console access for user: {user_name} due to {days_inactive} days of inactivity.")
5. Set Up Google Cloud SDK (Google API Client) for GCP:
First, ensure you have the Google Cloud SDK for Python installed. You can install it using pip:
pip install google-api-python-client google-auth
6. Create a Script to Monitor and Deactivate Inactive Users:
Here’s a Python script that checks for inactive GCP IAM users and deactivates their console access if they haven’t logged in for a specified number of days.
from google.oauth2 import service_account
from googleapiclient.discovery import build
from datetime import datetime, timedelta
# Initialize the Google Cloud credentials and service
credentials = service_account.Credentials.from_service_account_file('path/to/your/service-account-file.json')
service = build('admin', 'directory_v1', credentials=credentials)
# Define the number of days of inactivity
INACTIVITY_DAYS = 90
# Get the current date
current_date = datetime.utcnow()
# List all users
results = service.users().list(customer='my_customer', orderBy='email').execute()
users = results.get('users', [])
for user in users:
user_name = user['primaryEmail']
last_login = user.get('lastLoginTime')
if last_login:
last_login_date = datetime.strptime(last_login, '%Y-%m-%dT%H:%M:%S.%fZ')
# Calculate the number of days since the last login
days_inactive = (current_date - last_login_date).days
if days_inactive > INACTIVITY_DAYS:
# Deactivate the user's console access
user['suspended'] = True
service.users().update(userKey=user_name, body=user).execute()
print(f"Deactivated console access for user: {user_name} due to {days_inactive} days of inactivity.")
These scripts will help you monitor and deactivate inactive user console access across AWS, Azure, and GCP. Make sure to replace placeholders like <subscription_id> and 'path/to/your/service-account-file.json' with your actual values.