Harden IAM by disabling or removing IAM user credentials (console passwords, access keys, and signing certificates) that have been unused for more than 90 days. The plan first inventories all IAM users and their credential usage, then identifies stale credentials, guides you through exception decisions, performs a controlled cleanup of those credentials, and finally validates that no unapproved stale credentials remain and that critical workloads continue to function.
Begin by cataloging IAM users across all in-scope AWS accounts. For each user, capture the name, ARN, creation date, and any useful tags (Environment, Application, Owner, CostCenter). The plan determines whether a console password exists and collects last sign-in data where available. It also enumerates all access keys and any signing certificates, recording their status, creation/upload dates, and last-used details. The IAM credential report supplies most of this in one CSV per account (password, access key and certificate status plus last-used and last-rotated dates); note that it lists access keys by slot (access_key_1, access_key_2) rather than by key ID, so ListAccessKeys and GetAccessKeyLastUsed are needed to tie a stale slot to a concrete key. The result is a structured dataset of users and credential activity for later analysis.
Using the inventory, each credential is evaluated against a precise definition of "unused for more than 90 days": either its last use is older than 90 days, or it has never been used and was created/uploaded more than 90 days ago. Passwords, access keys, and certificates are each checked against this threshold; because IAM records no last-used date for signing certificates, only the upload-date test applies to them. The result is a consolidated, structured list of stale credentials that includes account, user, credential type and identifier, creation/upload date, last-used data, and relevant tags, ready for stakeholder review.
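The inventory and staleness evaluation above, as an added example that is not part of the original plan. It parses the columns of an IAM credential report, applies the plan's 90-day rule to every active password, access key and signing certificate, skips the root row (root is not an IAM user), and flags entries that appear in an exception list so the same function can serve the post-change validation step later in the plan. The report rows, the account ID, the clock value and the exception entry are all constructed for the example; the use of password_last_changed as the password's creation date is an assumption, since the report carries no password creation field.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

STALE_AFTER = timedelta(days=90)
# Sentinels the credential report uses where no timestamp exists.
NO_DATE = {"N/A", "no_information", "not_supported", ""}


def parse_ts(value):
    """Credential-report timestamps are ISO 8601 with a UTC offset."""
    return None if value in NO_DATE else datetime.fromisoformat(value)


def is_stale(last_used, created, now, threshold=STALE_AFTER):
    """Last use older than the threshold, or never used and created/uploaded
    more than the threshold ago."""
    cutoff = now - threshold
    if last_used is not None:
        return last_used < cutoff
    return created is not None and created < cutoff


def review_report(report_csv, now, exceptions=frozenset()):
    """Return {'reviewed': n, 'stale': [records]} for the active credentials in
    one account's credential report. `exceptions` holds (user, credential_id)
    pairs approved for retention; they stay in the output, flagged exempt."""
    reviewed, stale = 0, []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":
            continue  # root is not an IAM user and is out of scope here
        account = row["arn"].split(":")[4]
        checks = []  # (type, id, last_used, created)
        if row["password_enabled"] == "true":
            # Assumption: last_changed stands in for the password creation date.
            checks.append(("password", "password",
                           row["password_last_used"], row["password_last_changed"]))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] == "true":
                checks.append(("access_key", f"access_key_{n}",
                               row[f"access_key_{n}_last_used_date"],
                               row[f"access_key_{n}_last_rotated"]))
            if row[f"cert_{n}_active"] == "true":
                # No last-used field exists for certificates: upload date only.
                checks.append(("certificate", f"cert_{n}", "N/A",
                               row[f"cert_{n}_last_rotated"]))
        for ctype, cid, last_used, created in checks:
            reviewed += 1
            lu, cr = parse_ts(last_used), parse_ts(created)
            if is_stale(lu, cr, now):
                stale.append({
                    "account": account, "user": user, "arn": row["arn"],
                    "credential_type": ctype, "credential_id": cid,
                    "created": cr.isoformat() if cr else None,
                    "last_used": lu.isoformat() if lu else None,
                    "exempt": (user, cid) in exceptions,
                })
    return {"reviewed": reviewed, "stale": stale}


def summarize(result):
    """Counts for the validation report."""
    exempt = sum(1 for r in result["stale"] if r["exempt"])
    return {"reviewed": result["reviewed"], "stale": len(result["stale"]),
            "exempt": exempt, "non_exempt": len(result["stale"]) - exempt}


# Constructed sample report: same 22 columns as a real credential report.
REPORT = "\n".join([
    "user,arn,user_creation_time,password_enabled,password_last_used,"
    "password_last_changed,password_next_rotation,mfa_active,"
    "access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,"
    "access_key_1_last_used_region,access_key_1_last_used_service,"
    "access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,"
    "access_key_2_last_used_region,access_key_2_last_used_service,"
    "cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated",
    "<root_account>,arn:aws:iam::123456789012:root,2019-01-01T00:00:00+00:00,"
    "not_supported,2024-03-01T08:00:00+00:00,not_supported,not_supported,true,"
    "false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A",
    "alice,arn:aws:iam::123456789012:user/alice,2022-05-10T12:00:00+00:00,true,"
    "2024-02-20T09:15:00+00:00,2023-11-01T00:00:00+00:00,N/A,true,"
    "true,2023-01-05T00:00:00+00:00,2023-09-30T14:00:00+00:00,us-east-1,s3,"
    "false,N/A,N/A,N/A,N/A,false,N/A,false,N/A",
    "ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2023-12-01T00:00:00+00:00,"
    "false,N/A,N/A,N/A,false,"
    "true,2023-12-01T00:00:00+00:00,N/A,N/A,N/A,"
    "true,2024-02-28T00:00:00+00:00,N/A,N/A,N/A,"
    "true,2021-06-15T00:00:00+00:00,false,N/A",
])
NOW = datetime(2024, 3, 10, tzinfo=timezone.utc)
EXCEPTIONS = {("ci-deploy", "access_key_1")}  # constructed: pending migration

if __name__ == "__main__":
    result = review_report(REPORT, NOW, EXCEPTIONS)
    for rec in result["stale"]:
        print(rec)
    print(summarize(result))
```

With the clock at 2024-03-10 the cutoff is 2023-12-11: alice's key in slot 1 (last used 2023-09-30) and ci-deploy's slot-1 key (never used, created 2023-12-01) and certificate (uploaded 2021) are stale; alice's recently used password and ci-deploy's ten-day-old second key are not. Running the same function after cleanup, with the approved exception list, yields the non-exempt count the validation report needs.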
You are then presented with the list of credentials unused for 90+ days, grouped by account and user. The plan guides you through reviewing each password, access key, and certificate in the context of applications, automation, and support processes to determine whether they are truly stale. For each credential, you decide to disable/remove it or grant a documented exception (for example, break-glass or pending migration), optionally including a re-review date. You also confirm where IAM users are candidates for future decommissioning. The outcome is a structured decision record that drives subsequent configuration and validation tasks.
Using the approved decision record, the plan revalidates which IAM users still have console login profiles and confirms they are not listed as exceptions. For each applicable user, it removes console access according to organizational standards (in IAM this means deleting the user's login profile, which removes the password; a password cannot be set to an inactive state the way an access key can), without touching other credential types. Errors are logged with sufficient detail for remediation. A post-change check confirms that non-exempt stale passwords are no longer active, and a summary is produced listing actions taken, exceptions honored, and any failures needing follow-up.
For access keys marked as stale, the plan rechecks their current status and last-used information to ensure they are still unused and not exempt. It then deactivates non-exempt keys by setting them to Inactive, optionally aligning with any defined notification or sequencing requirements. If a grace period is defined, the plan tracks deactivation times and schedules deletion after the grace period expires. Once eligible, still-stale keys are permanently deleted while ensuring that required programmatic access remains available through other valid credentials. All operations and any failures are logged, and a post-change review confirms keys are correctly deactivated, deleted, or preserved as exceptions. A summary outlines deactivated keys, deletions, exceptions, and any unresolved items.
For IAM user signing certificates (X.509) and, where in scope, SSH public keys that have been unused for more than 90 days, the plan validates current certificate details and cross-checks them against the exception list. Non-exempt stale certificates are then set inactive or deleted in accordance with policy and safety considerations. Any issues are recorded with user and certificate details. After changes, the environment is rechecked to confirm that stale certificates are no longer active or present, while exceptions remain intact. A configuration summary lists disabled and deleted certificates, retained exceptions with justification, and any certificates requiring additional remediation.
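The controlled cleanup described in the three steps above, as an added example for the access-key case (passwords and certificates follow the same recheck, act, log pattern with their own API calls); it is not code from the original plan. Each key in the decision record is re-checked against its live last-used date immediately before any change, exempt keys are skipped, active stale keys are set Inactive (reversible) and their deactivation time recorded, keys whose grace period has elapsed are deleted, and API failures are logged and collected rather than aborting the run. The `FakeIAM` class is an in-memory stand-in for the three boto3 IAM client methods used, with the same names and keyword arguments, so the example runs offline; the key IDs, users, dates, the 14-day grace period and the simulated API error are all constructed.

```python
import logging
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

log = logging.getLogger("stale-key-cleanup")
STALE_AFTER = timedelta(days=90)
GRACE = timedelta(days=14)  # assumed grace period between deactivation and deletion


@dataclass
class KeyState:
    user: str
    key_id: str
    status: str                      # "Active" or "Inactive"
    created: datetime
    last_used: Optional[datetime]    # None = never used
    deactivated_at: Optional[datetime] = None  # tracked by the plan, not by IAM


class FakeIAM:
    """Stand-in for the boto3 IAM client calls this step uses (constructed)."""

    def __init__(self, keys, live_last_used=None, fail_on=()):
        self.keys = {k.key_id: k for k in keys}
        self.live_last_used = live_last_used or {}  # use seen since the inventory
        self.fail_on = set(fail_on)                  # keys whose writes raise
        self.calls = []

    def get_access_key_last_used(self, AccessKeyId):
        k = self.keys[AccessKeyId]
        used = self.live_last_used.get(AccessKeyId, k.last_used)
        return {"UserName": k.user,
                "AccessKeyLastUsed": {"LastUsedDate": used} if used else {}}

    def update_access_key(self, UserName, AccessKeyId, Status):
        self.calls.append(("update_access_key", UserName, AccessKeyId, Status))
        if AccessKeyId in self.fail_on:
            raise RuntimeError("AccessDenied")
        self.keys[AccessKeyId].status = Status

    def delete_access_key(self, UserName, AccessKeyId):
        self.calls.append(("delete_access_key", UserName, AccessKeyId))
        if AccessKeyId in self.fail_on:
            raise RuntimeError("AccessDenied")
        del self.keys[AccessKeyId]


def remediate_keys(iam, decision_record, exceptions, now, grace=GRACE):
    """Deactivate stale keys, delete those past the grace period, and return a
    summary. The live last-used date is re-read right before acting."""
    summary = {k: [] for k in ("deactivated", "deleted", "pending_deletion",
                                "exempt", "skipped_not_stale", "failed")}
    cutoff = now - STALE_AFTER
    for key in decision_record:
        if (key.user, key.key_id) in exceptions:
            summary["exempt"].append(key.key_id)
            continue
        try:
            live = iam.get_access_key_last_used(AccessKeyId=key.key_id)
            last_used = live["AccessKeyLastUsed"].get("LastUsedDate")
            if (last_used or key.created) >= cutoff:
                log.warning("%s no longer stale, leaving alone", key.key_id)
                summary["skipped_not_stale"].append(key.key_id)
            elif key.status == "Active":
                # Inactive is reversible, which is why it precedes deletion.
                iam.update_access_key(UserName=key.user, AccessKeyId=key.key_id,
                                      Status="Inactive")
                key.status, key.deactivated_at = "Inactive", now
                summary["deactivated"].append(key.key_id)
            elif key.deactivated_at is None:
                key.deactivated_at = now  # deactivated out of band: start the clock
                summary["pending_deletion"].append(key.key_id)
            elif now - key.deactivated_at >= grace:
                iam.delete_access_key(UserName=key.user, AccessKeyId=key.key_id)
                summary["deleted"].append(key.key_id)
            else:
                summary["pending_deletion"].append(key.key_id)
        except Exception as exc:  # enough detail for later remediation
            log.error("%s/%s: %s", key.user, key.key_id, exc)
            summary["failed"].append((key.key_id, str(exc)))
    return summary


def d(y, m, day):
    return datetime(y, m, day, tzinfo=timezone.utc)


NOW = d(2024, 3, 10)
EXCEPTIONS = {("ci-deploy", "AKIAEXAMPLE000000004")}


def decision_record():
    """Constructed decision record; key IDs are placeholders."""
    return [
        KeyState("alice", "AKIAEXAMPLE000000001", "Active", d(2023, 1, 5), d(2023, 9, 30)),
        KeyState("bob", "AKIAEXAMPLE000000002", "Inactive", d(2023, 6, 1), None, d(2024, 2, 10)),
        KeyState("carol", "AKIAEXAMPLE000000003", "Inactive", d(2023, 4, 1), d(2023, 8, 1), d(2024, 3, 5)),
        KeyState("ci-deploy", "AKIAEXAMPLE000000004", "Active", d(2023, 12, 1), None),
        KeyState("dave", "AKIAEXAMPLE000000005", "Active", d(2023, 2, 1), d(2023, 10, 1)),
        KeyState("erin", "AKIAEXAMPLE000000006", "Active", d(2022, 7, 1), d(2023, 5, 1)),
    ]


def run_example():
    record = decision_record()
    iam = FakeIAM(record, live_last_used={"AKIAEXAMPLE000000005": d(2024, 3, 8)},
                  fail_on={"AKIAEXAMPLE000000006"})
    return iam, remediate_keys(iam, record, EXCEPTIONS, NOW)


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    _, result = run_example()
    for action, keys in result.items():
        print(f"{action}: {keys}")
```

In the constructed run alice's key is deactivated, bob's key (inactive for 29 days) is deleted, carol's key (inactive for 5 days) waits, ci-deploy's key is honored as an exception, dave's key is left alone because the live check shows use two days ago, and erin's key lands in the failure list with the simulated error. Only the decision record is consulted for what to touch; the live API is consulted for whether it is still safe to touch it.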
Once configuration is complete, the plan re-enumerates the current state of all in-scope IAM user credentials, including passwords, access keys, and certificates. It re-evaluates last-used or creation/upload dates against the 90-day threshold for each active credential and cross-checks these with the documented exceptions. Any non-exempt active credentials that are still unused for more than 90 days are identified and documented. A validation report summarizes how many credentials were reviewed, how many stale credentials were successfully disabled or removed, how many are approved exceptions, and any remaining non-compliant credentials with recommended remediation steps. The report and supporting data are stored for audit and future cleanup cycles.
Finally, you review which IAM users had credentials disabled or removed, focusing on those tied to critical applications, services, and automations. The plan guides you to engage application and service owners to run functional tests such as key workflows, pipelines, and integrations. Any authentication or authorization failures are captured with details on affected IAM users and credential types. Short-term mitigations (e.g., issuing new scoped credentials or switching to different authentication methods) and longer-term fixes are planned and documented. You then compile and provide a final operational sign-off summarizing successful tests, known issues, residual risks, and any follow-up tasks outside the immediate scope of this cleanup.