iam-user-unused-credentials-check
Checks if your Amazon Identity and Access Management (IAM) users have passwords or active access keys that have not been used within the specified number of days you provided. The rule is NON_COMPLIANT if there are inactive accounts not recently used.
Note
Re-evaluation Timeline
Re-evaluating this rule within 4 hours of the first evaluation will have no effect on the results.
Managed Rules and Global IAM Resource Types
The global IAM resource types onboarded before February 2022
(AWS::IAM::Group, AWS::IAM::Policy, AWS::IAM::Role, and AWS::IAM::User)
can only be recorded by Amazon Config in Amazon Regions where Amazon Config was available before February 2022.
These resource types cannot be recorded in Regions supported by Amazon Config after February 2022.
For a list of those Regions,
see Recording Amazon Resources | Global Resources.
If you record a global IAM resource type in at least one Region, periodic rules that report compliance on the global IAM resource type will run evaluations in all Regions where the periodic rule is added, even if you have not enabled the recording of the global IAM resource type in the Region where the periodic rule was added.
To avoid unnecessary evaluations, you should only deploy periodic rules that report compliance on a global IAM resource type to one of the supported Regions. For a list of which managed rules are supported in which Regions, see List of Amazon Config Managed Rules by Region Availability.
Identifier: IAM_USER_UNUSED_CREDENTIALS_CHECK
Resource Types: AWS::IAM::User
Trigger type: Periodic
Amazon Web Services Region: All supported Amazon regions
Parameters:
- maxCredentialUsageAge
- Type: int
- Default: 90
-
Maximum number of days a credential cannot be used. The default value is 90 days.
Amazon CloudFormation template
To create Amazon Config managed rules with Amazon CloudFormation templates, see Creating Amazon Config Managed Rules With Amazon CloudFormation Templates.