Disabling Unused Credentials
Removing Unused Credentials After 90 Days
One way to enhance AWS security and reduce exposure to risk is to remove unused IAM user credentials. Unused credentials may belong to someone who has left your organization or to someone who doesn’t use AWS in their daily job responsibilities. In your AWS policies, you should document the period of time that qualifies as “unused.” Recommendation 1.3 of the CIS AWS Foundations Benchmark stipulates that credentials that have been unused for 90 days or more should be removed or deactivated.
For more information, visit the AWS documentation for finding unused credentials.
Ensuring that credentials unused for 90 days or more are disabled is an important part of your AWS security footprint. By implementing this control, you reduce the exposure to potentially compromised credentials. You can check the last-used dates via an AWS credentials report. There are two methods to generate this report: you can use the AWS CLI credentials report command, or you can log into the AWS Management Console, open the IAM dashboard, and generate a credentials report there. Using this report, you can see the last login dates and ensure that any credentials not used within the last 90 days are disabled.
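The check described above, worked through in code as an added example (not the page's own tooling): it parses a credential report in the layout IAM produces and flags every enabled console password or active access key with no activity in the last 90 days. The sample rows are constructed, and the fallback for credentials that were never used (measure from user creation for passwords, from last rotation for keys) is an assumption of this example, not something the page states.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the column layout of an IAM credential report (the real
# one is fetched with: aws iam get-credential-report --query Content --output text | base64 -d).
# The users, account id and dates below are made up for this example.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service
<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,not_supported,2024-03-01T10:00:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,2021-05-10T08:00:00+00:00,true,2024-02-20T09:30:00+00:00,2023-12-01T00:00:00+00:00,N/A,true,true,2023-12-01T00:00:00+00:00,2024-02-28T12:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A
bob,arn:aws:iam::111122223333:user/bob,2021-05-10T08:00:00+00:00,true,2023-10-01T09:30:00+00:00,2023-06-01T00:00:00+00:00,N/A,false,true,2023-06-01T00:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A
carol,arn:aws:iam::111122223333:user/carol,2023-11-15T08:00:00+00:00,false,no_information,N/A,N/A,false,true,2023-11-15T08:00:00+00:00,2024-01-05T12:00:00+00:00,eu-west-1,ec2,false,N/A,N/A,N/A,N/A
dave,arn:aws:iam::111122223333:user/dave,2023-11-01T08:00:00+00:00,true,no_information,2023-11-01T08:00:00+00:00,N/A,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A
"""

UNUSED_AFTER = timedelta(days=90)  # the page's threshold (CIS recommendation 1.3)


def parse_ts(value):
    """Report timestamps are ISO 8601; N/A, no_information and not_supported
    all mean 'no usable date' and map to None."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def find_stale_credentials(report_csv, now):
    """Return (user, credential, last_activity) for each enabled console password
    or active access key with no activity for UNUSED_AFTER or longer. A credential
    never used is measured from user creation (password) or last rotation (key);
    that fallback is this example's assumption."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["password_enabled"] == "true":  # root reports not_supported and is skipped here
            last = parse_ts(row["password_last_used"]) or parse_ts(row["user_creation_time"])
            if last and now - last >= UNUSED_AFTER:
                findings.append((row["user"], "password", last))
        for n in ("1", "2"):
            if row.get(f"access_key_{n}_active") == "true":
                last = (parse_ts(row[f"access_key_{n}_last_used_date"])
                        or parse_ts(row[f"access_key_{n}_last_rotated"]))
                if last and now - last >= UNUSED_AFTER:
                    findings.append((row["user"], f"access_key_{n}", last))
    return findings


if __name__ == "__main__":
    for user, cred, last in find_stale_credentials(SAMPLE_REPORT, datetime.now(timezone.utc)):
        print(f"{user}: {cred} last active {last:%Y-%m-%d} -> deactivate")
```

Run against a real report, the output is the list of credentials to deactivate in the IAM console or with the CLI; a key that is active but has a `no_information` last-used date is the case most often missed when only login dates are eyeballed.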