A-IAM-9

IAM User Inactive

Risk:
Low

AWS IAM users that are inactive should be deleted


Details

An AWS IAM (Identity and Access Management) user is intended for use by an individual rather than a system. Because human users vary in their activity levels, there is often a disconnect between the IAM User entity and the actual person behind it - users can permanently leave an organisation, change responsibilities, or simply not engage with the AWS account for an extended period.

Because it is not immediately apparent whether a user still needs access to an account, an Inactive User Policy should set clear expectations for users and provide an automated framework for minimising access to accounts. This framework should detect user activity against Access Keys and AWS Console logins and automatically deactivate Access Keys and delete IAM Users and Roles as needed.

As a general guideline, we recommend that any IAM user who has not logged into the account and whose access keys have not been used within the past 90 days should be automatically deleted. This approach helps mitigate risks associated with users who should no longer have access to an AWS Account but still possess valid credentials. We believe a 90-day threshold to be a workable starting point, as it strikes a balance between allowing reasonable access periods for users who may be on extended breaks while still mitigating risks related to inactive accounts.
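The detection step described above, as an added example that is not part of this finding or SkySiege's own tooling: it parses an IAM credential report in the layout returned by `aws iam get-credential-report` (the sample rows and the evaluation date are constructed, not real account data), takes each user's most recent console login or access-key use, and flags users idle for more than 90 days together with the key slots that would need deactivating before the user is deleted.

```python
import csv
from datetime import datetime, timedelta, timezone
from io import StringIO

INACTIVE_DAYS = 90  # threshold recommended in the finding above
# Credential-report columns that record a user's last activity
ACTIVITY_COLUMNS = ("password_last_used", "access_key_1_last_used_date", "access_key_2_last_used_date")
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed evaluation date

# Constructed sample in the column layout of the IAM credential report (not real data).
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service
<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,not_supported,2024-05-01T09:00:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,2021-03-10T00:00:00+00:00,true,2024-05-20T08:15:00+00:00,2024-01-10T00:00:00+00:00,N/A,true,true,2024-01-10T00:00:00+00:00,2024-05-28T11:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A
bob,arn:aws:iam::111122223333:user/bob,2021-03-10T00:00:00+00:00,true,2023-11-02T14:00:00+00:00,2023-06-01T00:00:00+00:00,N/A,false,true,2023-06-01T00:00:00+00:00,2024-01-15T10:00:00+00:00,eu-west-1,ec2,false,N/A,N/A,N/A,N/A
carol,arn:aws:iam::111122223333:user/carol,2022-02-01T00:00:00+00:00,false,no_information,N/A,N/A,false,true,2022-02-01T00:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A
"""


def parse_timestamp(value):
    """Return an aware datetime, or None for N/A / no_information / not_supported."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def last_activity(row):
    """Most recent login or key use; a never-used user counts from its creation time."""
    stamps = [parse_timestamp(row[c]) for c in ACTIVITY_COLUMNS]
    stamps = [s for s in stamps if s is not None]
    return max(stamps) if stamps else parse_timestamp(row["user_creation_time"])


def find_inactive_users(report_csv, now, threshold_days=INACTIVE_DAYS):
    """Map each IAM user idle longer than the threshold to its idle days and active key slots.
    The root account is skipped: it cannot be deleted and is covered by other controls."""
    cutoff = now - timedelta(days=threshold_days)
    inactive = {}
    for row in csv.DictReader(StringIO(report_csv)):
        if row["user"] == "<root_account>":
            continue
        seen = last_activity(row)
        if seen < cutoff:
            keys = [n for n in (1, 2) if row[f"access_key_{n}_active"] == "true"]
            inactive[row["user"]] = {"days_idle": (now - seen).days, "active_keys": keys}
    return inactive


if __name__ == "__main__":
    for user, info in find_inactive_users(SAMPLE_REPORT, NOW).items():
        print(f"{user}: idle {info['days_idle']} days, deactivate key slots {info['active_keys']}")
```

With a real report, replace SAMPLE_REPORT with the base64-decoded Content of get-credential-report and NOW with the current UTC time; the threshold is a parameter so the policy's number can be changed in one place.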

The goal of this policy is to keep users at the minimum level of access to the minimum number of AWS Accounts. This prevents users from accumulating a larger blast radius over time and ensures that user inactivity is detected and cleaned up as activity shifts across accounts.

Remediation

A key part of inactive user detection and remediation is establishing a clear policy regarding the activity threshold that defines when users are considered inactive and subject to deletion. This policy should be communicated clearly so that users understand the implications of losing access and can avoid taking it personally. Additionally, a process should be in place for users to regain access to their accounts if necessary.

It is also essential to provide tools that facilitate the rotation of access keys. Implementing user-friendly self-service options will enable swift onboarding and help reduce risks associated with inactive users. As part of our general Security Posture management for Organisations we provide a pre-packaged suite of tools that enable this alongside all the deployed policies and detection mechanisms included in our SkySiege Cloud Assessments:

Discover if you're vulnerable

SkySiege Cloud Security Assessments scan for this issue and provide same-day reports.
Available for individual projects or organisations.

Related Tests