Identifying Unused Credentials in a Credential Report

Where to Find Unused Credentials 
One way to enhance AWS security is by removing unused IAM user credentials. Unused credentials could be from someone terminated from your organization or someone who doesn’t use AWS in their daily job responsibilities. In your AWS policies, you should document the period of time that qualifies as “unused” – we recommend removing credentials that have been unused for 90 days or longer. In this demo, AWS expert Mike Wise will teach you how to see when a user’s password was last used to log in to AWS. 

  1. From the AWS Management Console, navigate to the IAM Dashboard.
  2. To generate the appropriate report, go to the Credential Report section and click Download Report.
  3. Open the CSV file and identify the password_last_used column. If a user’s password has not been used in the last 90 days, then these credentials qualify as “unused” and should be disabled.   

For a visual guide on how to generate a credentials report and identify unused passwords, watch the full demo. To learn more about finding unused credentials in AWS, read here

Transcription 
So, we’ve logged in to our AWS Management Console. Next, we’re going to have to search for “IAM.” This will take us to the Identity and Access Management screen and then we’re going to generate a credentials report. So, we’re going to go over to the “Credential Report” and hit “Download Report.” This will download a CSV file. Let’s go ahead and take a look at one. So, if we look at this file that was downloaded, it has a couple good pieces of information, but in this case, the primary one we’re going to be looking at is the “password_last_used.” As we can see here, we have two users. We have the “<root_account>” user and the “IAMPolicyDemo” user. We don’t use the “<root_account>” user unless it’s an emergency situation or something that requires the use of a root account, but we’re going to be looking at the “IAMPolicyDemo” user. We can see it was last logged in to on February 7, 2020. That means this user is being regularly accessed and should remain enabled. Now, if this had been a user that did not have a recent access, so let’s say the “IAMPolicyDemo” user hadn’t logged in since 2019 in January, this would be a candidate for disabling that user because it had exceeded the 90-day threshold that we had set earlier for this control.

Related Videos