AWS IAM

Extra Users

This plugin detects IAM users who have not used a password login for a long time and who should be removed.

Risk Level: High

Description: 

This plugin detects IAM users who have not used a password login for a long time and who should be removed. Every unused user account extends the attack surface. If a user has not logged in within the configured time period, the account should be deleted.

This plugin deletes old user accounts that allow password-based logins and have not been used recently.

Note:

AWS regenerates the Credential Report at most once every 4 hours, so a freshly requested report may not be available immediately; check back later. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html

Configuration Parameters

Users Password Last Used Window Threshold: The organization can define the maximum number of days that a user with a password login may remain unused, depending on its service needs. Once that period is exceeded, an issue is generated. By default, the value of the Users Password Last Used Window Threshold is 90 days.

About the Service :

AWS Identity and Access Management (IAM) allows you to securely manage access to AWS services and resources. With IAM, you can create and manage AWS users and groups, and use permissions to allow or deny their access to AWS resources.

We can discover and adjust the rules so that only the required services are accessible, and so adhere more closely to the principle of least privilege.

Impact : 

Removing extra IAM users reduces the risk of unauthorized access to your AWS resources and simplifies user-based management of access to the AWS Management Console.

Steps to reproduce :

  1. Sign in to the AWS Management Console.
  2. Navigate to the “IAM” dashboard.
    https://console.aws.amazon.com/iamv2/
  3. Click on Users in the left navigation panel. Next, select the user that you want to examine.
  4. Then move to the Security Credentials section.
  5. Under the Access Keys section, check for access keys assigned to the user. If one or more access keys are attached to the user, the user is used for AWS API access and the audit process for the selected user stops here; otherwise, continue with the next step.
  6. Inside the Sign-In Credentials section, check the Last Used attribute value to determine the date the user password was last used. If the value is Never, the selected IAM user has never logged in, is therefore unused, and can be safely removed.
  7. Repeat the steps for each IAM user present in your AWS account.
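The manual audit above (skip users that hold access keys, then compare the password's Last Used value against the configured threshold) can be run over the whole account at once from the IAM Credential Report, which carries the same information for every user. The following is an added example, not part of the plugin's own code: it parses a constructed report that contains only the columns the check reads (the real report has more columns, which DictReader simply ignores), applies the default 90-day Users Password Last Used Window Threshold, and returns the users an auditor would flag. The fetch_credential_report helper, the sample rows, the NOW value and the function names are all assumptions made for this example; only the column names and the generate/get credential report calls come from AWS.

```python
import csv
import io
from datetime import datetime, timezone

# Default "Users Password Last Used Window Threshold" from the plugin configuration.
PASSWORD_THRESHOLD_DAYS = 90

# Constructed sample credential report (not real account data). The column
# names match the AWS credential report; the real report has more columns.
SAMPLE_REPORT = "\n".join([
    "user,arn,user_creation_time,password_enabled,password_last_used,access_key_1_active,access_key_2_active",
    "<root_account>,arn:aws:iam::123456789012:root,2023-01-01T00:00:00+00:00,not_supported,2024-05-30T12:00:00+00:00,false,false",
    "alice,arn:aws:iam::123456789012:user/alice,2023-02-01T00:00:00+00:00,true,2024-01-05T00:00:00+00:00,false,false",
    "bob,arn:aws:iam::123456789012:user/bob,2023-02-01T00:00:00+00:00,true,2024-05-20T08:30:00+00:00,false,false",
    "carol,arn:aws:iam::123456789012:user/carol,2023-03-01T00:00:00+00:00,true,no_information,false,false",
    "dave,arn:aws:iam::123456789012:user/dave,2023-03-01T00:00:00+00:00,true,no_information,true,false",
    "svc-deploy,arn:aws:iam::123456789012:user/svc-deploy,2023-04-01T00:00:00+00:00,false,N/A,true,false",
])

# Fixed "current time" so the example is deterministic (assumed, not real).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def parse_timestamp(value):
    """Return an aware datetime for an ISO-8601 report value, or None when the
    report says N/A (password never used) or no_information."""
    if value in ("N/A", "no_information", ""):
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def has_active_access_key(row):
    """Step 5 of the audit: a user with an active access key is an API user."""
    return row.get("access_key_1_active") == "true" or row.get("access_key_2_active") == "true"


def find_extra_users(report_csv, now, threshold_days=PASSWORD_THRESHOLD_DAYS):
    """Return the users whose console password is enabled but has not been used
    within threshold_days (or has never been used), skipping API users."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] == "<root_account>":
            continue  # the root account is not an IAM user and cannot be deleted
        if row["password_enabled"] != "true":
            continue  # no console password, so this check does not apply
        if has_active_access_key(row):
            continue  # used for AWS API access; the audit stops here (step 5)
        last_used = parse_timestamp(row["password_last_used"])
        if last_used is None:
            # Step 6: Last Used is "Never", so the user has never logged in.
            findings.append({"user": row["user"], "days_unused": None,
                             "reason": "password never used"})
            continue
        days_unused = (now - last_used).days
        if days_unused > threshold_days:
            findings.append({"user": row["user"], "days_unused": days_unused,
                             "reason": f"password unused for {days_unused} days"})
    return findings


def fetch_credential_report():
    """Download the account's credential report with boto3. Needs AWS credentials
    and is not called by the offline demo; boto3 is imported lazily for that reason."""
    import time
    import boto3
    iam = boto3.client("iam")
    # generate_credential_report returns STARTED/INPROGRESS until the report is ready.
    while iam.generate_credential_report()["State"] != "COMPLETE":
        time.sleep(2)
    return iam.get_credential_report()["Content"].decode("utf-8")


if __name__ == "__main__":
    for finding in find_extra_users(SAMPLE_REPORT, NOW):
        print(f"{finding['user']}: {finding['reason']}")
```

With the sample data, alice (password last used 148 days ago) and carol (password never used) are reported; bob is within the window, dave is skipped because he holds an active access key, and svc-deploy has no console password. To run it against a real account, replace SAMPLE_REPORT with fetch_credential_report() and NOW with datetime.now(timezone.utc); remember that the report is regenerated at most every 4 hours, so a login made after the last report will not be reflected until the next one.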

Steps for remediation :

  1. Sign in to the AWS Management Console.
  2. Navigate to the “IAM” dashboard.
    https://console.aws.amazon.com/iamv2/
  3. Click on Users in the left navigation panel. Next, select the users that you want to delete.
  4. Click on the Actions dropdown and select Delete User. Click Yes to confirm the deletion, and the user will be deleted.
  5. Repeat the steps for the other extra users.


References: