AWS Security Hub · IAM
IAM.22: IAM credentials unused for 45 days should be removed
Written and reviewed by Emnode · Last reviewed
What does AWS Security Hub IAM.22 check?
IAM.22 fails when an IAM user has a password or access key that has been unused for 45 days or more — the CIS-aligned threshold that sits one step stricter than the 90-day IAM.8 control.
Why does IAM.22 matter?
Incident data shows most credential-leak compromises exploit keys dormant for one to three months, so a credential idle at 45 days is statistically just as abandoned as one idle at 90. Acting at the tighter threshold roughly halves the window an unnoticed, exposed credential stays useful to an attacker.
How do I fix IAM.22?
- Pull the credential report and identify passwords and access keys idle for 45+ days.
- Deactivate each stale key and watch CloudTrail for a short observation window to confirm nothing depends on it.
- Delete the deactivated keys and remove unused console passwords.
- Set the AWS Config rule's maxCredentialUsageAge to 45 so the finding stays closed.
Remediation script · bash
# Find active access keys idle past 45 days and list them (review before deleting).
CUTOFF=$(date -u -d '45 days ago' +%Y-%m-%d)
# The report is built asynchronously; poll until its State is COMPLETE before fetching it.
until [ "$(aws iam generate-credential-report --query State --output text)" = "COMPLETE" ]; do sleep 2; done
# Credential report columns: 1 user, 9 access_key_1_active, 10 access_key_1_last_rotated,
# 11 access_key_1_last_used_date ("N/A" when the key has never been used, so fall back to column 10).
aws iam get-credential-report --query Content --output text | base64 -d \
| awk -F, -v c="$CUTOFF" 'NR>1 && $9=="true" && ($11 ~ /^[0-9]/ ? $11 : $10) < c {print $1, $10, $11}'
# Deactivate one stale key (user name and key ID are placeholders; take them from the listing above).
aws iam update-access-key --user-name old-contractor \
--access-key-id AKIAIOSFODNN7EXAMPLE --status Inactive
# Apply the CIS-aligned IAM password policy in one idempotent call.
aws iam update-account-password-policy --minimum-password-length 14 \
--require-uppercase-characters --require-lowercase-characters \
--require-numbers --require-symbols --password-reuse-prevention 24
# A clear-text key in a build project is compromised: rotate and delete, never just relocate.
aws iam delete-access-key --user-name ci-deploy --access-key-id AKIAIOSFODNN7EXAMPLE

Full walkthrough (console steps, edge cases and verification) in the lesson Rotate and remove stale IAM credentials.
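The script above only looks at a user's first access key. The following is an added example, not part of this page or of the AWS CLI, that evaluates the full IAM.22 condition over a credential report: console password, access key 1 and access key 2, with a never-used credential counted as idle since its creation or last rotation (assumed here to mirror the underlying Config rule). The function names and the sample report are constructed for this example.

```shell
# iam22_stale: read an IAM credential report CSV (as produced by
# `aws iam get-credential-report --query Content --output text | base64 -d`)
# on stdin and print one line per IAM.22 finding: "<user> <credential> <idle-since>".
# $1 is the cutoff date (YYYY-MM-DD); a credential idle since before it is stale.
iam22_stale() {
  awk -F, -v cutoff="$1" '
    # Credential report columns (1-indexed):
    #  1 user   3 user_creation_time   4 password_enabled   5 password_last_used
    #  9 access_key_1_active  10 access_key_1_last_rotated  11 access_key_1_last_used_date
    # 14 access_key_2_active  15 access_key_2_last_rotated  16 access_key_2_last_used_date
    function idle_since(last_used, fallback) {
      # "N/A" and "no_information" mean never used: count from creation/rotation instead.
      return ((last_used ~ /^[0-9]/) ? last_used : fallback)
    }
    function check(name, active, last_used, fallback,    since) {
      if (active != "true") return
      since = idle_since(last_used, fallback)
      # ISO-8601 timestamps compare correctly as strings against a YYYY-MM-DD cutoff.
      if (since < cutoff) printf "%s %s %s\n", $1, name, substr(since, 1, 10)
    }
    # Skip the root row: root credentials are covered by IAM.4 and IAM.9, not IAM.22.
    NR > 1 && $1 != "<root_account>" {
      check("password",     $4,  $5,  $3)
      check("access_key_1", $9,  $11, $10)
      check("access_key_2", $14, $16, $15)
    }'
}

# Live use (assumed wrapper): build the report, then evaluate it against a cutoff of 45 days ago.
iam22_stale_live() {
  until [ "$(aws iam generate-credential-report --query State --output text)" = "COMPLETE" ]; do sleep 2; done
  aws iam get-credential-report --query Content --output text | base64 -d \
    | iam22_stale "$(date -u -d '45 days ago' +%Y-%m-%d)"
}

# Constructed sample report (not real account data) with the 18 leading columns of the real CSV.
SAMPLE_REPORT='user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service
<root_account>,arn:aws:iam::111122223333:root,2022-05-01T00:00:00+00:00,not_supported,2024-04-01T00:00:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,2023-01-10T09:00:00+00:00,true,2024-04-10T08:00:00+00:00,2023-01-10T09:00:00+00:00,N/A,true,true,2023-06-01T00:00:00+00:00,2024-04-01T00:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A
bob,arn:aws:iam::111122223333:user/bob,2023-01-10T09:00:00+00:00,true,no_information,2023-01-10T09:00:00+00:00,N/A,false,true,2024-04-01T00:00:00+00:00,N/A,N/A,N/A,true,2023-11-01T00:00:00+00:00,2023-12-15T00:00:00+00:00,eu-west-1,ec2
carol,arn:aws:iam::111122223333:user/carol,2023-01-10T09:00:00+00:00,false,N/A,N/A,N/A,false,false,2023-02-01T00:00:00+00:00,2023-02-02T00:00:00+00:00,us-east-1,sts,false,N/A,N/A,N/A,N/A'

# Evaluate the sample as of 2024-04-15 (cutoff 2024-03-01): bob has a never-used password
# dating from user creation and a second key last used in December; alice and carol are clean.
printf '%s\n' "$SAMPLE_REPORT" | iam22_stale 2024-03-01
```

Because a never-used key counts from its rotation date, the freshly rotated, not-yet-used key 1 on bob is not flagged, which is the case a naive "last used" check silently gets wrong.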
More IAM controls
- IAM.1 A policy grants full "*" administrative privileges
- IAM.2 Policies attached directly to users do not scale or audit cleanly
- IAM.3 Long-lived access keys have not been rotated
- IAM.4 The root user still has long-lived access keys
- IAM.5 Console users without MFA are one phish from compromise
- IAM.6 The root user is not protected by hardware MFA
- IAM.7 The IAM password policy is too weak
- IAM.8 Unused IAM keys and passwords are waiting to be leaked
- IAM.9 The root user can sign in without MFA
- IAM.10 IAM user password policies should be strong (PCI DSS)
- IAM.19 MFA should be enabled for all IAM users
- IAM.21 Wildcard permissions grant far more access than intended