More Info:

Checks for IAM users who have not used a given service for an extended period. Privileges that are no longer exercised should be removed, since every unused permission enlarges the blast radius of a compromised credential without providing any benefit.

Risk Level: Medium

Address: Security

Compliance Standards: CISAWS

Triage and Remediation

How to Prevent

To prevent User Account Service Inactivity in IAM using the AWS Management Console, follow these steps:

  1. Enable IAM Access Analyzer:

    • Navigate to the IAM dashboard in the AWS Management Console.
    • In the left-hand navigation pane, select “Access Analyzer.”
    • Click on “Create analyzer” and follow the prompts to enable IAM Access Analyzer. This tool helps you identify IAM users and roles with unused access.
  2. Set Up Password Policy:

    • In the IAM dashboard, select “Account settings” from the left-hand navigation pane.
    • Under “Password policy,” configure settings such as password expiration and password reuse prevention. This ensures that users must periodically update their passwords, reducing the risk of inactive accounts.
  3. Enable CloudTrail Logging:

    • Go to the CloudTrail dashboard in the AWS Management Console.
    • Click on “Create trail” and follow the prompts to enable logging for all regions.
    • Ensure that CloudTrail is configured to log IAM actions. This gives you a record of user activity from which inactive accounts can be identified.
  4. Set Up Automated Notifications:

    • Navigate to the CloudWatch dashboard in the AWS Management Console.
    • Create a new rule to monitor IAM user activity.
    • Set up an alarm to trigger an SNS (Simple Notification Service) notification if a user account has been inactive for a specified period. This allows you to take proactive measures to address inactivity.

By following these steps, you can monitor and manage user account activity in AWS IAM and reduce the risk posed by inactive accounts and their unused privileges.
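The console steps above detect inactivity manually. The following is an added example, not code from the original page, showing how the same check can be done programmatically with IAM's service last accessed data (the `GenerateServiceLastAccessedDetails` / `GetServiceLastAccessedDetails` API pair). The 90-day threshold and the sample user data are assumptions; the `fetch_services_last_accessed` helper needs boto3 and IAM read permissions and is not exercised offline.

```python
"""
Find services an IAM user has not used for longer than a threshold.

Added example (not part of the original page). The analysis function reads the
'ServicesLastAccessed' shape returned by IAM's GetServiceLastAccessedDetails API
and reports services whose last authenticated call is older than the threshold,
or that were never used at all.
"""
from datetime import datetime, timedelta, timezone

MAX_IDLE_DAYS = 90  # assumed threshold; use the value your policy requires


def stale_services(services_last_accessed, now=None, max_idle_days=MAX_IDLE_DAYS):
    """Return a list of (namespace, last_used, idle_days) for services idle
    longer than max_idle_days. last_used and idle_days are None when the
    service was never used (the API omits LastAuthenticated in that case)."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=max_idle_days)
    findings = []
    for svc in services_last_accessed:
        last = svc.get("LastAuthenticated")  # absent when never used
        if last is None:
            findings.append((svc["ServiceNamespace"], None, None))
        elif last < cutoff:
            findings.append((svc["ServiceNamespace"], last, (now - last).days))
    return findings


def fetch_services_last_accessed(user_arn, poll_seconds=2):
    """Live variant (assumed usage, not run offline): ask IAM to generate
    last-accessed data for user_arn, wait for the job, and page through the
    results. Needs boto3 plus iam:GenerateServiceLastAccessedDetails and
    iam:GetServiceLastAccessedDetails."""
    import time
    import boto3  # imported here so the pure analysis above runs without it

    iam = boto3.client("iam")
    job_id = iam.generate_service_last_accessed_details(Arn=user_arn)["JobId"]
    services, marker = [], None
    while True:
        kwargs = {"JobId": job_id}
        if marker:
            kwargs["Marker"] = marker
        resp = iam.get_service_last_accessed_details(**kwargs)
        if resp["JobStatus"] == "IN_PROGRESS":
            time.sleep(poll_seconds)
            continue
        if resp["JobStatus"] == "FAILED":
            raise RuntimeError(resp.get("Error"))
        services.extend(resp["ServicesLastAccessed"])
        if not resp.get("IsTruncated"):
            return services
        marker = resp["Marker"]


# Constructed sample resembling the API response for one user
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE = [
    {"ServiceName": "Amazon S3", "ServiceNamespace": "s3",
     "LastAuthenticated": NOW - timedelta(days=3)},
    {"ServiceName": "Amazon EC2", "ServiceNamespace": "ec2",
     "LastAuthenticated": NOW - timedelta(days=200)},
    {"ServiceName": "AWS Lambda", "ServiceNamespace": "lambda"},  # never used
]

if __name__ == "__main__":
    for ns, last, idle in stale_services(SAMPLE, now=NOW):
        print(f"{ns}: never used" if last is None else f"{ns}: idle {idle} days")
```

Services reported by `stale_services` are candidates for permission removal, and the list is the natural payload for the SNS notification described in step 4. The live helper polls because the job is asynchronous and may return `IN_PROGRESS` on the first call; note that IAM's last-accessed data itself is tracked with a limited lookback window, so a service reported as never used may simply not have been used within that window.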

Additional Reading: