Please tell me the reason why IAM users that have been set to SUPPRESSED in Security Hub findings are being detected as FAILED


2025.10.07


The issue

In Security Hub checks, IAM users were detected as targets for IAM.3, so I set them to SUPPRESSED.

However, after some time, the IAM users that I had set to SUPPRESSED were being detected as FAILED.

Please tell me the reason why IAM users that have been set to SUPPRESSED in Security Hub findings are being detected as FAILED.

The solution

Check whether the IAM users that were set to SUPPRESSED have active access keys that were created more than 90 days ago.

The Config rule behind IAM.3 evaluates IAM users as non-compliant when they have access keys created more than 90 days ago.

access-keys-rotated - AWS Config

Checks if active IAM access keys are rotated (changed) within the number of days specified in maxAccessKeyAge. The rule is NON_COMPLIANT if access keys are not rotated within the specified time period. The default value is 90 days.

When an access key of an IAM user that was set to SUPPRESSED passes 90 days since creation, the evaluation result of the target Config rule changes from compliant to non-compliant.
As a result, the SUPPRESSED finding in Security Hub is archived and a new FAILED finding is generated.

Therefore, check whether the IAM users' active access keys were created more than 90 days ago, and rotate the access keys as necessary.
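
One way to run this check across an account is to read the IAM credential report (the CSV returned by `aws iam get-credential-report`) and list every active key older than the rule's threshold. The script below is an added example, not part of the original article; the sample rows and the `stale_active_keys` helper are constructed for illustration, and it assumes "older than" means strictly more than `maxAccessKeyAge` days.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

MAX_ACCESS_KEY_AGE_DAYS = 90  # default maxAccessKeyAge of access-keys-rotated

# Constructed sample in the credential report layout (only the columns used here).
SAMPLE_REPORT = """\
user,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
alice,true,2025-06-01T09:00:00+00:00,false,N/A
bob,true,2025-09-20T09:00:00+00:00,true,2025-03-10T09:00:00+00:00
carol,false,2024-01-05T09:00:00+00:00,false,N/A
dave,true,2025-08-15T09:00:00+00:00,false,N/A
"""


def stale_active_keys(report_csv, now, max_age_days=MAX_ACCESS_KEY_AGE_DAYS):
    """Return (user, key_slot, age_days) for each active key older than max_age_days."""
    limit = timedelta(days=max_age_days)
    stale = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in ("1", "2"):
            # Inactive keys are skipped: the rule only evaluates active keys.
            if row.get(f"access_key_{slot}_active") != "true":
                continue
            rotated = row.get(f"access_key_{slot}_last_rotated") or "N/A"
            if rotated == "N/A":
                continue
            # last_rotated holds the time the key was created or last changed.
            age = now - datetime.fromisoformat(rotated)
            if age > limit:  # assumption: strictly older than the limit
                stale.append((row["user"], f"access_key_{slot}", age.days))
    return stale


if __name__ == "__main__":
    now = datetime(2025, 10, 7, tzinfo=timezone.utc)  # constructed evaluation time
    for user, slot, age_days in stale_active_keys(SAMPLE_REPORT, now):
        print(f"{user}: {slot} is active and {age_days} days old")
```

A user with two keys is reported per key, so a recently created second key does not hide an old first key that is still active.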
