standard
turbot/aws_compliance

Trigger: Detect & correct IAM root users last used in 90 days or more

Detect IAM root users last used in 90 days or more.

Query

select
  concat(user_name, ' [', account_id, ']') as title,
  account_id,
  sp_connection_name as conn,
  -- Render each last-used timestamp as text; a null means that credential was never used
  case
    when password_last_used is not null then concat('used on ', password_last_used :: text)
    else 'never used'
  end as password_last_used,
  case
    when access_key_1_last_used_date is not null then concat('used on ', access_key_1_last_used_date :: text)
    else 'never used'
  end as access_key_1_last_used_date,
  case
    when access_key_2_last_used_date is not null then concat('used on ', access_key_2_last_used_date :: text)
    else 'never used'
  end as access_key_2_last_used_date
from
  aws_iam_credential_report
where
  -- The credential report lists the account's root user under this fixed name
  user_name = '<root_account>'
  and (
    -- console password last used within the last 90 days
    password_last_used >= (current_date - interval '90' day)
    -- access keys whose last use is 90 or more days ago
    or access_key_1_last_used_date <= (current_date - interval '90' day)
    or access_key_2_last_used_date <= (current_date - interval '90' day)
  );
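The same check run offline against a raw IAM credential report, as an added example that is not part of the turbot/aws_compliance mod: it reads the report's CSV columns (including the `N/A` / `no_information` placeholders AWS emits for unused credentials), renders each root credential as "used on ..." or "never used" like the query above, and applies one consistent 90-day window to all three credentials. The report content and the `as_of` date are constructed for the example.

```python
import csv
import io
from datetime import date, datetime, timedelta, timezone

ROOT_USER = "<root_account>"  # user name AWS assigns to the root row of the credential report
LAST_USED_FIELDS = (
    "password_last_used",
    "access_key_1_last_used_date",
    "access_key_2_last_used_date",
)

# Constructed sample report: header plus a root row and one IAM user,
# trimmed to the columns this check needs (the real report has more).
SAMPLE_REPORT = """\
user,arn,password_last_used,access_key_1_last_used_date,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2024-05-20T09:12:00+00:00,N/A,2024-01-02T00:00:00+00:00
alice,arn:aws:iam::123456789012:user/alice,2024-06-01T08:00:00+00:00,N/A,no_information
"""


def parse_last_used(value):
    """Return a UTC date, or None for the placeholders the report uses for 'never used'."""
    if value in ("N/A", "no_information", ""):
        return None
    return datetime.fromisoformat(value).astimezone(timezone.utc).date()


def root_credential_usage(report_csv, as_of, window_days=90):
    """Find the root row and report each credential's last use against the window.

    Returns None if the report has no root row; otherwise a dict shaped like the
    query's output plus 'used_within_window', which is True when any root
    credential was used on or after as_of - window_days.
    """
    cutoff = as_of - timedelta(days=window_days)
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] != ROOT_USER:
            continue
        account_id = row["arn"].split(":")[4]  # arn:partition:iam::ACCOUNT:root
        result = {"title": f"{ROOT_USER} [{account_id}]", "account_id": account_id}
        used_recently = False
        for field in LAST_USED_FIELDS:
            last_used = parse_last_used(row[field])
            result[field] = f"used on {last_used.isoformat()}" if last_used else "never used"
            used_recently = used_recently or (last_used is not None and last_used >= cutoff)
        result["used_within_window"] = used_recently
        return result
    return None


if __name__ == "__main__":
    print(root_credential_usage(SAMPLE_REPORT, date(2024, 6, 10)))
```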

Schedule

15m

Tags

category = Compliance
mod = aws
service = AWS/IAM