User did not log in the past 90 days

It is recommended that all user accounts that have been unused for 90 days or more be removed or deactivated. Suspending or removing unused user accounts will reduce the window of opportunity for credentials associated with a compromised or abandoned account to be used.

Risk Level: High
Cloud Entity: GCP IAM User
CloudGuard Rule ID: D9.GCP.IAM.19
Covered by Spectral: No
Category: Security, Identity, & Compliance


GcpIamUser should have userData.lastLoginTime after(-90,'days')


From Portal

  1. Go to Admin console :
  2. From the Admin console Home page, go to Users.
  3. In the Users list, find the user.
  4. Point to the user you want to delete and click Moreand thenDelete user
  5. Depending on your privileges as an admin, choose an option:
  • Delegated admins : To confirm that you understand the impact of deleting the account, check the boxes.
  • Super admins: To transfer ownership of user content:
    If you don't want to transfer the user's data, next to Data in other apps, select Don't transfer data.
    If you do want to transfer the user's data:
    a. Next to Data in other apps, select Transfer.
    b. In the Search for a user field, enter the name or email address of the user to whom you want to transfer the files deleted users files.
    c. Under Select data to transfer, check the boxes next to each option you want.
  1. Click Delete User.




An IAM user is an entity that you create in GCP to represent the person or service that uses it to interact with GCP.

Compliance Frameworks

  • CloudGuard GCP All Rules Ruleset
  • GCP CloudGuard Best Practices
  • GCP MITRE ATT&CK Framework v12.1
  • GCP NIST 800-53 Rev 5
  • GCP PCI-DSS 4.0