Problem description
Unauthorized access to internal IT environments doesn’t meet company security standards. Terminating access for inactive users is aimed to reduce the risk of uncontrolled access to your resources and help establish and control the process of access management to internal and production environments.
Disabling access procedure is necessary in case, for instance, when users leave the organization or IT environments are not required anymore. Team leads need to be sure that the former users no longer have access.
Our recommendations enable your engineering team to increase the security of AWS accounts by identifying inactive users and removing IAM user credentials. In our article we recommend to terminate IAM user accounts that are not active for 90 days or more, however, you can adjust a specified period of time based on your requirements.
Recommendations
Step 1
List all users who are created more than 90 days ago and last login into AWS console was more than 90 days ago, or wasn’t used it at all.
AWS cli command:
aws iam list-users --query 'Users[?(CreateDate <= `2021-12-26` && (PasswordLastUsed <= `2021-12-26`) || !not_null(PasswordLastUsed))].UserName' --output textMore info could be found here:
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/list-users.html
Step 2
For every user in this list we should check all access keys.
AWS cli command:
aws iam list-access-keys --user-name "$user" --query 'AccessKeyMetadata[].AccessKeyId' --output textMore info could be found here:
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/list-access-keys.html
Step 3
For every access key we should check LastUsedDate. In case all access keys were used last time more than 90 days ago, such users could be marked as targets.
AWS cli command:
aws iam get-access-key-last-used --access-key-id "$access_key" --query 'AccessKeyLastUsed.LastUsedDate >= `2021-12-26`' --output textMore info could be found here:
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/get-access-key-last-used.html
Note 1
In commands we used date 2021-12-26 its relative date equal (now – 90 days). You should use your own relative date.
Note 2
AWS cli has a pagination mechanism for large amounts of data in output. If you have many users in an account, the provided script will process only the first page. Consider using something more powerful than AWS cli.
As a result one line command:
for user in $(aws iam list-users --query 'Users[?(CreateDate <= `2021-12-26` && (PasswordLastUsed <= `2021-12-26`) || !not_null(PasswordLastUsed))].UserName' --output text); do for access_key in $(aws iam list-access-keys --user-name "$user" --query 'AccessKeyMetadata[].AccessKeyId' --output text); do if [[ "$(aws iam get-access-key-last-used --access-key-id "$access_key" --query 'AccessKeyLastUsed.LastUsedDate >= `2021-12-26`' --output text)" == True ]]; then continue 2; fi; done; echo "$user"; doneAs a result this command will provide a list of user names.
Free cloud cost optimization. Lifetime
👆🏻 Storing objects in AWS S3 public buckets could threaten the security of your company data.
💡 Discover the recommendations, which help you manage public access to AWS S3 resources properly and ensure that all required buckets and objects have their public access blocked → https://hystax.com/the-quickest-way-to-get-a-list-of-public-buckets-in-aws-to-enhance-your-security
