Compliance

Rotate and remove stale IAM credentials

One capability across IAM users, CodeBuild projects and Cognito pools: keep credentials short-lived, remove the ones nobody uses, enforce a strong password policy, and never leave a static key sitting in clear text.

15 min·10 sections·AWS

Last reviewed 16 June 2026

Remediates AWS Security Hub: CodeBuild.1 CodeBuild.2 Cognito.3 IAM.7 IAM.8 IAM.10 IAM.22

Credential hygiene: the basics

What does "stale or exposed credential" actually mean across AWS?

A credential is anything that proves an identity: an IAM user's console password or access key, a long-lived key baked into a build pipeline, the password rules that govern human logins. These are static secrets. They do not expire on their own, they do not rotate on their own, and they keep working until somebody explicitly deactivates, deletes or rotates them. Credential hygiene is the capability of keeping that pool of static secrets small, fresh and out of clear text.

AWS Security Hub turns each failure mode into its own control. IAM.8 flags credentials unused for 90 days or more; IAM.22 is the stricter, CIS-aligned 45-day version of the same. IAM.7 and IAM.10 check that the account-wide IAM password policy meets a strong baseline (length, complexity, reuse history). Cognito.3 checks that customer-facing user pools enforce a strong password policy. CodeBuild.1 and CodeBuild.2 catch credentials embedded in build projects, a Bitbucket token in a source URL or a plain-text AWS_ACCESS_KEY_ID in the environment.

They look like separate problems on the report, but they are one capability: a credential that is stale, weak or sitting in clear text is free attack surface with no business benefit. The job is to find every dormant credential, every weak policy, and every embedded secret, then rotate, remove or relocate them, and finally make short-lived credentials the default so the problem stops re-accumulating.

In this lesson you will learn how AWS expresses credential hygiene across dormant IAM credentials, password policy, and secrets embedded in build pipelines, how to find every stale or exposed credential in an account, and how to rotate, remove or relocate them without breaking a workload you had forgotten about. The Controls this lesson covers section lists every Security Hub control in this capability, each linking to a deep page with the exact check and a copy-and-paste fix.

Fun fact

The contractor who left in 2019

In a well-known incident, an attacker found an AWS access key in a public commit from years earlier, pushed by a contractor who had since left the company. The key was still active and held broad S3 read permissions. The attacker exfiltrated over a terabyte of customer data before anomaly detection caught the unfamiliar address, and the remediation, investigation, disclosure, fines and credit monitoring, ran into seven figures. The cost of running delete-access-key at the time would have been zero. The same pattern repeats with embedded keys: researchers who plant canary keys in public repositories measure the time from commit to first malicious API call in single-digit minutes.

Finding stale and exposed credentials across an estate

Priya inherited the IAM hygiene backlog at a fintech. Security Hub shows a mix of credential failures: dozens of IAM.8 and IAM.22 findings for dormant keys, a failing password policy, and a Critical CodeBuild.2 finding flagging a plain-text key in a build project.

Rather than work the findings one by one, she drives the cleanup off the IAM credential report, which lists every user's last-use timestamps in one place, so she can separate genuinely dormant credentials from active ones before deactivating anything.

Generate the credential report and pull the last-use timestamps that both IAM.8 (90 days) and the stricter IAM.22 (45 days) evaluate.

$ aws iam generate-credential-report && aws iam get-credential-report --query Content --output text | base64 -d | awk -F, 'NR==1 || $6=="true" {print $1","$5","$10}'

user,password_last_used,access_key_1_last_used_date

alice,2026-05-10T08:14:21+00:00,2026-05-12T16:02:09+00:00

bob-contractor,2024-04-18T13:55:00+00:00,2024-03-22T09:18:44+00:00

ci-deploy-2022,N/A,2025-09-04T22:11:08+00:00

# bob-contractor: both creds last used over a year ago. ci-deploy-2022: active key, idle 8 months.

Dormant credentials on departed users and old pipelines are the bulk of the work. Disable first, watch for breakage, then delete.

How AWS tracks credential statedeep dive

The dormancy controls run off the IAM credential report. Every signed API call updates the AccessKeyLastUsed field, and console logins stamp PasswordLastUsed. IAM.8 fails any active credential idle for 90 days or more; IAM.22 is the same evaluation pinned to 45 days via the Config rule iam-user-unused-credentials-check and its maxCredentialUsageAge parameter. The report regenerates at most every four hours, so a fix does not clear the finding instantly. A never-used credential reads as N/A but its age is measured from creation, so a key created 60 days ago and never touched still fails.

The password-policy controls read a single global object per account. IAM.7 and IAM.10 fail when the account policy falls short of the CIS baseline (minimum length 14, all four character classes, reuse prevention of the last 24 passwords). The policy is enforced at password-set time, so tightening it does not force existing users to rotate, it just blocks weak new passwords. Cognito.3 applies the same idea to a customer user pool's password policy. Note that the IAM policy only governs IAM users with console passwords; if your humans sign in via IAM Identity Center, your real password policy lives in your identity provider.

The CodeBuild controls inspect the project definition. CodeBuild.1 flags credentials embedded in a source repository URL; CodeBuild.2 flags AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY stored as PLAINTEXT environment variables. The key insight is that a build running inside AWS never needs a static key: CodeBuild hands the container the project's service-role credentials automatically. The right fix is usually to delete the variables entirely, and for genuine third-party secrets to reference them by the SECRETS_MANAGER or PARAMETER_STORE variable type so the value resolves at build time and never lands in the project, in IaC state, or in batch-get-projects output.

What is the impact of leaving credentials stale or exposed?

The direct impact is leakage turning into access. A long-lived key in a Git history, a clear-text variable in a build project, or a weak password on an admin user becomes account access at whatever permission level the credential holds. For a broad or administrative credential this is total compromise: the attacker can create new identities, disable logging, exfiltrate every bucket, and spin up mining fleets. Because dormant and embedded credentials are rarely watched, the breach often runs for days before anyone notices.

The second-order impact is privilege creep on forgotten identities. Dormant users typically still hold the permissions they had when they were active, often broad, often the residue of "just give them admin while we figure out what they need". An attacker who finds those credentials does not get yesterday's narrow scope; they get the whole accumulated history. The CodeBuild keys are the same risk in clear text: a static key in a project is a standing master credential anyone with read access can copy.

On the compliance side, SOC 2, ISO 27001, PCI DSS and NIST 800-53 all expect documented credential lifecycle controls, a strong password policy and protection of stored credentials. A wall of dormant-credential findings, a weak password policy, or a Critical plain-text-key finding is exactly the evidence an auditor pulls in the first ten minutes, and it is the kind of thing that holds up a SOC 2 or PCI attestation and the enterprise deals that depend on it.

How do you clean up credentials safely?

Work the capability as one loop rather than chasing individual findings. The order matters: inventory before you delete, disable before you delete, rotate exposed keys rather than just hiding them, and fix the source so the findings do not return.

1. Inventory every stale and exposed credential

Generate the IAM credential report and flag any active key or password idle past your threshold (90 days for IAM.8, the stricter 45 days for IAM.22, including never-used credentials older than the threshold). Audit the account-wide password policy against the CIS baseline for IAM.7/IAM.10, and check Cognito pools for Cognito.3. Scan every CodeBuild project across every region for credentials in source URLs (CodeBuild.1) and PLAINTEXT AWS keys (CodeBuild.2). Treat this inventory as the source of truth, not the raw finding count.

2. Disable before you delete; prefer deletion over indefinite disabling

For dormant access keys, run update-access-key --status Inactive and watch CloudTrail for 7 to 30 days; an inactive key rejects all calls, so any forgotten workload screams loudly within the window. Delete the keys that stayed silent. For dormant console passwords, remove the login profile. Reversible-first is the entire point, because the one key you cannot trace is the one a nightly job depends on.

3. Tighten the password policy and rotate exposed keys

Apply the CIS-aligned IAM password policy in a single idempotent call (length 14, all four character classes, reuse prevention 24) and set a matching strong policy on Cognito pools. For any key that was ever stored in clear text in a build project, treat it as compromised: rotate and delete it rather than just relocating it, because moving a still-valid key into a secret store closes the finding but leaves the leaked value usable forever.

4. Make short-lived credentials the default and enforce continuously

The durable answer is not better cleanup, it is not having long-lived credentials at all. Replace IAM users for humans with IAM Identity Center sessions, replace service-account keys with IAM roles the workload assumes, and in CodeBuild delete static keys in favour of the service role (referencing genuine third-party secrets via the SECRETS_MANAGER or PARAMETER_STORE type). Back it with AWS Config rules, an SCP that blocks creating long-lived keys, and credential revocation built into offboarding so the count stays down.

# Find active credentials idle past 45 days and disable them (review before deleting).
CUTOFF=$(date -u -d '45 days ago' +%Y-%m-%d)
aws iam generate-credential-report >/dev/null
aws iam get-credential-report --query Content --output text | base64 -d \
  | awk -F, -v c="$CUTOFF" 'NR>1 && $9=="true" && $11<c {print $1, $10}'
aws iam update-access-key --user-name old-contractor \
  --access-key-id AKIAIOSFODNN7EXAMPLE --status Inactive

# Apply the CIS-aligned IAM password policy in one idempotent call.
aws iam update-account-password-policy --minimum-password-length 14 \
  --require-uppercase-characters --require-lowercase-characters \
  --require-numbers --require-symbols --password-reuse-prevention 24

# A clear-text key in a build project is compromised: rotate and delete, never just relocate.
aws iam delete-access-key --user-name ci-deploy --access-key-id AKIAIOSFODNN7EXAMPLE

Quick quiz

Question 1 of 5

Security Hub shows dormant-credential findings, a weak password policy, and a plain-text key in a CodeBuild project. What is the most efficient way to think about them?

Keep learning

Go deeper on the credential lifecycle across the services in this capability.

You can now treat credential hygiene as one capability rather than a scatter of findings: inventory every dormant credential, weak policy and embedded secret, disable before you delete, rotate any key that was ever exposed rather than just relocating it, set a strong password baseline, and make short-lived credentials the default so the surface stops re-accumulating. The Controls this lesson covers section below links every control in this group to its deep page and fix.

Back to the library

Credential hygiene: the cost and risk view

Dormant and exposed credentials are uninsured liabilities with a near-zero removal cost

IAM users and their credentials are free, so this capability is almost never a line on the invoice. The cost lives entirely on the risk side. A dormant access key from a departed contractor, a weak password on an admin user, or a plain-text key in a build project is a static secret that an attacker can use the moment they find it, and leaked AWS keys are scraped from public repositories within minutes. The remediation, by contrast, is engineering time measured in hours.

Frame each failing control as a line on the risk register weighted by what the credential can reach. A dormant key on a user with broad S3 or admin permissions is a far higher expected loss than one on a read-only log viewer, yet both show up as a single Medium finding. The CodeBuild controls are rated Critical for the same reason: a long-lived key in clear text is a master credential anyone with read access to the project can copy. Prioritise by blast radius, not by finding count.

The insurance maths is one-sided. The documented cost of a credential-based breach, incident response, forensics, regulatory notification and a possible runaway crypto-mining bill, routinely runs into seven figures. The cost of running a credential audit, tightening a password policy and moving a secret into a managed store is essentially zero. This is a control you keep at or near a clean state, not one you optimise for spend.

This lesson is for the finance partner who sees a cluster of credential findings on the security report and wants to know what the right response is and what it costs. It covers why these controls are near-free to fix and expensive to ignore, how to prioritise by blast radius rather than raw finding count, and the governance levers, offboarding linkage, an enforced no-static-keys standard and a trend metric, that keep the count down without anyone touching the console.

Fun fact

The contractor who left in 2019

How a finance partner frames the credential cleanup

Priya is the finance partner for the platform team at the same fintech. Security Hub hands her a cluster of credential findings: dozens of IAM.8 and IAM.22 dormant-key flags, a failing IAM.7/IAM.10 password policy, and a single Critical CodeBuild.2 finding for a plain-text key. Her first instinct is not to ask what it costs, because she already knows the answer is roughly nothing in AWS spend. Her question is which of these credentials could turn a leak into a balance-sheet event, and which are noise on the report.

She asks the team to cross-reference each flagged credential against the permissions it actually holds. The dormant key on the read-only log viewer is a low-weight line on her risk register. The never-rotated key on an admin user and the plain-text CodeBuild key are the ones she front-loads, because their misuse is the seven-figure breach scenario with incident response, regulatory notification and a possible runaway crypto-mining bill behind it. Her output for the risk pack is one sentence: the cleanup is near-zero cost, and we prioritise it by blast radius, not by finding count.

Why credential hygiene belongs on the risk register

The cost model here is asymmetric. Removing a dormant key, tightening a password policy or relocating a secret costs nothing in AWS spend, and leaving them open creates an unbounded tail risk. Each failing credential is a place where a leak becomes account access, and while the probability per credential is low, the probability across all of them over years is not. A leaked admin key can also drive a five- or six-figure crypto-mining bill before detection, and AWS waives fraudulent charges only partly and only when you can show reasonable controls were in place.

There is a compliance-cost dimension too. A failing credential control can turn a smooth SOC 2 or PCI audit into one with a qualification or a remediation plan, which means auditor follow-up hours, management attention, and sometimes a disclosure to customers who gate purchasing on a clean report. The finance role is to prioritise the cleanup by blast radius, front-loading the broad and administrative credentials whose misuse would generate the breach-cost event, and to treat a rising finding count as a leading indicator that offboarding or pipeline hygiene has slipped.

What finance can drive on credential hygiene

Finance cannot run the CLI, but it owns the framing that turns credential cleanup from a one-off fire drill into a standing control. Three levers, used at the regular review.

1. Prioritise by blast radius, not by finding count

Cross-reference each flagged credential against the permissions it holds, and front-load the broad and administrative ones whose misuse would generate a breach-cost event. A dormant read-only key is lower urgency than a never-rotated admin key or a clear-text key in a pipeline.

2. Insist on rotate-not-hide for exposed credentials

Do not accept the finding is closed as proof the risk is gone. For any key that was ever in clear text, confirm it was rotated and the old version deleted, not just relocated into a secret store while still valid. Make this the standard question for every Critical credential finding.

3. Tie revocation to offboarding and fund the structural fix

Make credential revocation a mandatory, audited step in offboarding, and back the project to retire long-lived keys for short-lived role credentials. The first closes today's findings; the second removes the surface so they cannot quietly reopen.

Quick quiz

Question 1 of 5

Why is closing a credential-hygiene finding described as a one-sided insurance trade for finance?

Keep learning

Go deeper on the credential lifecycle across the services in this capability.

You have finished the finance view of credential hygiene. You know the cost is one-sided (near-zero to fix, potentially seven figures to ignore), that the right metric is blast radius rather than finding count, that an exposed key must be rotated and deleted rather than relocated while live, and that the dormant-credential trend, not the snapshot, tells you whether offboarding and credential cleanup are actually connected. Next time a wall of credential findings lands, you will ask a sharper question than how much will this cost.

Back to the library

Credential hygiene: the headline

Whether forgotten or exposed credentials are quietly widening the attack surface

Static credentials accumulate. People leave, pipelines are retired, secrets get pasted into config, and unless someone removes them, they stay valid and unmonitored for years. The report shows this as a scatter of findings across IAM users, build projects and customer pools, but the leadership question behind all of them is one sentence: is access removed and rotated as a matter of process, or only when someone remembers?

The finding count is a proxy for how reliably the organisation manages the credential lifecycle. A high count of dormant credentials means offboarding and credential cleanup are decoupled. A plain-text key in a pipeline usually means there is no enforced no-static-credentials standard. Closing these findings and keeping them closed is evidence of a process that works by design.

Almost none of this is a cost decision. Removing a key, setting a password policy, or moving a secret into a managed store is free in AWS terms. It is a governance decision about whether the credential surface shrinks automatically or grows with every departure and every copy-pasted pipeline.

A short read for the leader who needs to know what stale and exposed credentials expose, why closing them is a governance decision rather than a budget one, and what a defensible end state looks like: short-lived credentials by default, a strong password baseline, and no static keys in clear text.

Fun fact

The contractor who left in 2019

What it looks like when credential lifecycle is governed, not remembered

After a peer in the sector disclosed a breach traced to a years-old access key left by a departed contractor, the CEO asked one question at the next risk review: could that happen to us, and how would we know? The honest answer was that nobody could say, because credential cleanup happened when an engineer remembered it rather than as a step in offboarding. The dormant-credential count on the security report was the visible symptom of that gap.

The leadership response was to treat credential hygiene as a process requirement rather than a backlog of findings. Credential revocation became a mandatory, audited step in offboarding; static keys in pipelines were banned by policy and enforced with a service control policy; human sign-in moved to IAM Identity Center. Six months on, the question changed from could that happen to us to what is our dormant-credential trend, and the answer was a line that stayed low quarter on quarter. That trend, not the point-in-time count, is the signal that belongs on a governance review.

Why this is a governance indicator, not just a finding

The finding count for this capability measures how reliably the organisation manages the credential lifecycle. A high dormant-credential count means access provisioning and offboarding are not connected. A plain-text key in a pipeline means there is no enforced standard against static credentials. Those are governance gaps, not technical ones, and they predict larger problems in the same blind spot.

The downstream consequences are material: every dormant or embedded credential is a potential unauthorised entry point with full use of whatever permissions were granted, with no monitoring and no one watching the logs. In the incident cases that get the most press coverage, this is exactly the access vector, a credential that existed because nobody took the thirty-second step of removing or rotating it. The cost of getting it wrong is large and well documented; the cost of fixing it is engineering time, which is the trade leadership should be quickest to approve.

The leadership move on credential hygiene

The handle is a process requirement, not a cleanup mandate: hygiene degrades automatically unless lifecycle management is built in.

1. Build revocation and rotation into the lifecycle

Require that credential revocation is part of offboarding and that no static AWS key lives in a pipeline or config. The finding count accumulates precisely because departures and credential cleanup are decoupled; connecting them at the process level is the only structural fix.

2. Ban static credentials as policy

Anything that needs a secret goes through the managed secret store; roles provide everything else, and human sign-in moves to IAM Identity Center. Enforce it automatically so it is a guardrail, not a guideline.

3. Ask for the trend, not the point-in-time count

A count that resets high every quarter means the cleanup is happening but the process is still broken. Only the trend distinguishes a working lifecycle from a recurring whack-a-mole.

Quick quiz

Question 1 of 5

What does a persistently high dormant-credential count signal to leadership?

Keep learning

Go deeper on the credential lifecycle across the services in this capability.

Two takeaways: a dormant or exposed credential is an uninsured liability that exists because nobody took the thirty-second step of removing or rotating it, and the durable fix is governance, not cleanup. The trade is engineering hours against a documented seven-figure breach pattern, which is the one leadership should be quickest to approve. Watch the trend, demand rotate-not-hide proof, and ban static credentials as policy so the surface shrinks by design.

Back to the library

Controls this lesson covers

One capability, many AWS Security Hub controls. This lesson is the shared playbook; each control below keeps its own deep page with the exact check, severity and a copy-and-paste fix.

Rotate and remove stale IAM credentials

Credential hygiene: the basics

The contractor who left in 2019

Finding stale and exposed credentials across an estate

How AWS tracks credential statedeep dive

What is the impact of leaving credentials stale or exposed?

How do you clean up credentials safely?

1. Inventory every stale and exposed credential

2. Disable before you delete; prefer deletion over indefinite disabling

3. Tighten the password policy and rotate exposed keys

4. Make short-lived credentials the default and enforce continuously

Quick quiz

Keep learning

Credential hygiene: the cost and risk view

The contractor who left in 2019

How a finance partner frames the credential cleanup

Why credential hygiene belongs on the risk register

What finance can drive on credential hygiene

1. Prioritise by blast radius, not by finding count

2. Insist on rotate-not-hide for exposed credentials

3. Tie revocation to offboarding and fund the structural fix

Quick quiz

Keep learning

Credential hygiene: the headline

The contractor who left in 2019

What it looks like when credential lifecycle is governed, not remembered

Why this is a governance indicator, not just a finding

The leadership move on credential hygiene

1. Build revocation and rotation into the lifecycle

2. Ban static credentials as policy

3. Ask for the trend, not the point-in-time count

Quick quiz

Keep learning

Controls this lesson covers

CodeBuild

Cognito

IAM

Related compliance lessons