Automatically Disable Unused IAM Credentials

Published 17 Sep 2021


Stax is improving the way it helps you to manage unused IAM credentials in line with the CIS AWS Foundations Benchmark item 1.3 – Ensure credentials unused for 90 days or greater are disabled in your Stax-managed AWS accounts. A managed AWS Config Conformance Pack will be deployed into these accounts. This replaces the existing AWS Lambda function previously performing this task.

This Conformance Pack evaluates all IAM users' passwords and active IAM access keys. If a credential has been inactive for greater than 90 days, the remediation action will revoke those credentials. Specifically, the IAM user's password will be deleted, and active access keys will be disabled.

Previously, a bug existed in the AWS Lambda function performing this task which meant credentials that had never been used would not be deleted/disabled.

The Conformance Pack comprises the following AWS-managed Config Rule and associated remediation configuration:

  • Config Rule Identifier: IAM_USER_UNUSED_CREDENTIALS_CHECK

    Checks if your AWS Identity and Access Management (IAM) users have passwords or active access keys that have not been used within the specified number of days you provided

  • Remediation Configuration: AWSConfigRemediation-RevokeUnusedIAMUserCredentials

    The AWSConfigRemediation-RevokeUnusedIAMUserCredentials runbook revokes unused AWS Identity and Access Management (IAM) passwords and active access keys. This runbook also deactivates expired access keys, and deletes expired login profiles. AWS Config must be enabled in the AWS Region where you run this automation

The Conformance Pack will be located in each Stax-managed AWS account, within the AWS Region of your Stax Installation. It will replace the existing AWS Lambda function, entitled stax-DisableUnusedCredentials, which will be deleted.

Once the Conformance Pack is deployed into an AWS account, it will trigger an evaluation of all IAM users in that account. Any non-compliant IAM users will be remediated immediately. This means that any unused passwords or access keys that have not been used for more than 90 days since creation will be deactivated immediately.

These changes will be implemented for Stax-managed AWS Organizations during the week beginning 20 September 2021. If you have any questions or concerns in advance of this, please contact your Customer Success Manager or raise a support case.

See also


Back to changelog