Patrick Londa for Blink Ops

Posted on • Originally published at blinkops.com

How to Find and Remove Unused AWS Passwords

If an AWS user has a password to log in to the AWS console but hasn’t used it in over 6 months, that login credential is a security liability to the rest of your account: it can still be phished, guessed, or reused from a breach, yet nobody is watching it.

By running a check to find unused passwords, you can delete login profiles and reduce your account’s potential attack surface.

In this guide, we’ll show you how to find and delete unused passwords to strengthen the security of your AWS account.

Finding and Deleting Unused AWS Passwords

You can find unused passwords with the AWS Console, the AWS CLI, or the AWS API.

Using the AWS Console:

Here are the steps to find and disable unused passwords:

Step 1. To start, log in to your AWS IAM Console.

Step 2. In the navigation pane, select Credential report.

Step 3. When you click Download Report, you’ll get a CSV file using the naming structure status_reports_T.

Step 4. Filter on the fifth column named password_last_used.

  • If the value is N/A, the user has no console password assigned.

  • If the value is no_information, the user has not used their password since IAM started tracking password use (Oct. 20th, 2014).

  • If the value is a date earlier than a threshold you set (e.g. 90 days ago), you can treat the password as unused and act on it.

Step 5. Go to the navigation pane and select Users.

Step 6. Select the name of a user who has an unused password.

Step 7. Go to the Security credentials tab.

Step 8. Under Sign-in credentials, click Manage next to Console password.

Step 9. Select Disable for Console access, then click Apply.

Step 10. Repeat steps 5-9 for all users you identified as having an unused password.

Using the AWS CLI:

If you would prefer to do this using the AWS CLI, here are the steps.

Step 1. You can find unused passwords by running the following command:

aws iam list-users

This will output a list of all users in your AWS account, with each user's details including a PasswordLastUsed value. If a user has no PasswordLastUsed value at all, they either do not have a console password or haven’t used it since tracking began (Oct. 20, 2014); the output alone does not tell you which.

Alternatively, you can use the get-user command if there is someone specific you suspect might have an unused password.

Here is example output from the list-users command:

{
    "Users": [
        {
            "UserName": "Charlie",
            "Path": "/department_abc/group_def/",
            "CreateDate": "2017-06-19T10:01:44Z",
            "PasswordLastUsed": "2022-10-23T11:01:29Z",
            "UserId": "AID3YDW8DMLG72PEANUTS",
            "Arn": "arn:aws:iam::123456789012:user/department_abc/group_def/Charlie"
        },
        {
            "UserName": "Lucy",
            "Path": "/department_abc/group_ghi/",
            "CreateDate": "2018-03-09T13:21:33Z",
            "PasswordLastUsed": "2018-05-21T13:21:51Z",
            "UserId": "AIDIODN4U1W727PEANUTS",
            "Arn": "arn:aws:iam::123456789012:user/department_abc/group_ghi/Lucy"
        }
    ]
}

You can now see that Lucy has not used her password to log in to AWS in multiple years.

Step 2. Next, you can run the following command to delete the password for anyone who, like Lucy, has not used their password in a certain amount of time:

aws iam delete-login-profile --user-name Lucy

The result of this command is that the user can no longer sign in to the AWS Console, which limits your exposure if the old password were ever compromised. Any access keys they hold still work against the AWS CLI and API, so make sure to also review and remove their unused access keys.

Using the AWS API:

You can also use the AWS API to find and delete unused passwords.

Step 1. Use the ListUsers action to get a list of all users in your AWS account. You can use the PathPrefix parameter to narrow the list of users.

Here’s an example of that request:

https://iam.amazonaws.com/?Action=ListUsers
&Version=2010-05-08
&AUTHPARAMS

Here’s an example response:

<ListUsersResponse xmlns="https://iam.amazonaws.com/doc/2010-05-08/">
 <ListUsersResult>
    <Users>
       <member>
          <UserId>AID3YDW8DMLG72PEANUTS</UserId>
          <Path>/department_abc/group_def/</Path>
          <UserName>Charlie</UserName>
          <Arn>arn:aws:iam::123456789012:user/department_abc/group_def/Charlie</Arn>
          <CreateDate>2017-06-19T10:01:44Z</CreateDate>
          <PasswordLastUsed>2022-10-23T11:01:29Z</PasswordLastUsed>
       </member>
       <member>
          <UserId>AIDIODN4U1W727PEANUTS</UserId>
          <Path>/department_abc/group_ghi/</Path>
          <UserName>Lucy</UserName>
          <Arn>arn:aws:iam::123456789012:user/department_abc/group_ghi/Lucy</Arn>
          <CreateDate>2018-03-09T13:21:33Z</CreateDate>
          <PasswordLastUsed>2018-05-21T13:21:51Z</PasswordLastUsed>
       </member>
    </Users>
    <IsTruncated>false</IsTruncated>
 </ListUsersResult>
 <ResponseMetadata>
    <RequestId>7a62c49f-347e-4fc4-9331-6e8eEXAMPLE</RequestId>
 </ResponseMetadata>
</ListUsersResponse>

Step 2. Now that you can see which users have passwords that are no longer being used, you can delete their login credentials with the action DeleteLoginProfile.

Since in the example above Lucy hasn’t used her password to log in to AWS since 2018, we can go ahead and delete her login profile.

Here’s an example of that request:

https://iam.amazonaws.com/?Action=DeleteLoginProfile
&UserName=Lucy
&Version=2010-05-08
&AUTHPARAMS

Here’s an example response:

<DeleteLoginProfileResponse xmlns="https://iam.amazonaws.com/doc/2010-05-08/">
  <ResponseMetadata>
    <RequestId>7a62c49f-347e-4fc4-9331-6e8eEXAMPLE</RequestId>
  </ResponseMetadata>
</DeleteLoginProfileResponse>

Now, you have successfully prevented unused passwords from being used to log in to the AWS Console if they become compromised.

As we mentioned in the other methods, you will still need to separately look to see if the user has unused access keys. You can do that with the ListAccessKeys action.
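The three methods above all come down to the same check: read each user's last password use, compare it with a threshold, and plan a DeleteLoginProfile for the stale ones. The script below is an added example (not Blink's or AWS's code) that does exactly that offline for all three data sources: the credential report CSV from the console method, the aws iam list-users JSON from the CLI method, and the ListUsers XML response from the API method. The sample inputs are constructed to mirror the Charlie and Lucy users from the guide (the CSV keeps only the report columns the guide uses), the 90-day threshold and the fixed "as of" date are assumptions, and the root row and the ambiguous missing PasswordLastUsed value are handled the way the text describes rather than silently deleted.

```python
"""Classify IAM console passwords as unused from the credential report CSV,
`aws iam list-users` JSON, or the ListUsers XML response, and emit the
matching delete-login-profile commands. Example code; constructed data."""
import csv
import io
import json
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

THRESHOLD_DAYS = 90                                   # assumption: 90-day policy
NOW = datetime(2023, 1, 15, tzinfo=timezone.utc)      # constructed "as of" date

# Constructed subset of a credential report (real reports have more columns).
CREDENTIAL_REPORT_CSV = """\
user,arn,user_creation_time,password_enabled,password_last_used
<root_account>,arn:aws:iam::123456789012:root,2016-01-01T00:00:00+00:00,not_supported,2022-12-01T09:00:00+00:00
Charlie,arn:aws:iam::123456789012:user/department_abc/group_def/Charlie,2017-06-19T10:01:44+00:00,true,2022-10-23T11:01:29+00:00
Lucy,arn:aws:iam::123456789012:user/department_abc/group_ghi/Lucy,2018-03-09T13:21:33+00:00,true,2018-05-21T13:21:51+00:00
Linus,arn:aws:iam::123456789012:user/Linus,2019-01-01T00:00:00+00:00,true,no_information
Sally,arn:aws:iam::123456789012:user/Sally,2019-01-01T00:00:00+00:00,false,N/A
"""

# Constructed `aws iam list-users` output (only the fields this check reads).
LIST_USERS_JSON = json.dumps({"Users": [
    {"UserName": "Charlie", "PasswordLastUsed": "2022-10-23T11:01:29Z"},
    {"UserName": "Lucy", "PasswordLastUsed": "2018-05-21T13:21:51Z"},
    {"UserName": "Sally"},  # field omitted: no password, or never used
]})

# Constructed ListUsers API response, trimmed to the same fields.
LIST_USERS_XML = """<ListUsersResponse xmlns="https://iam.amazonaws.com/doc/2010-05-08/">
 <ListUsersResult><Users>
  <member><UserName>Charlie</UserName><PasswordLastUsed>2022-10-23T11:01:29Z</PasswordLastUsed></member>
  <member><UserName>Lucy</UserName><PasswordLastUsed>2018-05-21T13:21:51Z</PasswordLastUsed></member>
  <member><UserName>Sally</UserName></member>
 </Users></ListUsersResult>
</ListUsersResponse>"""


def classify(last_used, now=None, threshold_days=THRESHOLD_DAYS):
    """Map a password_last_used / PasswordLastUsed value to a status.

    no_password  - report says N/A: the user has no console password
    never_used   - report says no_information: never used since tracking began
    unknown      - list-users / ListUsers omitted the field: either of the
                   above; only the credential report disambiguates
    unused       - last use is older than the threshold
    active       - used within the threshold
    """
    now = now or datetime.now(timezone.utc)
    if last_used is None:
        return "unknown"
    if last_used == "N/A":
        return "no_password"
    if last_used == "no_information":
        return "never_used"
    ts = datetime.fromisoformat(last_used.replace("Z", "+00:00"))  # accept both forms
    return "unused" if now - ts > timedelta(days=threshold_days) else "active"


def parse_credential_report(text):
    """Credential report CSV -> {user: password_last_used}."""
    return {r["user"]: r["password_last_used"] for r in csv.DictReader(io.StringIO(text))}


def parse_list_users_json(text):
    """`aws iam list-users` JSON -> {user: PasswordLastUsed or None}."""
    return {u["UserName"]: u.get("PasswordLastUsed") for u in json.loads(text)["Users"]}


def parse_list_users_xml(text):
    """ListUsers API XML -> {user: PasswordLastUsed or None}."""
    ns = {"iam": "https://iam.amazonaws.com/doc/2010-05-08/"}
    members = ET.fromstring(text).findall(".//iam:Users/iam:member", ns)
    return {m.findtext("iam:UserName", namespaces=ns):
            m.findtext("iam:PasswordLastUsed", default=None, namespaces=ns)
            for m in members}


def remediation_plan(last_used_by_user, now=None, threshold_days=THRESHOLD_DAYS):
    """Return (delete commands, users needing review).

    The root account has no deletable login profile, so it is skipped.
    'unknown' users go to review: pull the credential report before acting.
    """
    commands, review = [], []
    for user, last_used in sorted(last_used_by_user.items()):
        if user == "<root_account>":
            continue
        status = classify(last_used, now, threshold_days)
        if status in ("unused", "never_used"):
            commands.append(f"aws iam delete-login-profile --user-name {user}")
        elif status == "unknown":
            review.append(user)
    return commands, review


if __name__ == "__main__":
    for label, users in (("credential report", parse_credential_report(CREDENTIAL_REPORT_CSV)),
                         ("list-users JSON", parse_list_users_json(LIST_USERS_JSON)),
                         ("ListUsers XML", parse_list_users_xml(LIST_USERS_XML))):
        commands, review = remediation_plan(users, NOW)
        print(f"[{label}] delete: {commands}  review first: {review}")
```

Run against real data, replace the constructed strings with the downloaded report or the captured command output; the commands are only printed, so the delete step stays a deliberate, separate action. The split between "delete" and "review first" is the point: the credential report can tell a user with no password apart from one who has never used it, while list-users and ListUsers cannot, and the same check should be repeated for access keys before the user is considered cleaned up.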

Finding Unused Passwords Automatically with Blink

You can find unused passwords manually by following the steps above, but that relies on you taking the time to set reminders and manually update each user. It’s time-intensive and requires context-switching.

With Blink, you can easily create an automation that runs on a schedule to find passwords that have not been used in a certain number of days. You can then kick off a Slack notification that makes deleting their login profile as easy as clicking “approve”.

By automating this entire workflow, you can turn a best practice into a built-in workflow.

Create your free Blink account and boost your AWS security posture today.
