🟠 CIS AWS 1.12 | Rule: CIS-AWS-1-12 | Severity: high

Disable credentials unused for 45 days

Description

Disable IAM user credentials (password + access keys) unused for 45+ days.

⚠️ Risk Impact

Inactive credentials accumulate as users move between roles. Each unused credential is a forgotten attack surface.

🔍 How EchelonGraph Detects This

CIS-AWS-1-12 (automated scanner rule)

EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected AWS accounts. Violations are flagged as high-severity findings with remediation guidance.

🔧 Remediation

Generate the AWS IAM credential report at least quarterly; disable any credential inactive for more than 45 days using aws iam update-login-profile (console password) and aws iam update-access-key (access keys).
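The review step above, as an added example that is not EchelonGraph's own code: it parses a credential report (a constructed sample is embedded, using a subset of the real report columns), applies the 45-day rule to the console password and both access keys of every IAM user, and returns the CLI actions to take. It emits `delete-login-profile` for passwords because IAM has no per-user password disable switch; the access-key id must still be looked up with `aws iam list-access-keys`, so a placeholder stands in for it.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

MAX_IDLE_DAYS = 45

# Constructed sample credential report (subset of the real column set).
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
alice,arn:aws:iam::123456789012:user/alice,2023-01-10T09:00:00+00:00,true,2024-05-30T08:12:00+00:00,true,2024-05-01T00:00:00+00:00,2024-05-29T10:00:00+00:00,false,N/A,N/A
contractor,arn:aws:iam::123456789012:user/contractor,2023-06-01T09:00:00+00:00,true,2023-11-02T13:45:00+00:00,true,2023-06-01T09:05:00+00:00,N/A,false,N/A,N/A
svc-ci,arn:aws:iam::123456789012:user/svc-ci,2022-03-15T00:00:00+00:00,false,not_supported,true,2024-05-20T00:00:00+00:00,2024-05-31T06:00:00+00:00,true,2024-01-01T00:00:00+00:00,2024-02-10T06:00:00+00:00
"""

# Constructed reference date so the sample evaluates deterministically offline.
REFERENCE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def _parse(ts):
    """Return an aware datetime, or None for the report's N/A-style markers."""
    if ts in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def stale_credentials(report_csv, now=None, max_idle_days=MAX_IDLE_DAYS):
    """Return (user, credential, cli_action) for every credential idle > max_idle_days."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=max_idle_days)
    actions = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":  # root has no login profile to delete; handle separately
            continue
        if row["password_enabled"] == "true":
            # A password that was never used counts from the user's creation time.
            last = _parse(row["password_last_used"]) or _parse(row["user_creation_time"])
            if last < cutoff:
                actions.append((user, "password",
                                f"aws iam delete-login-profile --user-name {user}"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            # A key that was never used counts from its last rotation (creation) date.
            last = (_parse(row[f"access_key_{n}_last_used_date"])
                    or _parse(row[f"access_key_{n}_last_rotated"]))
            if last < cutoff:
                actions.append((user, f"access_key_{n}",
                                f"aws iam update-access-key --user-name {user} "
                                f"--access-key-id <KEY_ID_FROM_list-access-keys> --status Inactive"))
    return actions
```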

💀 Real-World Attack Scenario

A former contractor's IAM password remained valid for 7 months after the engagement ended. The credentials surfaced in a credential-leak database; the attacker used them to access the dev environment and pivot to production. $1.8M impact.

💰 Cost of Non-Compliance

Inactive-credential breaches: average $4.45M (IBM 2024).

📋 Audit Questions

  1. Inactive-credential detection cadence?
  2. Disable SLA?
  3. Credential report retention?

🎯 MITRE ATT&CK Mapping

T1078 — Valid Accounts

⚡ Common Pitfalls

  • Quarterly cadence skipped
  • Manual disabling — slow
  • No alerting on inactive-credential creation

📈 Business Value

Automated inactive-credential disabling is critical IAM hygiene.

⏱️ Effort Estimate

Manual: quarterly review

With EchelonGraph: credential age is monitored continuously

🔗 Cross-Framework References

NIST-AC-2

Automate CIS AWS 1.12 compliance

EchelonGraph continuously monitors this control across all your cloud accounts.
