Unused access keys in AWS are an unnecessary security liability. For example, when users leave your organization, their IAM user and corresponding access keys should be removed so they cannot be used improperly or maliciously.
In this guide, we’ll show you how to find and remove unused AWS access keys so you can improve your security posture.
What permissions do you need?
You can sign in to your AWS root user account and there are no restrictions whatsoever for managing IAM resources. If you are not using the root user to make changes, you’ll need to have permissions granted by the following policy:
To allow users to perform specified actions with the AWS console or CLI, you need to include permissions for the actions that the console or CLI performs. For example, if you deny an IAM user to perform iam:ListUsers action, the IAM user won’t be able to list users on the console or CLI.
Even though your user may have permission to access actions such as CreateAccessKey and UpdateAccessKey, the console or CLI will be denied access.
Finding and Removing Unused Access Keys in Your AWS Account
Using the AWS Console:
To find and remove unused access keys with the AWS Console, follow the steps below:
1. Sign in to the AWS IAM console.
2. Choose Users from the navigation panel.
3. Select the settings icon from the table at the right. Choose the Access key last used from the Manage Columns. The Access key last used column will show the last time the users accessed AWS and will show None for users with no access keys. You can use this information to remove unused access keys. Select Close to return to the users' list.
4. Return to Step 2 and select Credential Report from the navigation panel. Choose Download Report to download the status report status_reports_<date>T<time>.csv for the unused access key. The report will include information about the last used date, region, and service for the unused access key. If the value is N/A, the access key hasn’t been used since the IAM started tracking access key age for a specific date.
5. Return to Step 2 and select Security credentials from the navigation panel.
6. Look for the unused access keys and choose Delete after confirming the access key ID.
Using the AWS CLI:
If you want to use the AWS CLI instead, here’s how to find and remove unused access keys that way:
1. Use the following command to get a list of access keys:
You can specify showing the access keys of a certain user by adding the --user-name <user name> filter. If you don’t specify a user, it will use the user associated with signing the request.
Here’s an example:
The output should look like this:
Now that you have the access key ID, you can check when it was last used.
2. Use the following command to find information about the usage of an access key:
The command uses the Access key ID to return information about the LastUsedDate, and the Region, meaning the location where the key was last used. It will also return the ServiceName of the last requested service.
If the LastUsedDate is missing, the access key hasn’t been utilized since at least April 22,2015, when IAM began tracking access key usage.
3. Remove the unused access key by using the following command:
Remove Unused Access Keys Automatically with Blink
Running this check for unused access keys manually requires time and context-switching. You could try to automate it with a script, but if it breaks, it might need to be rewritten over time.
With Blink, you can easily create an automation that handles this check and sends unused access keys to you in a Slack message so you can approve their removal.
Create your free Blink account today and strengthen your AWS security today.