AWS-008 Amazon Web Services (AWS)

Credentials unused for 90+ days are disabled.


Domain: Amazon Web Services (AWS)
Area: IAM
Automated / manual: Automated

Risk if it fails

Dormant credentials are unmonitored attack surface.

Unused accounts (ex-staff, old scripts) are rarely watched. Attackers love them because activity on a forgotten account triggers no alarms.

How Tess tests it

1 test — each concludes only on cited evidence.

Credentials unused for 90+ days are disabled.

Automated
Procedure
Use the last-used timestamps in the IAM credential report; flag passwords and access keys idle for 90+ days.

Read-only command

aws iam get-credential-report --query 'Content' --output text | base64 -d | awk -F, '{print $1,$5,$11,$16}'
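The procedure above, as an added example (not Tess's own code): it reads the decoded credential report CSV and flags every still-enabled password or access key idle for 90+ days. The function names and the sample rows are constructed for illustration, and ageing a never-used credential from its last change or rotation is an assumption of this example.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample, trimmed to the credential report columns this check reads.
SAMPLE = """\
user,password_enabled,password_last_used,password_last_changed,access_key_1_active,access_key_1_last_used_date,access_key_1_last_rotated,access_key_2_active,access_key_2_last_used_date,access_key_2_last_rotated
alice,true,2024-05-20T09:15:00+00:00,2024-01-02T00:00:00+00:00,true,2024-01-10T00:00:00+00:00,2023-11-01T00:00:00+00:00,false,N/A,N/A
old-deploy-script,false,N/A,N/A,true,N/A,2023-06-01T00:00:00+00:00,false,N/A,N/A
bob,true,no_information,2024-05-01T00:00:00+00:00,false,2022-03-03T00:00:00+00:00,2022-01-01T00:00:00+00:00,false,N/A,N/A
<root_account>,not_supported,not_supported,not_supported,false,N/A,N/A,false,N/A,N/A
"""

# (label, enabled column, last-used column, fallback column when never used)
CREDENTIALS = [
    ("password", "password_enabled", "password_last_used", "password_last_changed"),
    ("access_key_1", "access_key_1_active", "access_key_1_last_used_date", "access_key_1_last_rotated"),
    ("access_key_2", "access_key_2_active", "access_key_2_last_used_date", "access_key_2_last_rotated"),
]

def parse_ts(value):
    """Return an aware datetime, or None for N/A, no_information, not_supported."""
    try:
        return datetime.fromisoformat(value.replace("Z", "+00:00"))
    except (ValueError, AttributeError):
        return None

def idle_credentials(report_csv, now, max_idle_days=90):
    """List (user, credential, idle_days) for enabled credentials idle >= max_idle_days."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for name, enabled_col, used_col, fallback_col in CREDENTIALS:
            if row.get(enabled_col) != "true":
                continue  # already disabled, absent, or not_supported
            # Assumption: a never-used credential is aged from its last change/rotation.
            last = parse_ts(row.get(used_col)) or parse_ts(row.get(fallback_col))
            if last is None:
                findings.append((row["user"], name, None))  # no timestamp: review by hand
            elif (now - last).days >= max_idle_days:
                findings.append((row["user"], name, (now - last).days))
    return findings

if __name__ == "__main__":
    # Fixed date so the sample is reproducible; use datetime.now(timezone.utc) on a live report.
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    for finding in idle_credentials(SAMPLE, now):
        print(*finding)
```

On a live account, pass the decoded output of `aws iam get-credential-report` as `report_csv`; the full report carries more columns than the sample, which `csv.DictReader` ignores.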
