Motivation
Is mainly security and an easy way to deactivate AWS access keys that have not been used for a period.
The AWS best practice is 90d inactivity.
Describe the solution you'd like
Suggesting to add a policy - here is a link to a script that I found on the internet that deactivates the inactive keys.
https://www.nicks.io/automating-deactivation-of-inactive-aws-access-keys/
Suggestion is to run this at 80d and have the 7d "warning period" - then the deactivation would occur around day 87-90.
As an interim - I would add this in dry-run mode for 60d inactivity to allow more time for users to identify
Then after about a month in dry-run, we should discuss - get OK and move to dry-run = no.
Describe alternatives you've considered
Not clear if/when the security team is implementing this
Additional context
Adding an additional request (similar) to notify of AWS keys that are > X days old and should be rotated.
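The schedule requested above (80d inactivity, 7d warning, dry-run first, plus a rotation notice) can be sketched as follows. This is an added example, not the linked script's code or this project's: the record fields, action names and the 90-day rotation age (the request leaves "X" open) are assumptions, and the sample keys are constructed.

```python
from datetime import datetime, timedelta, timezone

GRACE_DAYS = 7          # warning period from the request
ROTATE_AFTER_DAYS = 90  # assumption: the request leaves "X" undefined


def evaluate_key(key, now, warn_after=80, dry_run=True):
    """Return the list of actions the policy would take for one access key."""
    if key["status"] != "Active":
        return []  # already deactivated, nothing to do
    # A key that was never used is measured from its creation date.
    last_activity = key["last_used"] or key["created"]
    idle_days = (now - last_activity).days
    age_days = (now - key["created"]).days
    actions = []
    if idle_days >= warn_after + GRACE_DAYS:
        # In a live run this is where IAM UpdateAccessKey(Status="Inactive") goes.
        actions.append("would-deactivate" if dry_run else "deactivate")
    elif idle_days >= warn_after:
        actions.append("warn")
    if age_days > ROTATE_AFTER_DAYS:
        actions.append("notify-rotate")
    return actions


def run_policy(keys, now, warn_after=80, dry_run=True):
    """Evaluate every key; returns {key_id: [actions]} for keys needing action."""
    report = {}
    for key in keys:
        actions = evaluate_key(key, now, warn_after, dry_run)
        if actions:
            report[key["id"]] = actions
    return report


NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
# Constructed sample records (not real key IDs).
SAMPLE_KEYS = [
    {"id": "KEY-OLD-BUT-USED", "status": "Active",
     "created": NOW - timedelta(days=400), "last_used": NOW - timedelta(days=12)},
    {"id": "KEY-IN-WARNING", "status": "Active",
     "created": NOW - timedelta(days=85), "last_used": NOW - timedelta(days=83)},
    {"id": "KEY-NEVER-USED", "status": "Active",
     "created": NOW - timedelta(days=120), "last_used": None},
    {"id": "KEY-ALREADY-OFF", "status": "Inactive",
     "created": NOW - timedelta(days=300), "last_used": NOW - timedelta(days=200)},
]

if __name__ == "__main__":
    for key_id, actions in run_policy(SAMPLE_KEYS, NOW).items():
        print(key_id, actions)
```

Passing `warn_after=60` reproduces the interim dry-run phase; `dry_run=False` is the switch to enforcement.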