
User accounts with administrative privileges unused for 90 days are not removed

Description

IAM users and roles in your AWS accounts are entry points into the account and should exist only while they are in use. An idle identity is one nobody is watching: it can be reused by mistake, or taken over, to give unauthorized users access to AWS resources, and the risk is highest when the identity carries administrative privileges.

An IAM user or role that has not been used in the last 90 days is flagged as an unused admin, a critical finding, if any of the following applies:

  • The AWS managed policy arn:aws:iam::aws:policy/AdministratorAccess is attached
  • A policy allows the action "*" on all resources
  • A policy allows the action "iam:*" on all resources (full control of IAM is equivalent to administrator access, because the holder can grant themselves any other permission)

We recommend that you remove any IAM entity that has admin privileges and has not been used in the last 90 days, so that a dormant administrator cannot later be reactivated or handed to an unauthorized user.
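The three criteria above, plus the 90-day inactivity test, as an added worked example (this is not the page's or the scanner's own code). The entity records are constructed inline; in a real run a collector would build them from the IAM credential report (password and access-key last-used dates), the RoleLastUsed field returned for roles, and the policy documents attached to each identity. The record layout (attached_policy_arns, policy_documents, last_used, created) is an assumption of this example.

```python
"""Flag IAM identities that have admin privileges and no activity in 90 days.

Added example, not the page's own code: the entity records below are
constructed inline; a real collector would build them from the IAM
credential report (password/access-key last-used dates), get-role
(RoleLastUsed) and the policy documents attached to each identity.
"""
from datetime import datetime, timedelta, timezone

ADMIN_MANAGED_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"
ADMIN_ACTIONS = {"*", "iam:*"}
INACTIVE_DAYS = 90


def _as_list(value):
    """IAM lets Statement, Action and Resource be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_admin_policy(document):
    """True if any Allow statement grants '*' or 'iam:*' on Resource '*'.

    Matches the page's criteria literally: NotAction, NotResource and
    Condition blocks are ignored, so this is a fast screen, not a full
    policy evaluation. Action names are case-insensitive in IAM.
    """
    for stmt in _as_list(document.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        resources = set(_as_list(stmt.get("Resource")))
        if "*" in resources and actions & ADMIN_ACTIONS:
            return True
    return False


def is_admin(entity):
    """Admin if AdministratorAccess is attached or any policy document matches."""
    if ADMIN_MANAGED_POLICY in entity.get("attached_policy_arns", []):
        return True
    return any(is_admin_policy(d) for d in entity.get("policy_documents", []))


def _parse(stamp):
    """Parse an ISO 8601 timestamp; the credential report uses 'N/A' and
    'no_information' for missing values, and RoleLastUsed may be absent."""
    if stamp in (None, "", "N/A", "no_information"):
        return None
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def last_activity(entity):
    """Most recent of the entity's last-used timestamps, or None if never used."""
    stamps = [t for t in map(_parse, entity.get("last_used", [])) if t]
    return max(stamps) if stamps else None


def unused_admins(entities, now, days=INACTIVE_DAYS):
    """Names of admin entities with no activity in the last `days` days.

    A never-used admin is judged by its creation date, so a freshly created
    admin is not flagged, while one that has sat idle since creation is.
    """
    cutoff = now - timedelta(days=days)
    flagged = []
    for entity in entities:
        if not is_admin(entity):
            continue
        reference = last_activity(entity) or _parse(entity.get("created"))
        if reference is None or reference < cutoff:
            flagged.append(entity["name"])
    return flagged


# Constructed sample records (not real account data).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE = [
    {"name": "old-admin", "attached_policy_arns": [ADMIN_MANAGED_POLICY],
     "last_used": ["2024-01-15T10:00:00Z", "N/A"], "created": "2022-01-01T00:00:00Z"},
    {"name": "active-admin", "attached_policy_arns": [ADMIN_MANAGED_POLICY],
     "last_used": ["2024-05-30T08:00:00Z"], "created": "2022-01-01T00:00:00Z"},
    {"name": "iam-star-role", "policy_documents": [{"Version": "2012-10-17",
        "Statement": {"Effect": "Allow", "Action": "iam:*", "Resource": "*"}}],
     "last_used": [], "created": "2023-06-01T00:00:00Z"},
    {"name": "new-admin", "attached_policy_arns": [ADMIN_MANAGED_POLICY],
     "last_used": ["no_information"], "created": "2024-05-28T00:00:00Z"},
    {"name": "s3-only", "policy_documents": [{"Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": ["s3:*"], "Resource": "*"}]}],
     "last_used": ["2023-01-01T00:00:00Z"], "created": "2022-01-01T00:00:00Z"},
    {"name": "denied-star", "policy_documents": [{"Version": "2012-10-17",
        "Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*"}]}],
     "last_used": [], "created": "2022-01-01T00:00:00Z"},
]

if __name__ == "__main__":
    print(unused_admins(SAMPLE, NOW))  # ['old-admin', 'iam-star-role']
```

Two design points worth noting: a Deny statement with "*" is not admin and must not be flagged, and a never-used identity is measured from its creation date rather than silently skipped, because an administrator that has never been touched since it was created is exactly the kind of forgotten entry point this finding is about.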

Fix - Runtime

AWS Console

  1. Log in to the AWS Management Console at https://console.aws.amazon.com/.
  2. Open the Amazon IAM console and select Users.
  3. Find the user(s) to delete and select the checkbox next to each one. (You may wish to confirm the "last activity" date before deleting the user.)
  4. Click Delete User.

CLI Command

To remove an IAM user identified as an unused admin, use the following command. Unlike the console, the API does not clean up for you: delete-user fails with a DeleteConflict error while the user still has a console password, access keys, MFA devices, signing certificates, SSH keys, attached or inline policies, or group memberships, so remove those first. Confirm the last-activity date (the IAM credential report lists password and access-key last-used dates) before deleting:

aws iam delete-user --user-name <value>
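Because delete-user refuses a user that still owns credentials, policies or group memberships, the order of the preceding calls matters. The following added example (not the page's own code, and not an AWS tool) turns an inventory of what the user owns into the ordered list of aws iam commands to run, credentials first so the identity is dead even if a later step fails. The inventory is constructed here; in practice it would be filled from the list-* and get-login-profile calls named in the docstring, and the inventory key names are an assumption of this example.

```python
"""Plan the IAM calls needed to delete a user without a DeleteConflict.

Added example, not the page's own code: `aws iam delete-user` refuses a
user that still owns credentials, policies or group memberships, so those
must go first. The inventory below is constructed; a real run would fill it
from the IAM list-* calls named in plan_user_deletion's docstring.
"""
import shlex


def _cmd(*parts):
    """Render one aws CLI invocation with shell-safe quoting of every argument."""
    return "aws iam " + " ".join(shlex.quote(str(p)) for p in parts)


def plan_user_deletion(user, inventory):
    """Return the ordered aws CLI commands that remove everything delete-user
    trips over, credentials first so the user is dead even if a later step fails.

    inventory keys (all optional), and the IAM call that would populate each:
      login_profile (bool)             get-login-profile
      access_key_ids (list)            list-access-keys
      signing_certificate_ids (list)   list-signing-certificates
      ssh_public_key_ids (list)        list-ssh-public-keys
      service_credential_ids (list)    list-service-specific-credentials
      mfa_serials (list)               list-mfa-devices
      attached_policy_arns (list)      list-attached-user-policies
      inline_policy_names (list)       list-user-policies
      group_names (list)               list-groups-for-user
    """
    plan = []
    # 1. Kill interactive and programmatic credentials first.
    if inventory.get("login_profile"):
        plan.append(_cmd("delete-login-profile", "--user-name", user))
    for key_id in inventory.get("access_key_ids", []):
        plan.append(_cmd("delete-access-key", "--user-name", user,
                         "--access-key-id", key_id))
    for cert_id in inventory.get("signing_certificate_ids", []):
        plan.append(_cmd("delete-signing-certificate", "--user-name", user,
                         "--certificate-id", cert_id))
    for key_id in inventory.get("ssh_public_key_ids", []):
        plan.append(_cmd("delete-ssh-public-key", "--user-name", user,
                         "--ssh-public-key-id", key_id))
    for cred_id in inventory.get("service_credential_ids", []):
        plan.append(_cmd("delete-service-specific-credential", "--user-name", user,
                         "--service-specific-credential-id", cred_id))
    # 2. MFA: deactivate, and delete the device object if it is a virtual one
    #    (virtual MFA serials are ARNs of the form arn:aws:iam::<acct>:mfa/<name>).
    for serial in inventory.get("mfa_serials", []):
        plan.append(_cmd("deactivate-mfa-device", "--user-name", user,
                         "--serial-number", serial))
        if ":mfa/" in serial:
            plan.append(_cmd("delete-virtual-mfa-device", "--serial-number", serial))
    # 3. Strip permissions: managed policies, inline policies, group memberships.
    for arn in inventory.get("attached_policy_arns", []):
        plan.append(_cmd("detach-user-policy", "--user-name", user, "--policy-arn", arn))
    for name in inventory.get("inline_policy_names", []):
        plan.append(_cmd("delete-user-policy", "--user-name", user, "--policy-name", name))
    for group in inventory.get("group_names", []):
        plan.append(_cmd("remove-user-from-group", "--user-name", user,
                         "--group-name", group))
    # 4. Only now will delete-user succeed.
    plan.append(_cmd("delete-user", "--user-name", user))
    return plan


# Constructed inventory for a hypothetical unused admin named "old-admin";
# the key ID and account number are the placeholders used in AWS documentation.
SAMPLE_INVENTORY = {
    "login_profile": True,
    "access_key_ids": ["AKIAIOSFODNN7EXAMPLE"],
    "mfa_serials": ["arn:aws:iam::123456789012:mfa/old-admin"],
    "attached_policy_arns": ["arn:aws:iam::aws:policy/AdministratorAccess"],
    "inline_policy_names": ["legacy-inline"],
    "group_names": ["Admins"],
}

if __name__ == "__main__":
    for line in plan_user_deletion("old-admin", SAMPLE_INVENTORY):
        print(line)
```

Review the printed plan before running it; the quoting step exists so that a user name containing shell metacharacters cannot turn the plan into something else. Unused admin roles follow the same pattern: detach managed policies, delete inline policies and remove the role from any instance profile before deleting the role itself.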