Why does my IAM credential report show my AWS Config managed rules as not compliant?
Last updated: 2020-07-08
I enabled multi-factor authentication (MFA) for AWS Identity and Access Management (IAM) users.
-or-
I rotated IAM access keys and configured a check that credentials must be used within a specified number of days.
However, the AWS managed Config rules mfa-enabled-for-iam-console-access, iam-user-mfa-enabled, access-keys-rotated, and iam-user-unused-credentials-check still aren't compliant after I invoke the GenerateCredentialReport API.
Short description
GenerateCredentialReport returns a cached copy of the credential report when one was generated within the past four hours. If the AWS Config rules are triggered every 1 to 4 hours, they evaluate that cached copy, which doesn't reflect your changes until the four hours have passed. For more information, see Getting credential reports for your AWS account.
Resolution
Change the MaximumExecutionFrequency parameter to more than 4 hours.
- Open the AWS Config console, and then choose Rules.
- In Rule name, select your AWS Config rule, and then choose Edit.
- In Trigger, select the Frequency dropdown menu, and choose 6, 12, or 24 hours.
- Choose Save.
To update the rule trigger frequency using the AWS Command Line Interface (AWS CLI), run the put-config-rule command.
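The following script is an added example, not part of the AWS article: it audits a set of AWS Config rules (a constructed sample of describe-config-rules output), flags the four credential-report rules that fire every four hours or less, and builds the ConfigRule document that `aws configservice put-config-rule --config-rule file://rule.json` (or the boto3 `put_config_rule` call) expects with a longer MaximumExecutionFrequency. The rule names, source identifiers, and frequency values are AWS's; the sample rules, the helper function names, and the choice of Six_Hours as the default replacement are this example's own.

```python
"""Added example (not from the AWS article): find AWS Config rules that read
the IAM credential report and run too often, and produce the put-config-rule
document that lengthens their MaximumExecutionFrequency."""
import json

# Hours represented by each valid MaximumExecutionFrequency value.
FREQUENCY_HOURS = {
    "One_Hour": 1,
    "Three_Hours": 3,
    "Six_Hours": 6,
    "Twelve_Hours": 12,
    "TwentyFour_Hours": 24,
}

# GenerateCredentialReport returns a cached report generated within the last four hours.
CREDENTIAL_REPORT_CACHE_HOURS = 4

# Managed rules from the article whose evaluation depends on the credential report.
CREDENTIAL_REPORT_RULES = {
    "MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS",
    "IAM_USER_MFA_ENABLED",
    "ACCESS_KEYS_ROTATED",
    "IAM_USER_UNUSED_CREDENTIALS_CHECK",
}

# Constructed sample shaped like describe-config-rules output (not real account data).
SAMPLE_RULES = [
    {"ConfigRuleName": "access-keys-rotated",
     "Source": {"Owner": "AWS", "SourceIdentifier": "ACCESS_KEYS_ROTATED"},
     "InputParameters": "{\"maxAccessKeyAge\":\"90\"}",
     "MaximumExecutionFrequency": "One_Hour"},
    {"ConfigRuleName": "iam-user-mfa-enabled",
     "Source": {"Owner": "AWS", "SourceIdentifier": "IAM_USER_MFA_ENABLED"},
     "MaximumExecutionFrequency": "Three_Hours"},
    {"ConfigRuleName": "iam-user-unused-credentials-check",
     "Source": {"Owner": "AWS", "SourceIdentifier": "IAM_USER_UNUSED_CREDENTIALS_CHECK"},
     "InputParameters": "{\"maxCredentialUsageAge\":\"90\"}",
     "MaximumExecutionFrequency": "TwentyFour_Hours"},
    {"ConfigRuleName": "s3-bucket-public-read-prohibited",
     "Source": {"Owner": "AWS", "SourceIdentifier": "S3_BUCKET_PUBLIC_READ_PROHIBITED"}},
]


def runs_too_often(rule: dict) -> bool:
    """True when a credential-report rule is scheduled every 4 hours or less."""
    source = rule.get("Source", {})
    if source.get("Owner") != "AWS":
        return False
    if source.get("SourceIdentifier") not in CREDENTIAL_REPORT_RULES:
        return False
    freq = rule.get("MaximumExecutionFrequency")
    if freq is None:
        # No explicit schedule: periodic rules default to 24 hours, which is fine.
        return False
    return FREQUENCY_HOURS[freq] <= CREDENTIAL_REPORT_CACHE_HOURS


def audit(rules: list) -> list:
    """Names of the rules that need a longer MaximumExecutionFrequency."""
    return [r["ConfigRuleName"] for r in rules if runs_too_often(r)]


def fixed_rule(rule: dict, frequency: str = "Six_Hours") -> dict:
    """Build the ConfigRule document for put-config-rule with a longer frequency.

    Only fields put-config-rule accepts as input are copied; read-only fields
    from describe-config-rules (ARN, ID, state) are left out by design.
    """
    if FREQUENCY_HOURS[frequency] <= CREDENTIAL_REPORT_CACHE_HOURS:
        raise ValueError(f"{frequency} is not longer than the 4-hour report cache")
    keep = ("ConfigRuleName", "Description", "Scope", "Source", "InputParameters")
    doc = {k: rule[k] for k in keep if k in rule}
    doc["MaximumExecutionFrequency"] = frequency
    return doc


def main() -> None:
    for rule in SAMPLE_RULES:
        if runs_too_often(rule):
            doc = fixed_rule(rule)
            # Save this JSON to rule.json and apply it with:
            #   aws configservice put-config-rule --config-rule file://rule.json
            # or, with boto3: boto3.client("config").put_config_rule(ConfigRule=doc)
            print(json.dumps(doc, indent=2))


if __name__ == "__main__":
    main()
```

Because InputParameters is carried over unchanged, the rule's thresholds (maxAccessKeyAge, maxCredentialUsageAge) survive the update; omitting that field would reset the rule to its defaults.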