
How do I troubleshoot IAM user security issues and suspicious activity?


I want to troubleshoot AWS Identity and Access Management (IAM) user security issues and suspicious activity.

Resolution

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, see Troubleshooting errors for the AWS CLI. Also, confirm that you're using the most recent AWS CLI version.

IAM user security issues can result from compromised credentials, unauthorized access, or suspicious activity patterns. Use the following resolution to identify suspicious activity and secure your IAM users.

Use CloudTrail to identify suspicious IAM user activity

AWS CloudTrail logs all IAM user actions. When you receive a suspicious activity alert for an IAM user, use AWS CloudTrail to identify the actions that the user performed.

To use the CloudTrail console to identify suspicious IAM user activity, see View event history. Under Lookup attributes, choose User name in the dropdown list and then enter the username.

Review the events for unusual actions, unexpected source IP addresses, or access to sensitive resources. For events that show error code values, such as AccessDenied or UnauthorizedOperation, note the event name and resource to identify what the user tried to access.

To use the AWS CLI, run the following lookup-events AWS CLI command:

aws cloudtrail lookup-events \
    --lookup-attributes AttributeKey=Username,AttributeValue=IAM-USERNAME \
    --start-time START-TIME \
    --end-time END-TIME \
    --region REGION

Note: Replace IAM-USERNAME with the IAM username, START-TIME and END-TIME with the time period that you want to review, and REGION with your AWS Region.
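The lookup-events command prints a JSON document in which each event's full CloudTrail record (source IP, error code, and so on) is nested as a JSON string in the CloudTrailEvent field. The following Python script is an added example, not part of this article or of the AWS CLI, that triages that output for the three things the text says to look for: error codes such as AccessDenied or UnauthorizedOperation, source IP addresses outside the networks you expect, and calls to sensitive APIs. The trusted network range, the sensitive-API list and the sample events are all constructed for the example.

```python
import json
from ipaddress import ip_address, ip_network

# Assumed for this example: the networks your users normally work from.
TRUSTED_NETWORKS = ["198.51.100.0/24"]

# Assumed triage list: API calls that change who can access the account or
# that tamper with logging. Tune this to your environment.
SENSITIVE_APIS = {
    "CreateAccessKey", "CreateUser", "CreateLoginProfile", "AttachUserPolicy",
    "PutUserPolicy", "UpdateAccessKey", "DeleteTrail", "StopLogging",
}


def _event(event_id, name, source, time, source_ip, error_code=None):
    """Build one record in the shape lookup-events returns; the CloudTrailEvent
    field is the full event serialised as a JSON string."""
    detail = {"eventName": name, "eventSource": source, "eventTime": time,
              "sourceIPAddress": source_ip, "awsRegion": "us-east-1"}
    if error_code:
        detail["errorCode"] = error_code
    return {"EventId": event_id, "EventName": name, "EventTime": time,
            "EventSource": source, "Username": "example-user",
            "CloudTrailEvent": json.dumps(detail)}


# Constructed sample output of `aws cloudtrail lookup-events` for one user.
SAMPLE_LOOKUP_OUTPUT = json.dumps({"Events": [
    _event("evt-1", "ListBuckets", "s3.amazonaws.com", "2024-01-15T09:12:44Z", "198.51.100.20"),
    _event("evt-2", "GetBucketPolicy", "s3.amazonaws.com", "2024-01-15T09:13:02Z", "203.0.113.7", "AccessDenied"),
    _event("evt-3", "CreateAccessKey", "iam.amazonaws.com", "2024-01-15T09:15:30Z", "198.51.100.20"),
    _event("evt-4", "DescribeInstances", "ec2.amazonaws.com", "2024-01-15T09:16:01Z", "203.0.113.7", "Client.UnauthorizedOperation"),
]})


def _ip_is_trusted(source, trusted_networks):
    try:
        addr = ip_address(source)
    except ValueError:
        # CloudTrail records an AWS service DNS name (for example
        # "cloudtrail.amazonaws.com") instead of an IP when an AWS service
        # made the call on the user's behalf; the IP check does not apply.
        return True
    return any(addr in ip_network(net) for net in trusted_networks)


def triage_events(lookup_output_json, trusted_networks=TRUSTED_NETWORKS):
    """Return the events that deserve a closer look, each with its findings."""
    flagged = []
    for ev in json.loads(lookup_output_json).get("Events", []):
        detail = json.loads(ev["CloudTrailEvent"])
        findings = []
        error_code = detail.get("errorCode")
        if error_code:  # AccessDenied, *UnauthorizedOperation, ...
            findings.append(f"error:{error_code}")
        src = detail.get("sourceIPAddress", "")
        if not _ip_is_trusted(src, trusted_networks):
            findings.append(f"untrusted-ip:{src}")
        if detail.get("eventName") in SENSITIVE_APIS:
            findings.append(f"sensitive-api:{detail['eventName']}")
        if findings:
            flagged.append({"event_id": ev["EventId"], "event_name": ev["EventName"],
                            "event_time": ev["EventTime"], "source_ip": src,
                            "findings": findings})
    return flagged


if __name__ == "__main__":
    for hit in triage_events(SAMPLE_LOOKUP_OUTPUT):
        print(hit["event_time"], hit["event_name"], hit["source_ip"], ", ".join(hit["findings"]))
```

To run it against a real account, save the output of the lookup-events command with --output json to a file and pass the file contents to triage_events. Events flagged only for an untrusted IP still need a human decision; a VPN egress or a new office is a common benign explanation, so keep TRUSTED_NETWORKS current.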

Deactivate IAM user credentials

If you identify suspicious activity, then use the IAM console to delete the password and deactivate the access key that's associated with the IAM user. When you remove access, the IAM user can no longer sign in to the AWS Management Console or call API operations.

To use the AWS CLI to delete an IAM user's password, see Creating, changing or deleting an IAM user password (AWS CLI).

To use the AWS CLI to deactivate the access key, run the following update-access-key AWS CLI command:

aws iam update-access-key \
    --user-name IAM-USERNAME \
    --access-key-id ACCESS-KEY-ID \
    --status Inactive

Note: Replace IAM-USERNAME with the IAM username and ACCESS-KEY-ID with the access key ID to deactivate.

Confirm that you deactivated the IAM user

To confirm that you deactivated the IAM user, use the console to download an IAM credential report. The credential report shows the status of all IAM user credentials in your AWS account.

In the credential report, confirm that the values in the password_enabled, access_key_1_active, and access_key_2_active columns are false for that user.

For more information about IAM user credential reports, see Generate credential reports for your AWS account.
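The same check can be scripted from the AWS CLI output. The credential report is a CSV file, and `aws iam get-credential-report` returns it base64-encoded in a Content field. The following Python is an added example, not code from this article or from AWS, that decodes that output, checks the three columns named above for one user, and, going a step beyond the text, sweeps the whole report for any user that still has a password or an active access key. The sample report and the 123456789012 account ID are constructed placeholders; the real report carries additional columns (last-used and rotation dates, signing-certificate status) that this example selects past by column name.

```python
import base64
import csv
import io
import json

# The columns the article says to check.
CREDENTIAL_COLUMNS = ("password_enabled", "access_key_1_active", "access_key_2_active")

# Constructed sample report (subset of the real report's columns). The root
# row reports "not_supported" rather than true/false for password_enabled.
SAMPLE_CSV = """user,arn,password_enabled,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::123456789012:root,not_supported,true,false,false
deactivated-user,arn:aws:iam::123456789012:user/deactivated-user,false,false,false,false
still-active-user,arn:aws:iam::123456789012:user/still-active-user,false,false,true,false
"""

# Constructed in the shape `aws iam get-credential-report` prints: the CSV
# arrives base64-encoded in the "Content" field.
SAMPLE_CLI_OUTPUT = json.dumps({
    "Content": base64.b64encode(SAMPLE_CSV.encode("utf-8")).decode("ascii"),
    "ReportFormat": "text/csv",
    "GeneratedTime": "2024-01-15T10:00:00Z",
})


def decode_credential_report(cli_output_json):
    """Turn the get-credential-report JSON into plain CSV text."""
    payload = json.loads(cli_output_json)
    if payload.get("ReportFormat") != "text/csv":
        raise ValueError(f"unexpected report format: {payload.get('ReportFormat')!r}")
    return base64.b64decode(payload["Content"]).decode("utf-8")


def _rows(report_csv):
    return csv.DictReader(io.StringIO(report_csv))


def _active_columns(row):
    # Only an explicit "true" counts as active; "false", "not_supported" (root
    # row) and any other value mean the credential is not usable.
    return [c for c in CREDENTIAL_COLUMNS if row.get(c, "").strip().lower() == "true"]


def still_active_credentials(report_csv, username):
    """Columns among CREDENTIAL_COLUMNS that are still 'true' for one user."""
    for row in _rows(report_csv):
        if row["user"] == username:
            return _active_columns(row)
    raise KeyError(f"user {username!r} is not in the credential report")


def is_fully_deactivated(report_csv, username):
    return not still_active_credentials(report_csv, username)


def users_with_active_credentials(report_csv):
    """Sweep the whole report: every IAM user that still has a password or an
    active access key. The root row is skipped; its credentials are not IAM
    user credentials and are handled separately."""
    result = {}
    for row in _rows(report_csv):
        if row["user"] == "<root_account>":
            continue
        active = _active_columns(row)
        if active:
            result[row["user"]] = active
    return result


if __name__ == "__main__":
    report = decode_credential_report(SAMPLE_CLI_OUTPUT)
    for user in ("deactivated-user", "still-active-user"):
        left = still_active_credentials(report, user)
        print(user, "fully deactivated" if not left else f"still active: {left}")
    print("users with live credentials:", users_with_active_credentials(report))
```

Against a real account, run `aws iam generate-credential-report` first, then save the output of `aws iam get-credential-report --output json` to a file and pass its contents to decode_credential_report. A freshly generated report can lag a credential change by a few minutes, so regenerate it after deactivating the user rather than reusing an older one.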

Configure your IAM settings to prevent unauthorized access

To reduce the risk of unauthorized access, configure a strong password policy and enforce multi-factor authentication (MFA) to provide additional layers of security.

To configure a strong password policy, complete the following steps:

  1. Open the IAM console.
  2. In the navigation pane, choose Account settings.
  3. Under Password policy, choose Edit.
  4. Choose Custom, and then configure the following settings:
    For Password minimum length, enter a value of 14 or more characters.
    For Other requirements, select Turn on password expiration and enter 90 days. Also, select Prevent password reuse and enter the number of passwords to remember.
  5. Choose Save changes.

To enforce MFA for IAM users, create an IAM policy that requires MFA for all actions, except the required actions to set up MFA.

Attach the following policy to your IAM users or groups:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAllExceptMFASetupIfNoMFA",
      "Effect": "Deny",
      "NotAction": [
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:GetUser",
        "iam:ListMFADevices",
        "iam:ListVirtualMFADevices",
        "iam:ResyncMFADevice",
        "sts:GetSessionToken"
      ],
      "Resource": "*",
      "Condition": {
        "BoolIfExists": {
          "aws:MultiFactorAuthPresent": "false"
        }
      }
    }
  ]
}
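The reason this policy uses BoolIfExists rather than Bool is easy to miss: AWS documents that the aws:MultiFactorAuthPresent key is present (true or false) only for requests made with temporary credentials, such as a console session or an STS token, and is absent altogether for calls made with a long-term access key. The following Python is an added example, not part of this article and not an AWS tool, that models just the pieces of IAM evaluation this one statement relies on (an explicit Deny with NotAction, Resource "*", and a Bool or BoolIfExists condition) so you can see which requests the statement denies. It is not a full policy evaluator and says nothing about whether another policy would Allow the action; the request contexts at the bottom are constructed.

```python
import fnmatch

# The article's MFA-enforcement policy, as a Python dict.
MFA_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyAllExceptMFASetupIfNoMFA",
        "Effect": "Deny",
        "NotAction": ["iam:CreateVirtualMFADevice", "iam:EnableMFADevice",
                      "iam:GetUser", "iam:ListMFADevices",
                      "iam:ListVirtualMFADevices", "iam:ResyncMFADevice",
                      "sts:GetSessionToken"],
        "Resource": "*",
        "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
    }],
}


def _action_matches(pattern, action):
    # IAM action names are matched case-insensitively and may use '*' wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _condition_matches(condition, request_context):
    """Evaluate a Condition block of Bool / BoolIfExists operators.
    Per IAM semantics an '...IfExists' operator treats a missing key as a
    match, while the plain operator treats a missing key as no match."""
    for operator, pairs in condition.items():
        if operator not in ("Bool", "BoolIfExists"):
            raise NotImplementedError(f"operator {operator} not modelled here")
        for key, expected in pairs.items():
            if key not in request_context:
                if operator.endswith("IfExists"):
                    continue
                return False
            if str(request_context[key]).lower() != str(expected).lower():
                return False
    return True


def statement_denies(statement, action, request_context):
    """True if this explicit-Deny statement applies to (action, context).
    Only Deny + NotAction + Resource "*" + Bool conditions are modelled."""
    if statement.get("Effect") != "Deny":
        return False
    if any(_action_matches(p, action) for p in statement.get("NotAction", [])):
        return False  # action is on the exemption list
    return _condition_matches(statement.get("Condition", {}), request_context)


def with_plain_bool(statement):
    """Variant of the statement that uses 'Bool' instead of 'BoolIfExists',
    to show what changes for requests where the key is absent."""
    cond = statement["Condition"]["BoolIfExists"]
    return {**statement, "Condition": {"Bool": dict(cond)}}


# Constructed request contexts. Temporary credentials carry the key as
# "true" or "false"; a long-term access key carries no such key at all.
CTX_MFA = {"aws:MultiFactorAuthPresent": "true"}
CTX_NO_MFA = {"aws:MultiFactorAuthPresent": "false"}
CTX_ACCESS_KEY = {}

if __name__ == "__main__":
    stmt = MFA_POLICY["Statement"][0]
    for label, ctx in (("mfa", CTX_MFA), ("no-mfa", CTX_NO_MFA), ("access-key", CTX_ACCESS_KEY)):
        for action in ("s3:ListAllMyBuckets", "sts:GetSessionToken"):
            print(f"{label:10} {action:22} denied={statement_denies(stmt, action, ctx)}")
```

The with_plain_bool variant shows the trap: with Bool, a call made with a long-term access key has no aws:MultiFactorAuthPresent key, the condition does not match, and the Deny never applies, so the user can bypass the MFA requirement simply by using access keys. BoolIfExists closes that gap by treating the missing key as a match. The sts:GetSessionToken exemption is what lets a user obtain MFA-backed temporary credentials in the first place.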

Related information

AWS security incident response technical guide

Security best practices in IAM