Unused IAM User
Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!
Start a Free Trial Product features
Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!
Start a Free Trial Product featuresIdentify and remove any unused AWS IAM users, which are not designed for API access, as an extra security measure for protecting your AWS resources against unapproved access.
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
Removing unused IAM users can reduce the risk of unauthorized access to your AWS resources and help you manage the user-based access to the AWS Management Console more efficiently.
To identify any IAM users that have never been logged in, currently available in your AWS account, perform the following:
01 Sign in to the AWS Management Console.
02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.
03 In the left navigation panel, choose Users.
04 Click on the IAM user name that you want to examine.
05 On the IAM user configuration page, select Security Credentials tab.
06 In the Access Keys section, check for any IAM access keys assigned to the selected user. If one or more access key pairs are currently attached, e.g.
the user is used for AWS API access and the audit process for the selected user stops here, otherwise, continue with the next step.
07 Inside the Sign-In Credentials section, check the Last Used attribute value to determine the user password last used date. If the current value is set to Never:
the selected IAM user has never been logged in, therefore was not unused and can be safely removed.
08 Repeat steps no. 4 – 7 for each IAM user available in your AWS account.
01 Run list-users command (OSX/Linux/UNIX) to list all IAM users currently available within your account:
aws iam list-users
02 The command output should return the necessary metadata for each IAM user available. The IAM user(s) that have never been logged in using a password should not return the PasswordLastUsed attribute:
{
"Users": [
{
"UserName": "Dave",
"Path": "/",
"CreateDate": "2015-05-21T14:01:39Z",
"UserId": "AAAABBBBCCCCDDDDEEEE",
"Arn": "arn:aws:iam::123456789012:user/Dave"
},
...
{
"UserName": "John",
"CreateDate": "2016-06-15T12:10:55Z",
"UserId": "AAAABBBBCCCCDDDDEEEE",
"Path": "/",
"Arn": "arn:aws:iam::123456789012:user/John"
}
]
}
03 Run list-access-keys command (OSX/Linux/UNIX) using an IAM user name (user without a value set for PasswordLastUsed attribute) returned at the previous step to determine if the selected user has any access keys assigned:
aws iam list-access-keys --user-name Dave
04 The command output should expose the metadata for each access key created for the selected IAM user (if any):
{
"AccessKeyMetadata": []
}
05 Repeat steps no. 3 and 4 for any IAM users that are not returning the PasswordLastUsed attribute.
To remove any unused IAM users from your AWS account, perform the following:
01 Sign in to the AWS Management Console.
02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.
03 In the left navigation panel, choose Users.
04 Select the IAM user that you want to remove (see Audit to identify the necessary IAM user(s)),
05 Click on the User Actions dropdown button from the dashboard top menu and select Delete User.
06 In the Delete User dialog box, review the user data and click Yes, Delete to confirm the action.
07 Repeat steps no. 4 – 6 to remove any other unused IAM users available in your AWS account.
01
Run delete-user command (OSX/Linux/UNIX) to remove a specified IAM user. See the Audit section part II (AWS CLI) to identify any unused IAM users. The following command example deletes an IAM user named Dave (if successful, the command does not produce an output):
aws iam delete-user --user-name Dave
02 Repeat step no. 1 for each unused IAM user available in your AWS account.
Whether your AWS exploration is just starting to take shape, you’re mid-way through a migration or you’re already running complex workloads in the cloud, Cloud Conformity offers full visibility of your infrastructure and provides continuous assurance it’s secure, optimized and compliant.
Chat with us to set up your onboarding session and start a free trial
Let’s Chat