AWS Security ChangesHomeSearch

AWS IAM medium security documentation change

Service: IAM · 2025-05-16 · Security-related medium

File: IAM/latest/UserGuide/id_users_remove.md

Summary

Added note requiring deactivation of active access keys before user deletion and removed redundant line about access key removal automation

Security assessment

The change explicitly warns users to manually deactivate access keys before deletion, addressing a potential security gap where inactive users might retain active credentials. This prevents accidental retention of unused access keys that could be exploited.

Diff

diff --git a/IAM/latest/UserGuide/id_users_remove.md b/IAM/latest/UserGuide/id_users_remove.md
index c15519bdf..739f184bc 100644
--- a//IAM/latest/UserGuide/id_users_remove.md
+++ b//IAM/latest/UserGuide/id_users_remove.md
@@ -25,2 +24,0 @@ When you use the AWS Management Console to remove an IAM user, IAM automatically
-  * Any access keys belonging to the IAM user 
-
@@ -50,0 +49,4 @@ classic IAM console
+###### Note
+
+If any of the users have active access keys, you must deactivate the access keys before deleting the users. For more information, see [To deactivate an access key for an IAM user](./access-keys-admin-managed.html#admin-deactivate-access-key).
+