IAM users are assessed for activity performed with long-lived access keys. Using static credentials to reach services other than IAM or STS indicates reliance on permanent keys rather than temporary, role-based credentials.
Risk
Persistent access keys enable attacker persistence and replay. Stolen keys allow off-network API calls for data exfiltration, privilege changes, and destructive actions, impacting confidentiality, integrity, and availability. Without expiry, the blast radius grows and containment is harder.
prowler aws --checks iam_user_with_temporary_credentials
Recommendation
Adopt temporary credentials via IAM roles and federation for humans and workloads. Remove or restrict long-term keys; if unavoidable, apply least privilege, require MFA, rotate aggressively, and monitor usage. Prefer short session durations and session conditions to limit blast radius.
Remediation
aws iam put-user-policy --user-name <example_resource_name> --policy-name deny-non-iam-sts-with-long-term-creds --policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Deny","NotAction":["iam:*","sts:*"],"Resource":"*","Condition":{"Null":{"aws:TokenIssueTime":"true"}}}]}'
- In AWS Console, go to IAM > Users and select <example_resource_name>
- Open the Security credentials tab
- Under Access keys, deactivate and delete all active access keys
- Save changes
- Re-test: the user no longer has long-lived credentials to access non-IAM/STS services
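As an added example (not Prowler's own check code), the following script applies the same idea to CloudTrail records: it flags IAM users whose long-term access keys (ids beginning with AKIA, as opposed to temporary ASIA ids) were used against services other than IAM or STS, and builds the deny policy used in the remediation above. The event records and user names are constructed for illustration.

```python
from typing import Iterable

# Services a long-term key may legitimately call (e.g. to rotate itself or
# assume a role); everything else should be reached with temporary credentials.
ALLOWED_SOURCES = {"iam.amazonaws.com", "sts.amazonaws.com"}

def is_long_term_key(access_key_id: str) -> bool:
    """AKIA... ids are long-term IAM user keys; ASIA... ids are temporary STS keys."""
    return access_key_id.startswith("AKIA")

def find_long_term_key_usage(events: Iterable[dict]) -> dict[str, set[str]]:
    """Map each IAM user to the non-IAM/STS services it called with a long-term key."""
    findings: dict[str, set[str]] = {}
    for ev in events:
        ident = ev.get("userIdentity", {})
        if ident.get("type") != "IAMUser":
            continue  # role sessions and root are out of scope for this check
        key_id = ident.get("accessKeyId", "")
        source = ev.get("eventSource", "")
        if is_long_term_key(key_id) and source not in ALLOWED_SOURCES:
            findings.setdefault(ident["userName"], set()).add(source)
    return findings

def deny_policy_for_long_term_creds() -> dict:
    """Inline policy denying all but IAM/STS actions when no token issue time is present
    (aws:TokenIssueTime is null for requests signed with long-term access keys)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Deny",
            "NotAction": ["iam:*", "sts:*"],
            "Resource": "*",
            "Condition": {"Null": {"aws:TokenIssueTime": "true"}},
        }],
    }

# Constructed CloudTrail records (not real account data).
SAMPLE_EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot", "accessKeyId": "AKIAEXAMPLE000000001"}},
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "accessKeyId": "AKIAEXAMPLE000000002"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE000000003"}},
]

if __name__ == "__main__":
    for user, services in find_long_term_key_usage(SAMPLE_EVENTS).items():
        print(f"{user}: long-term key used for {sorted(services)}")
```

Only deploy-bot is reported: alice used her key solely to call STS, and the EC2 call came from a temporary role session.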
Resource Type
AwsIamUser