Why does my IAM credential report show my AWS Config managed rules as not compliant?

Last updated: 2020-07-08

I enabled multi-factor authentication (MFA) for AWS Identity and Access Management (IAM) users.

-or-

I rotated IAM access keys and configured that the unused credentials be used within a specified number of days.

However, the AWS managed config rules mfa-enabled-for-iam-console-access, iam-user-mfa-enabled, access-keys-rotated, and iam-user-unused-credentials-check aren't compliant after invoking the API GenerateCredentialReport.  

Short description

The credential report checks if a report was generated within the past four hours. If the AWS config rules are triggered every 1-4 hours, a cached copy of the credential report is downloaded after 4 hours pass. For more information, see Getting credential reports for your AWS account.

Resolution

Change the MaximumExecutionFrequency parameter to more than 4 hours.

  1. Open the AWS Config console, and then choose Rules.
  2. In Rule name, select your AWS Config rule, and then choose Edit.
  3. In Trigger, select the Frequency dropdown menu, and choose 6, 12, or 24 hours.
  4. Choose Save.

To update the rule trigger frequency using the AWS Command Line Interface (AWS CLI), run the put-config-rule command.


Did this article help?


Do you need billing or technical support?