# Security Recommendations

### Inactive IAM users <a href="#inactive-iam-users" id="inactive-iam-users"></a>

Users who have been inactive for more than **90 days** are considered obsolete and subject to deletion. This is due to the security risks they pose for the organization, as they can be compromised and become access points for malicious users.

The number of days is a custom parameter. Use **Settings** to change it. You can also download a list of inactive users as JSON or XLSX by selecting the download icon <img src="https://756292039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F6rFi99rib6iBPaHxldNx%2Fuploads%2Fgit-blob-9024ecd42fbb865c6deaab3c79d49f5192b5aa43%2Ficon_cloud_download.png?alt=media" alt="" data-size="line">.

<figure><img src="https://756292039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F6rFi99rib6iBPaHxldNx%2Fuploads%2Fgit-blob-329f48687a992e4f27ec74b9f0453951bc792c6a%2Finactive_IAM_users.png?alt=media" alt=""><figcaption><p>Inactive IAM users</p></figcaption></figure>

### Instances with insecure Security Groups settings <a href="#instances-with-insecure-security-groups-settings" id="instances-with-insecure-security-groups-settings"></a>

This security check browses through the account's resources to find network exposures and lists the instances liable to RDP/SSH attacks. A Security Group rule is considered insecure when it allows one of the following inbound ports or permissions:

* port tcp/22
* port tcp/3389
* all inbound traffic

with one of:

* CidrIp: 0.0.0.0/0
* CidrIpv6: ::/0

**AWS**

* Describe regions: `ec2.describe_regions()`
* Describe instances: `ec2.describe_instances()`
* Describe security groups: `ec2.describe_security_groups()`

**Azure**

* Describe instances: `compute.virtual_machines.list_all()`
* Describe security groups: `network.network_security_groups.list_all()`

{% hint style="info" %}
Network interfaces without associated security groups are skipped.
{% endhint %}

You can download the list of insecure Security Groups as JSON for subsequent automated processing.
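The AWS side of this check, as an added example that is not the product's own code: the functions operate on the dictionary shapes returned by boto3's `describe_security_groups()` and `describe_instances()`, the sample groups and reservations are constructed inline, and the port test is generalised slightly so that a `tcp` rule whose port range covers 22 or 3389 (not only an exact single-port rule) is also flagged.

```python
"""Flag EC2 instances whose Security Groups expose SSH/RDP or all traffic to the world."""
from typing import Dict, Iterable, List, Set

WORLD_V4 = "0.0.0.0/0"
WORLD_V6 = "::/0"
RISKY_PORTS = {22, 3389}  # tcp/22 (SSH) and tcp/3389 (RDP)


def rule_is_world_open(perm: Dict) -> bool:
    """True if an IpPermissions entry accepts any IPv4 or IPv6 source address."""
    v4 = any(r.get("CidrIp") == WORLD_V4 for r in perm.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") == WORLD_V6 for r in perm.get("Ipv6Ranges", []))
    return v4 or v6


def rule_exposes_risky_port(perm: Dict) -> bool:
    """True for 'all traffic' (IpProtocol -1) or a tcp range that covers 22 or 3389."""
    proto = perm.get("IpProtocol")
    if proto == "-1":            # all inbound traffic, any port
        return True
    if proto != "tcp":
        return False
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    return any(lo <= p <= hi for p in RISKY_PORTS)


def insecure_group_ids(groups: Iterable[Dict]) -> Set[str]:
    """GroupIds from describe_security_groups()['SecurityGroups'] with an insecure rule."""
    return {g["GroupId"] for g in groups
            if any(rule_is_world_open(p) and rule_exposes_risky_port(p)
                   for p in g.get("IpPermissions", []))}


def exposed_instances(reservations: Iterable[Dict], bad_groups: Set[str]) -> List[str]:
    """InstanceIds from describe_instances()['Reservations'] attached to an insecure group.
    Instances without any SecurityGroups entry are skipped, as the check describes."""
    return sorted(i["InstanceId"] for r in reservations for i in r.get("Instances", [])
                  if any(sg["GroupId"] in bad_groups for sg in i.get("SecurityGroups", [])))


# Constructed sample data mirroring the boto3 response shapes (not real account data).
SAMPLE_GROUPS = [
    {"GroupId": "sg-ssh-open", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-all-open", "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [],
        "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-rdp-vpn", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
        "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},     # private source only: safe
    {"GroupId": "sg-https", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},      # public, but not SSH/RDP
]
SAMPLE_RESERVATIONS = [{"Instances": [
    {"InstanceId": "i-0aaa", "SecurityGroups": [{"GroupId": "sg-ssh-open"}]},
    {"InstanceId": "i-0bbb", "SecurityGroups": [{"GroupId": "sg-https"}, {"GroupId": "sg-all-open"}]},
    {"InstanceId": "i-0ccc", "SecurityGroups": [{"GroupId": "sg-rdp-vpn"}]},
    {"InstanceId": "i-0ddd", "SecurityGroups": []},                       # no group: skipped
]}]
```

To run it against a real account, feed `ec2.describe_security_groups()["SecurityGroups"]` and `ec2.describe_instances()["Reservations"]` for each region from `ec2.describe_regions()` into the two functions.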

### IAM users with unused console access <a href="#iam-users-with-unused-console-access" id="iam-users-with-unused-console-access"></a>

The list contains active IAM users that have console access turned on but have not used it for more than **90 days**. Consider revoking their console access to reduce the attack surface.

Note that the number of days is a custom parameter. Use **Settings** to change it.

### Public S3 buckets <a href="#public-s3-buckets" id="public-s3-buckets"></a>

The S3 buckets in the list are public. Ensure that the buckets use the correct policies and are not publicly accessible unless explicitly required.
