Why does my IAM credential report show my AWS Config managed rules as not compliant?


My AWS managed Config rules aren't compliant after I used the API to turn on multi-factor authentication (MFA) for my AWS Identity and Access Management (IAM) users or to rotate IAM access keys.

Short description

The AWS managed Config rules mfa-enabled-for-iam-console-access, iam-user-mfa-enabled, access-keys-rotated, and iam-user-unused-credentials-check can report as noncompliant after the GenerateCredentialReport API is invoked. This is because these rules evaluate the credential report that the API returns, and that report might be stale.

When GenerateCredentialReport is called, IAM checks whether a report already exists. If the existing report was generated within the past four hours, the API call returns that report instead of generating a new one. Only if the most recent report is older than four hours, or no report exists, does the GenerateCredentialReport API generate a new report. A rule that runs more often than every four hours can therefore evaluate a report that predates your MFA or access key change and flag the user as noncompliant. For more information, see Getting credential reports for your AWS account.

Resolution

Change the MaximumExecutionFrequency parameter to a value greater than 4 hours, so that each evaluation is backed by a freshly generated credential report. MaximumExecutionFrequency is the maximum frequency with which AWS Config runs evaluations for an AWS managed periodic rule.

  1. Open the AWS Config console, and then choose Rules.
  2. In Rule name, select your AWS Config rule, and then choose Edit.
  3. In Trigger, select the Frequency dropdown menu, and choose 6, 12, or 24 hours.
  4. Choose Save.

To update the rule trigger frequency using the AWS Command Line Interface (AWS CLI), run the put-config-rule command.

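The following POSIX shell script is an added example, not code from the AWS article: it composes the ConfigRule JSON document that `aws configservice put-config-rule --config-rule file://rule.json` expects, and refuses any MaximumExecutionFrequency that does not exceed the four-hour credential-report cache described above. The managed-rule source identifier MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS is assumed to be the documented identifier for the mfa-enabled-for-iam-console-access rule; verify it against the AWS Config managed rules reference before applying.

```shell
#!/bin/sh
# Added example (not from the AWS article): build a ConfigRule document for
# put-config-rule with a MaximumExecutionFrequency longer than four hours.
# Assumption: MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS is the documented source
# identifier for the mfa-enabled-for-iam-console-access managed rule.

# Valid MaximumExecutionFrequency values are One_Hour, Three_Hours, Six_Hours,
# Twelve_Hours and TwentyFour_Hours. Only the last three exceed the four-hour
# window in which GenerateCredentialReport returns a cached report.
frequency_is_safe() {
  case "$1" in
    Six_Hours|Twelve_Hours|TwentyFour_Hours) return 0 ;;
    One_Hour|Three_Hours) return 1 ;;   # evaluations could reuse a stale report
    *) return 2 ;;                      # not a valid enum value
  esac
}

# Print the ConfigRule JSON for a periodic AWS managed rule, or print nothing
# and fail when the requested frequency would not force a fresh report.
build_rule_json() {
  rule_name="$1"
  source_identifier="$2"
  frequency="$3"
  frequency_is_safe "$frequency" || return 1
  printf '{"ConfigRuleName":"%s","Source":{"Owner":"AWS","SourceIdentifier":"%s"},"MaximumExecutionFrequency":"%s"}\n' \
    "$rule_name" "$source_identifier" "$frequency"
}

# Write the document and call the AWS CLI. Dry run unless APPLY=1 is set.
apply_rule() {
  rule_file="${TMPDIR:-/tmp}/rule.json"
  if ! build_rule_json "$1" "$2" "$3" > "$rule_file"; then
    echo "refusing frequency $3: rule would reuse a cached credential report" >&2
    return 1
  fi
  if [ "${APPLY:-0}" = "1" ]; then
    aws configservice put-config-rule --config-rule "file://$rule_file"
  else
    echo "dry run: aws configservice put-config-rule --config-rule file://$rule_file"
    cat "$rule_file"
  fi
}

# Usage for the rule named in the article; rerun with APPLY=1 to push the change.
apply_rule mfa-enabled-for-iam-console-access MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS Six_Hours
```

The guard in `frequency_is_safe` is the point of the script: One_Hour and Three_Hours are legal values for put-config-rule, but either one lets two consecutive evaluations read the same cached report, which is exactly the false noncompliance this article describes.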
Related information

ConfigRule

GetCredentialReport

AWS OFFICIAL. Updated a year ago.