{
	"id": "f14f743e-f982-4bd9-bddc-61eb2794c114",
	"created_at": "2026-04-06T00:21:39.132493Z",
	"updated_at": "2026-04-10T03:20:58.044353Z",
	"deleted_at": null,
	"sha1_hash": "b319c1a549b8bcb0e1beaa3c54603bee4def672f",
	"title": "New Information in the AWS IAM Console Helps You Follow IAM Best Practices | Amazon Web Services",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 165638,
	"plain_text": "New Information in the AWS IAM Console Helps You Follow IAM\r\nBest Practices | Amazon Web Services\r\nPublished: 2017-07-05 · Archived: 2026-04-05 12:57:59 UTC\r\nAWS Security Blog\r\nToday, we added new information to the Users section of the AWS Identity and Access Management (IAM)\r\nconsole to make it easier for you to follow IAM best practices. With this new information, you can more easily\r\nmonitor users’ activity in your AWS account and identify access keys and passwords that you should rotate\r\nregularly. You can also better audit users’ MFA device usage and keep track of their group memberships. In this\r\npost, I show how you can use this new information to help you follow IAM best practices.\r\nMonitor activity in your AWS account\r\nThe IAM best practice, monitor activity in your AWS account, encourages you to monitor user activity in your\r\nAWS account by using services such as AWS CloudTrail and AWS Config. In addition to monitoring usage in\r\nyour AWS account, you should be aware of inactive users so that you can remove them from your account. By\r\nonly retaining necessary users, you can help maintain the security of your AWS account.\r\nTo help you find users that are inactive, we added three new columns to the IAM user table: Last activity,\r\nConsole last sign-in, and Access key last used.\r\n1. Last activity – This column tells you how long it has been since the user has either signed in to the AWS\r\nManagement Console or accessed AWS programmatically with their access keys. Use this column to find\r\nusers who might be inactive, and consider removing them from your AWS account.\r\n2. Console last sign-in – This column displays the time since the user’s most recent console sign-in. Consider\r\nremoving passwords from users who are not signing in to the console.\r\n3. 
Access key last used – This column displays the time since a user last used access keys. Use this column\r\nto find any access keys that are not being used, and deactivate or remove them.\r\nRotate credentials regularly\r\nThe IAM best practice, rotate credentials regularly, recommends that all users in your AWS account change\r\npasswords and access keys regularly. With this practice, if a password or access key is compromised without your\r\nknowledge, you can limit how long the credentials can be used to access your resources. To help your\r\nmanagement efforts, we added three new columns to the IAM user table: Access key age, Password age, and\r\nAccess key ID.\r\n1. Access key age – This column shows how many days it has been since the oldest active access key was\r\ncreated for a user. With this information, you can audit access keys easily across all your users and identify\r\nthe access keys that may need to be rotated.\r\nBased on the number of days since the access key has been rotated, a green, yellow, or red icon is displayed. To\r\nsee the corresponding time frame for each icon, pause your mouse pointer on the Access key age column heading\r\nto see the tooltip, as shown in the following screenshot.\r\n2. Password age – This column shows the number of days since a user last changed their password. With this\r\ninformation, you can audit password rotation and identify users who have not changed their password\r\nrecently. The easiest way to make sure that your users are rotating their password often is to establish an\r\naccount password policy that requires users to change their password after a specified time period.\r\n3. Access key ID – This column displays the access key IDs for users and the current status (Active/Inactive)\r\nof those access key IDs. 
This column makes it easier for you to locate and see the state of access keys for\r\neach user, which is useful for auditing. To find a specific access key ID, use the search box above the table.\r\nEnable MFA for privileged users\r\nAnother IAM best practice is to enable multi-factor authentication (MFA) for privileged IAM users. With MFA,\r\nusers have a device that generates a unique authentication code (a one-time password [OTP]). Users must provide\r\nboth their normal credentials (such as their user name and password) and the OTP when signing in.\r\nTo help you see if MFA has been enabled for your users, we’ve improved the MFA column to show you if MFA is\r\nenabled and which type of MFA (hardware, virtual, or SMS) is enabled for each user, where applicable.\r\nUse groups to assign permissions to IAM users\r\nInstead of defining permissions for individual IAM users, it’s usually more convenient to create groups that relate\r\nto job functions (such as administrators, developers, and accountants), define the relevant permissions for each\r\ngroup, and then assign IAM users to those groups. All the users in an IAM group inherit the permissions assigned\r\nto the group. This way, if you need to modify permissions, you can make the change once for everyone in a group\r\ninstead of making the change one time for each user. As people move around in your company, you can change the\r\ngroup membership of the IAM user.\r\nTo better understand which groups your users belong to, we’ve made updates:\r\n1. Groups – This column now lists the groups of which a user is a member. This information makes it easier\r\nto understand and compare multiple users’ permissions at once.\r\n2. 
Group count – This column shows the number of groups to which each user belongs.\r\nCustomize your view\r\nChoosing which columns you see in the User table is easy to do. When you click the button with the gear icon in\r\nthe upper right corner of the table, you can choose the columns you want to see, as shown in the following\r\nscreenshots.\r\nConclusion\r\nWe made these improvements to the Users section of the IAM console to make it easier for you to follow IAM\r\nbest practices in your AWS account. Following these best practices can help you improve the security of your\r\nAWS resources and make your account easier to manage.\r\nIf you have comments about this post, submit them in the “Comments” section below. If you have questions or\r\nsuggestions, please start a new thread on the IAM forum.\r\n– Rob\r\nSource: https://aws.amazon.com/blogs/security/newly-updated-features-in-the-aws-iam-console-help-you-adhere-to-iam-best-practices/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://aws.amazon.com/blogs/security/newly-updated-features-in-the-aws-iam-console-help-you-adhere-to-iam-best-practices/"
	],
	"report_names": [
		"newly-updated-features-in-the-aws-iam-console-help-you-adhere-to-iam-best-practices"
	],
	"threat_actors": [],
	"ts_created_at": 1775434899,
	"ts_updated_at": 1775791258,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b319c1a549b8bcb0e1beaa3c54603bee4def672f.pdf",
		"text": "https://archive.orkl.eu/b319c1a549b8bcb0e1beaa3c54603bee4def672f.txt",
		"img": "https://archive.orkl.eu/b319c1a549b8bcb0e1beaa3c54603bee4def672f.jpg"
	}
}