turbot/aws_compliance

Trigger: Detect & correct IAM users with unused login profile from 45 days or more

Detects IAM user login profiles (console passwords) that have been unused for 45 days or more and deletes them. A user is selected when the password is enabled and either it has never been used and was set more than 45 days ago, or it was last used more than 45 days ago.

Query

select
  concat(u.name, ' [', u.account_id, ']') as title,
  u.name as user_name,
  coalesce(r.password_last_used :: text, 'Never Used') as password_last_used,
  r.password_last_changed,
  coalesce(
    (extract(day from now() - r.password_last_used)) :: text,
    'Never Used'
  ) as password_last_used_in_days,
  (extract(day from now() - r.password_last_changed)) :: text as password_last_changed_in_days,
  u.account_id,
  u.sp_connection_name as conn
from
  aws_iam_user as u
  left join aws_iam_credential_report as r on r.user_name = u.name
  and u.account_id = r.account_id
where
  (
    r.password_enabled
    and r.password_last_used is null
    and r.password_last_changed < (current_date - interval '45' day)
  )
  or (
    r.password_enabled
    and r.password_last_used < (current_date - interval '45' day)
  );
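The same selection logic applied directly to an IAM credential report, as an added example that is not part of the mod: the report rows are constructed, the reference date is fixed, and the 45-day cutoff and the handling of `no_information` / `N/A` / `not_supported` mirror the null checks in the query's WHERE clause.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Fixed reference date so the example is deterministic (the query uses now()/current_date).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
THRESHOLD_DAYS = 45

# Constructed sample in the column layout of the AWS IAM credential report (subset of columns).
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed
<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,not_supported,2024-05-30T00:00:00+00:00,not_supported
alice,arn:aws:iam::111122223333:user/alice,2023-01-10T00:00:00+00:00,true,2024-05-28T00:00:00+00:00,2024-01-10T00:00:00+00:00
bob,arn:aws:iam::111122223333:user/bob,2023-01-10T00:00:00+00:00,true,2024-03-01T00:00:00+00:00,2024-01-10T00:00:00+00:00
carol,arn:aws:iam::111122223333:user/carol,2024-01-15T00:00:00+00:00,true,no_information,2024-01-15T00:00:00+00:00
dave,arn:aws:iam::111122223333:user/dave,2024-05-20T00:00:00+00:00,true,no_information,2024-05-20T00:00:00+00:00
svc-deploy,arn:aws:iam::111122223333:user/svc-deploy,2022-06-01T00:00:00+00:00,false,N/A,N/A
"""


def _parse_ts(value):
    """Report timestamps are ISO 8601; 'no_information', 'N/A' and 'not_supported' carry no value
    (they become NULL in the Steampipe table, which is what the query's IS NULL test relies on)."""
    if value in ("no_information", "N/A", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def stale_login_profiles(report_csv, now=NOW, threshold_days=THRESHOLD_DAYS):
    """Mirror the trigger's WHERE clause: password enabled AND (never used and set before the cutoff,
    OR last used before the cutoff). Returns [(user, days_since_last_use_or_None, days_since_change)]."""
    cutoff = now - timedelta(days=threshold_days)
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        # Root reports 'not_supported'; access-key-only users report 'false'. Both are skipped.
        if row["password_enabled"] != "true":
            continue
        last_used = _parse_ts(row["password_last_used"])
        last_changed = _parse_ts(row["password_last_changed"])
        never_used_and_old = last_used is None and last_changed is not None and last_changed < cutoff
        used_long_ago = last_used is not None and last_used < cutoff
        if never_used_and_old or used_long_ago:
            findings.append((
                row["user"],
                (now - last_used).days if last_used else None,
                (now - last_changed).days,
            ))
    return findings
```

Running it over the sample flags `bob` (last console sign-in 92 days ago) and `carol` (password set 138 days ago, never used), while `dave` is kept because his never-used password is only 12 days old.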

Schedule

15m

Tags

category = Compliance
mod = aws
service = AWS/IAM