Why does my IAM credential report show my AWS Config managed rules as not compliant?
Last updated: 2020-07-08
I enabled multi-factor authentication (MFA) for AWS Identity and Access Management (IAM) users.
I rotated IAM access keys and configured a check that credentials must have been used within a specified number of days.
However, the AWS managed Config rules mfa-enabled-for-iam-console-access, iam-user-mfa-enabled, access-keys-rotated, and iam-user-unused-credentials-check are still reported as noncompliant after invoking the GenerateCredentialReport API.
When GenerateCredentialReport is invoked, IAM checks whether a report was generated within the past four hours; if one was, it returns that cached copy instead of generating a new report. If the AWS Config rules are triggered every 1-4 hours, each evaluation therefore downloads the cached credential report, so changes such as newly enabled MFA or rotated keys are not reflected until 4 hours have passed. For more information, see Getting credential reports for your AWS account.
To resolve this, change the rule's MaximumExecutionFrequency parameter to more than 4 hours so that each evaluation runs against a freshly generated report.
- Open the AWS Config console, and then choose Rules.
- In Rule name, select your AWS Config rule, and then choose Edit.
- In Trigger, select the Frequency dropdown menu, and choose 6, 12, or 24 hours.
- Choose Save.
To update the rule trigger frequency using the AWS Command Line Interface (AWS CLI), run the put-config-rule command.
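As an added example (not part of the AWS article), the script below builds the put-config-rule payload for one of these managed rules and refuses any MaximumExecutionFrequency that is not longer than the 4-hour credential report cache. The rule source identifiers (for example ACCESS_KEYS_ROTATED) and the maxAccessKeyAge parameter come from the AWS managed rule documentation rather than this page; the aws command at the bottom assumes the AWS CLI is installed with credentials configured.

```shell
#!/bin/sh
# Added example, not code from the AWS article.
# Map the allowed MaximumExecutionFrequency values to hours so that any
# value of 4 hours or less (which would still hit the cached report) is rejected.
frequency_hours() {
  case "$1" in
    One_Hour) echo 1 ;;
    Three_Hours) echo 3 ;;
    Six_Hours) echo 6 ;;
    Twelve_Hours) echo 12 ;;
    TwentyFour_Hours) echo 24 ;;
    *) return 1 ;;
  esac
}

# Print the ConfigRule JSON for an AWS managed rule.
# Arguments: rule name, managed-rule source identifier (e.g. ACCESS_KEYS_ROTATED),
# frequency, optional InputParameters JSON (e.g. '{"maxAccessKeyAge":"90"}').
# Prints nothing and returns 1 when the frequency is unknown or too short.
build_rule_json() {
  name=$1; source_id=$2; freq=$3; params=$4
  [ -n "$params" ] || params='{}'
  hours=$(frequency_hours "$freq") || { echo "unknown frequency: $freq" >&2; return 1; }
  if [ "$hours" -le 4 ]; then
    echo "$freq is not longer than the 4-hour credential report cache" >&2
    return 1
  fi
  # InputParameters is a JSON string embedded in JSON, so its quotes are escaped.
  escaped=$(printf '%s' "$params" | sed 's/"/\\"/g')
  printf '{"ConfigRuleName":"%s","Source":{"Owner":"AWS","SourceIdentifier":"%s"},"InputParameters":"%s","MaximumExecutionFrequency":"%s"}\n' \
    "$name" "$source_id" "$escaped" "$freq"
}

# Write the payload to rule.json and apply it with the AWS CLI.
apply_rule() {
  build_rule_json "$@" > rule.json || return 1
  aws configservice put-config-rule --config-rule file://rule.json
}

# Example invocation (assumed values):
#   sh update-rule.sh access-keys-rotated ACCESS_KEYS_ROTATED Six_Hours '{"maxAccessKeyAge":"90"}'
if [ "$#" -eq 3 ] || [ "$#" -eq 4 ]; then
  apply_rule "$@"
fi
```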