Automatically Disable Unused IAM Credentials
Published 17 Sep 2021
Stax is improving the way it helps you to manage unused IAM credentials in line with the CIS AWS Foundations Benchmark item 1.3 – Ensure credentials unused for 90 days or greater are disabled in your Stax-managed AWS accounts. A managed AWS Config Conformance Pack will be deployed into these accounts. This replaces the existing AWS Lambda function previously performing this task.
This Conformance Pack evaluates all IAM users' passwords and active IAM access keys. If a credential has been inactive for greater than 90 days, the remediation action will revoke those credentials. Specifically, the IAM user's password will be deleted, and active access keys will be disabled.
Previously, a bug existed in the AWS Lambda function performing this task which meant credentials that had never been used would not be deleted/disabled.
The Conformance Pack comprises the following AWS-managed Config Rule and associated remediation configuration:
Config Rule Identifier: IAM_USER_UNUSED_CREDENTIALS_CHECK
Checks if your AWS Identity and Access Management (IAM) users have passwords or active access keys that have not been used within the specified number of days you provided
Remediation Configuration: AWSConfigRemediation-RevokeUnusedIAMUserCredentials
The AWSConfigRemediation-RevokeUnusedIAMUserCredentials runbook revokes unused AWS Identity and Access Management (IAM) passwords and active access keys. This runbook also deactivates expired access keys, and deletes expired login profiles. AWS Config must be enabled in the AWS Region where you run this automation
The Conformance Pack will be located in each Stax-managed AWS account, within the AWS Region of your Stax Installation. It will replace the existing AWS Lambda function, entitled
stax-DisableUnusedCredentials, which will be deleted.
These changes will be implemented for Stax-managed AWS Organizations during the week beginning 20 September 2021. If you have any questions or concerns in advance of this, please contact your Customer Success Manager or raise a support case.
Back to changelog