| Plugin Title | Users Password Last Used |
| Cloud | AWS |
| Category | IAM |
| Description | Detects users with password logins that have not been used for a period of time and that should be decommissioned |
| More Info | Having numerous, unused user accounts extends the attack surface. If users do not log into their accounts for more than the defined period of time, the account should either be deleted or have console login disabled. |
| AWS Link | http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_admin-change-user.html |
| Recommended Action | Delete old user accounts that allow password-based logins and have not been used recently. |
- Log in to the AWS Management Console.
- Select the "Services" option and search for IAM.
- Scroll down the left navigation panel and choose "Credential report". Click on the "Download Report" button to download a report that lists all your account's users and the status of their various credentials.
- Open the downloaded credentials report and check the "password_last_used_date" column for each IAM account. If the timestamp value for "password_last_used_date" is recorded within the last 7 days, the above credentials have been used to access the AWS account. If however, the timestamp value is older than 90 days, then the account should be deleted or disabled.
- Scroll down the left navigation panel and choose "Users".
- Select the "User" that needs to be verified and click on the "User name" to access the selected IAM User.
- Click on the "Security Credentials" tab under the configuration page.
- Under the "Security Credentials" tab check the "Console password" section for status "Enabled/Disabled". If the status is "Enabled" then the console sign in is enabled and needs to be disabled.
- Click on "Manage" to open "Manage console acess" pop up.
- Select "Disable" for the Console access and click on "Apply" button.
- Repeat step number 2 - 11 to verify for other IAM users.
