AWS IAM Credentials Report [Cheat Sheet]

Cheat sheet for IAM Credentials Report

I recently came across this neat cheat sheet by Steampipe for AWS IAM Credential Reports, which is a simple but mighty feature you may not be using (but probably should be).

IAM Credentials Report cheat sheet

However, this guide came out a couple of years ago, and so today I would make a few changes to it. Let’s take a look at what those changes are.

1. “Ensure no root usage since last check, MFA is enabled, and no access keys exist.”

Yes to these recommendations, except for a minor change. AWS recently launched centralized root management, which removes the need for a root user with credentials in member accounts, and therefore removes the need for MFA in those accounts.

So for this recommendation, we could change it to something like “Ensure no root user or usage since last check, that central root management is enabled, and that all long-term credentials have been deleted.”

2. “Users should have access keys or passwords, not both”

I would change this to “Users should be transitioned to Identity Center and deleted entirely (apart from a BreakGlass user). During the transition, ideally users should have neither a password nor an access key.”

3. “Delete user accounts that have never been used”

No change here. This is an easy win you can do right now in just a few minutes.

4. “Passwords should be changed based on company policy”

Yes and ideally passwords live outside of AWS in your IdP except for break-glass users (in case of outage).

5. “Enable MFA for all users”

Enable MFA for any break-glass users and while you transition to Identity Center.

6. “Rotate old access keys”

Better yet, get rid of them entirely. If they’re still being used, which you can tell from this report, figure out why and transition to IAM roles (or IAM Roles Anywhere if external to AWS). You can also deactivate keys instead of deleting them to ease the transition.

7. “Delete unused access keys”

100%. No change. This is an easy win you can do today in just a few minutes.
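The seven checks above can all be evaluated from the credential report itself, since it is just a CSV with one row per IAM user (plus the root user as `<root_account>`). The script below is an added example, not part of the original post or the Steampipe cheat sheet: it parses a constructed sample report with the real report's column names and made-up values, then applies each check with the post's adjustments (a break-glass user is exempt from the "never used" check, and the root row is evaluated separately). The 90-day thresholds, the 30-day "last check" window, and the user names are assumptions for the example.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample report. A real one is the base64-decoded Content field of
# `aws iam get-credential-report`; column names match that format, values are made up.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,2024-05-20T10:00:00+00:00,not_supported,not_supported,false,true,2020-01-01T00:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2021-03-01T00:00:00+00:00,true,2024-05-10T08:00:00+00:00,2023-01-01T00:00:00+00:00,N/A,true,true,2022-01-01T00:00:00+00:00,2024-05-09T00:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2022-06-01T00:00:00+00:00,false,N/A,N/A,N/A,false,true,2022-06-01T00:00:00+00:00,2023-01-15T00:00:00+00:00,eu-west-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
carol,arn:aws:iam::123456789012:user/carol,2023-09-01T00:00:00+00:00,true,no_information,2023-09-01T00:00:00+00:00,N/A,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
breakglass,arn:aws:iam::123456789012:user/breakglass,2021-01-01T00:00:00+00:00,true,no_information,2024-04-01T00:00:00+00:00,N/A,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

# Markers the report uses in timestamp columns when there is no timestamp.
NO_TIMESTAMP = {"N/A", "no_information", "not_supported", ""}


def parse_ts(value):
    """Return an aware datetime, or None for the report's non-timestamp markers."""
    if value in NO_TIMESTAMP:
        return None
    return datetime.fromisoformat(value)


def parse_report(text):
    """Parse the CSV body of a credential report into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def audit_report(rows, now, last_check, max_age_days=90, break_glass=frozenset()):
    """Apply the seven cheat-sheet checks. Returns (check_no, user, message) tuples."""
    max_age = timedelta(days=max_age_days)
    findings = []

    def key_info(row, n):
        # (slot, active?, last rotated, last used) for access key slot n
        return (n, row[f"access_key_{n}_active"] == "true",
                parse_ts(row[f"access_key_{n}_last_rotated"]),
                parse_ts(row[f"access_key_{n}_last_used_date"]))

    for row in rows:
        user = row["user"]
        pw_enabled = row["password_enabled"] == "true"
        pw_last_used = parse_ts(row["password_last_used"])
        keys = [key_info(row, n) for n in (1, 2)]
        active_keys = [k for k in keys if k[1]]

        if user == "<root_account>":
            # 1. Root: no usage since last check, MFA on, no access keys at all.
            used = [t for t in [pw_last_used] + [k[3] for k in keys] if t]
            if any(t >= last_check for t in used):
                findings.append((1, user, "root credentials used since last check"))
            if active_keys:
                findings.append((1, user, "root has an active access key"))
            if row["mfa_active"] != "true":
                findings.append((1, user, "root MFA not enabled"))
            continue

        # 2. A user should hold an access key or a password, not both.
        if pw_enabled and active_keys:
            findings.append((2, user, "both password and access key active"))
        # 3. Never used at all; break-glass users are expected to sit idle.
        ever_used = pw_last_used is not None or any(k[3] for k in keys)
        if not ever_used and user not in break_glass:
            findings.append((3, user, "never used"))
        # 4. Password age against the (assumed) rotation policy.
        pw_changed = parse_ts(row["password_last_changed"])
        if pw_enabled and pw_changed and now - pw_changed > max_age:
            findings.append((4, user, f"password older than {max_age_days} days"))
        # 5. Every console user needs MFA.
        if pw_enabled and row["mfa_active"] != "true":
            findings.append((5, user, "password enabled without MFA"))
        # 6 and 7. Old keys, and keys that are active but not being used.
        for n, _active, rotated, last_used in active_keys:
            if rotated and now - rotated > max_age:
                findings.append((6, user, f"access key {n} older than {max_age_days} days"))
            if last_used is None or now - last_used > max_age:
                findings.append((7, user, f"access key {n} unused for {max_age_days} days"))
    return findings


def audit_sample():
    """Run the audit over the constructed report with a fixed 'now' for reproducibility."""
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    return audit_report(parse_report(SAMPLE_REPORT), now, now - timedelta(days=30),
                        break_glass={"breakglass"})


if __name__ == "__main__":
    for check, user, msg in audit_sample():
        print(f"check {check}: {user}: {msg}")
```

To run it against a real account, generate the report with `aws iam generate-credential-report`, fetch it with `aws iam get-credential-report --query Content --output text | base64 -d`, and pass the decoded text to `parse_report`. Findings under check 6 and 7 are the candidates for deactivation before deletion, as the post suggests; the `break_glass` set is where the exempt user from item 2 belongs.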

Create an IAM Credentials Report in our Hands-On Lab

If you’d like to try out this feature in a real AWS environment, check out our free IAM Credential Report Hands-On Lab.

