Disable inactive access keys
Description
Disable IAM access keys unused for 45+ days.
⚠️ Risk Impact
Inactive keys are forgotten attack surface: adversaries find them in leaked-credential dumps and use them without drawing attention, because nobody is watching a key that is supposedly unused.
🔍 How EchelonGraph Detects This
EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected AWS accounts. Violations are flagged as high-severity findings with remediation guidance.
🔧 Remediation
Generate the AWS IAM credential report at least quarterly and disable every access key whose last-used date is more than 45 days old. Automate the disable step with aws iam update-access-key --user-name <USER> --access-key-id <KEY_ID> --status Inactive.
💀 Real-World Attack Scenario
An ex-employee's IAM access key, still active 90 days after termination, was discovered in a leaked-credential database. Attackers used it for 18 months of low-and-slow cryptomining; total cost: $340K.
💰 Cost of Non-Compliance
Inactive-key compromise: average $100K to $500K (varies with the key's access level).
📋 Audit Questions
- 1. How often are inactive keys detected?
- 2. What is the SLA for disabling a key once it is flagged?
- 3. When was the last credential report generated?
🎯 MITRE ATT&CK Mapping
⚡ Common Pitfalls
- ⛔ Manual quarterly review skipped
- ⛔ Service account 'inactive' but actually load-bearing
- ⛔ No automation
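The following script is an added example (not EchelonGraph's code and not taken from the page) of the remediation step and of the "inactive but load-bearing service account" pitfall. It consumes the JSON shapes printed by aws iam list-access-keys and aws iam get-access-key-last-used, flags active keys idle for more than 45 days (a never-used key is measured from its creation date), and emits the update-access-key command for each, or a review marker instead for users on an exemption list. Every user name, key ID and date is constructed, and the exemption list is a hypothetical input; the automated path uses these two calls rather than the credential report because the report does not carry key IDs.

```python
"""Decide which IAM access keys have been idle for more than 45 days.

Added example, not EchelonGraph or AWS code.  Input shapes mirror the JSON
printed by `aws iam list-access-keys` and `aws iam get-access-key-last-used`;
every user name, key ID and date below is constructed for the example.
"""
import json
from datetime import datetime, timedelta, timezone

MAX_IDLE_DAYS = 45  # threshold from the control
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed "today" so the sample is reproducible

# Constructed stand-in for `aws iam list-access-keys`, run per user and merged.
SAMPLE_LIST_KEYS = json.loads("""{"AccessKeyMetadata": [
  {"UserName": "alice",      "AccessKeyId": "AKIAEXAMPLEALICE0001", "Status": "Active",   "CreateDate": "2023-01-10T00:00:00+00:00"},
  {"UserName": "bob",        "AccessKeyId": "AKIAEXAMPLEBOB000002", "Status": "Active",   "CreateDate": "2023-01-10T00:00:00+00:00"},
  {"UserName": "carol",      "AccessKeyId": "AKIAEXAMPLECAROL0003", "Status": "Active",   "CreateDate": "2024-03-01T00:00:00+00:00"},
  {"UserName": "svc-backup", "AccessKeyId": "AKIAEXAMPLESVCBK0004", "Status": "Active",   "CreateDate": "2022-06-01T00:00:00+00:00"},
  {"UserName": "dave",       "AccessKeyId": "AKIAEXAMPLEDAVE00005", "Status": "Inactive", "CreateDate": "2023-04-02T00:00:00+00:00"},
  {"UserName": "erin",       "AccessKeyId": "AKIAEXAMPLEERIN00006", "Status": "Active",   "CreateDate": "2024-05-20T00:00:00+00:00"}
]}""")

# Constructed stand-in for `aws iam get-access-key-last-used --access-key-id <id>`,
# keyed by key ID.  A never-used key carries no LastUsedDate and "N/A" fields.
SAMPLE_LAST_USED = {
    "AKIAEXAMPLEALICE0001": {"UserName": "alice", "AccessKeyLastUsed": {"LastUsedDate": "2024-05-30T00:00:00+00:00", "ServiceName": "sts", "Region": "us-east-1"}},
    "AKIAEXAMPLEBOB000002": {"UserName": "bob", "AccessKeyLastUsed": {"LastUsedDate": "2024-02-01T00:00:00+00:00", "ServiceName": "s3", "Region": "us-east-1"}},
    "AKIAEXAMPLECAROL0003": {"UserName": "carol", "AccessKeyLastUsed": {"ServiceName": "N/A", "Region": "N/A"}},
    "AKIAEXAMPLESVCBK0004": {"UserName": "svc-backup", "AccessKeyLastUsed": {"LastUsedDate": "2024-03-15T00:00:00+00:00", "ServiceName": "ec2", "Region": "eu-west-1"}},
    "AKIAEXAMPLEDAVE00005": {"UserName": "dave", "AccessKeyLastUsed": {"LastUsedDate": "2023-06-01T00:00:00+00:00", "ServiceName": "s3", "Region": "us-east-1"}},
    "AKIAEXAMPLEERIN00006": {"UserName": "erin", "AccessKeyLastUsed": {"ServiceName": "N/A", "Region": "N/A"}},
}

# Hypothetical exemption list: service users whose idle key still needs a human
# decision (the "inactive but load-bearing" pitfall) instead of an automatic disable.
EXEMPT_USERS = {"svc-backup"}


def parse_aws_time(value):
    """AWS CLI prints ISO 8601 with a +00:00 offset; also accept a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def plan_disables(list_keys_json, last_used_by_id, now=NOW,
                  max_idle_days=MAX_IDLE_DAYS, exempt_users=frozenset()):
    """Return one decision dict per stale key, in list-access-keys order."""
    cutoff = now - timedelta(days=max_idle_days)
    plan = []
    for meta in list_keys_json["AccessKeyMetadata"]:
        if meta["Status"] != "Active":
            continue  # already disabled, nothing to do
        key_id, user = meta["AccessKeyId"], meta["UserName"]
        last_used = last_used_by_id.get(key_id, {}).get("AccessKeyLastUsed", {})
        used_at = last_used.get("LastUsedDate")
        # A never-used key has no LastUsedDate; its idle time then runs from
        # creation, so an unused key created 60 days ago is stale, not "new".
        reference = parse_aws_time(used_at) if used_at else parse_aws_time(meta["CreateDate"])
        if reference > cutoff:
            continue  # used (or created) within the window
        plan.append({
            "user": user,
            "key_id": key_id,
            "idle_days": (now - reference).days,
            "never_used": used_at is None,
            "last_service": last_used.get("ServiceName", "N/A"),
            "action": "review" if user in exempt_users else "disable",
        })
    return plan


def to_commands(plan):
    """Render each decision as the CLI command from the remediation text; exempt
    users get a commented review line so a human confirms before anything runs."""
    cmds = []
    for item in plan:
        cmd = (f"aws iam update-access-key --user-name {item['user']} "
               f"--access-key-id {item['key_id']} --status Inactive")
        if item["action"] == "disable":
            cmds.append(cmd)
        else:
            cmds.append(f"# REVIEW ({item['idle_days']}d idle, exempt service user): {cmd}")
    return cmds


def run_sample():
    """Apply the policy to the constructed sample and return (plan, commands)."""
    plan = plan_disables(SAMPLE_LIST_KEYS, SAMPLE_LAST_USED, exempt_users=EXEMPT_USERS)
    return plan, to_commands(plan)


if __name__ == "__main__":
    for line in run_sample()[1]:
        print(line)
```

On the sample, bob (121 days idle) and carol (never used, created 92 days ago) produce disable commands, svc-backup (78 days idle but exempt) produces a review line, and alice, erin (recent) and dave (already Inactive) produce nothing. Emitting commands rather than calling the API keeps the script a dry run that an operator can inspect and pipe into a shell once the exempt lines have been resolved.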
📈 Business Value
Automated inactive-key disabling closes a high-frequency attack vector.
⏱️ Effort Estimate
Quarterly manual review; EchelonGraph monitors key age and last-used date continuously.
🔗 Cross-Framework References
Automate CIS AWS 1.11 compliance
EchelonGraph continuously monitors this control across all your cloud accounts.