Acting on discovered inactive identities could be done manually, but should be automated for efficiency and improved security. Both manual and automated cleanup could follow a process like this:

For all steps, log the findings and actions taken for audit and improvements.

Depending on your corporate policies, you might want to clean up monthly or quarterly. When triggering the report generation in the first step, you can specify the duration (a range in hours) beyond which an identity is considered inactive. To avoid the risk of shutting down important identities, you should maintain a list or database of identities that are excluded from cleanup (Step 2 above). That list could also be used to distinguish between different policies, such as monthly or quarterly checks.

When processing each inactive identity that was found (e.g., users, service IDs, trusted profiles), it is fairly easy to revoke assigned privileges. IBM Cloud IAM provides a REST API DELETE call that removes an IAM identity from all associated access groups (Step 3 above, see screenshot below).

Following best practices, permissions should be assigned only through access groups, never directly. You can verify this rule by retrieving the list of directly granted privileges for the IAM identity. If such a privilege (access management policy) is found, there is an API to delete that policy (Step 3). See our blog post “IBM Cloud security: How to clean up unused access policies” for additional information.

The report on inactive identities also includes a section on API keys. API keys are associated with either a user or service ID. The question is how soon to clean them up by deleting the API key. Similar to removing privileges from an identity, deleting an associated API key may break applications. Decide what is best for your cloud environment and meets corporate standards.
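The following is an added example, not IBM's code, that turns the cleanup steps above into a reviewable plan: it honours an exclusion list, emits the access-group, policy and API-key DELETE requests for each remaining identity, and writes an audit entry for every decision. The report layout and exclusion list are constructed here; the endpoint paths are assumed from the public IBM Cloud IAM API documentation and are only rendered into the plan, never sent, so the run is offline and can be logged before anything is deleted.

```python
"""Plan cleanup actions for an inactive-identity report (added example)."""
from datetime import datetime, timezone

IAM = "https://iam.cloud.ibm.com"  # assumed IAM API base URL

# Constructed exclusion list (Step 2): identities that are never cleaned up,
# mapped to the review cadence (hours) that applies to them.
EXCLUDED = {
    "iam-ServiceId-breakglass": 24 * 90,  # quarterly review only
    "IBMid-account-owner": 24 * 30,       # monthly review
}

def plan_cleanup(report, account_id, exclusions=EXCLUDED):
    """Return (rest_calls, audit_log) for one report; nothing is executed."""
    calls, audit = [], []
    stamp = datetime.now(timezone.utc).isoformat()

    def log(iam_id, action, detail):  # every decision is recorded for audit
        audit.append({"time": stamp, "iam_id": iam_id,
                      "action": action, "detail": detail})

    for ident in report.get("identities", []):
        iam_id = ident["iam_id"]
        if iam_id in exclusions:
            log(iam_id, "skip", "on exclusion list")
            continue
        # Step 3: one DELETE removes the identity from every access group.
        calls.append(("DELETE", f"{IAM}/v2/groups/_allgroups/members/"
                                f"{iam_id}?account_id={account_id}"))
        # Directly granted policies violate the groups-only rule; remove each.
        direct = ident.get("direct_policy_ids", [])
        for pid in direct:
            calls.append(("DELETE", f"{IAM}/v1/policies/{pid}"))
        log(iam_id, "revoke", f"all groups + {len(direct)} direct policies")

    for key in report.get("apikeys", []):  # keys belong to a user/service ID
        owner = key["owner_iam_id"]
        if owner in exclusions:
            log(owner, "skip", f"api key {key['id']} of excluded owner")
            continue
        calls.append(("DELETE", f"{IAM}/v1/apikeys/{key['id']}"))
        log(owner, "delete-apikey", key["id"])
    return calls, audit

# Constructed sample report: what an inactivity scan might surface.
SAMPLE_REPORT = {
    "identities": [
        {"iam_id": "IBMid-user0042", "direct_policy_ids": ["pol-a1", "pol-b2"]},
        {"iam_id": "iam-ServiceId-breakglass", "direct_policy_ids": []},
        {"iam_id": "iam-Profile-ci-runner", "direct_policy_ids": []},
    ],
    "apikeys": [
        {"id": "ApiKey-0001", "owner_iam_id": "IBMid-user0042"},
        {"id": "ApiKey-0002", "owner_iam_id": "iam-ServiceId-breakglass"},
    ],
}
```

Running `plan_cleanup(SAMPLE_REPORT, "<account id>")` yields five DELETE requests and five audit entries; the break-glass service ID and its API key are skipped and logged rather than removed.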

The above cleanup steps can be scripted and run manually. You could also automate the cleanup by taking an approach similar to what we describe in this blog post on automated data scraping. Use IBM Cloud Code Engine with a cron subscription to trigger execution on set dates or intervals: