Unused AWS IAM Access Keys

Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!


Risk level: Medium (should be achieved)

Identify and remove any unused IAM access keys in order to protect your AWS resources against unapproved access. An IAM user access key pair is considered unused when it has not been used for a specified period of time, in this case 30 days.

This rule resolution is part of the Cloud Conformity Security Package

Removing unused AWS IAM credentials can significantly reduce the risk of unauthorized access to your AWS resources. In particular, you want to revoke access for IAM users who have left your organization and for applications and tools that no longer use these resources.

Audit

To determine if your AWS IAM users have any unused (> 30 days) access keys currently active, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, choose Users.

04 Click on the IAM user name that you want to examine.

05 On the IAM user configuration page, select Security Credentials tab.

06 Under the Access Keys section, in the Last Used column, check the timestamp when each active key was last used by an AWS service or application. If an active access key's last used timestamp is older than 30 days, the key is no longer in use and you can safely delete it to secure access to your AWS resources.

07 Repeat steps no. 4 – 6 for each IAM user in your AWS account that you want to examine.

Using AWS CLI

01 Run list-users command (OSX/Linux/UNIX) to list all IAM users within your account:

aws iam list-users --query 'Users[*].UserName'

02 The command output should return an array that contains all your IAM user names:

[
	"ec2-manager",
	...
	"aws-emr-manager"
]

03 Run list-access-keys command (OSX/Linux/UNIX) using the IAM user name that you want to examine as command parameter to return the metadata of each access key (ID, status, creation date, etc.):

aws iam list-access-keys --user-name ec2-manager

04 The command output should expose the metadata for each access key created for the selected IAM user:

{
	"AccessKeyMetadata": [
		{
			"UserName": "ec2-manager",
			"Status": "Active",
			"CreateDate": "2015-05-17T08:48:35Z",
			"AccessKeyId": "AAAABBBBCCCCDDDDEEEE"
		},
		{
			"UserName": "ec2-manager",
			"Status": "Active",
			"CreateDate": "2016-01-20T07:55:33Z",
			"AccessKeyId": "EEEEDDDDCCCCBBBBAAAA"
		}
	]
}

05 Run get-access-key-last-used command (OSX/Linux/UNIX) using the active key ID (returned at the previous step) as command parameter to determine when the selected key was last used:

aws iam get-access-key-last-used --access-key-id AAAABBBBCCCCDDDDEEEE

06 The command output should return the date and time of last use, the AWS region, and the service that last used the key:

{
	"UserName":  "ec2-manager",
	"AccessKeyLastUsed": {
		"Region": "N/A",
		"ServiceName": "s3",
		"LastUsedDate": "2015-09-22T08:09:00Z"
	}
}

Check the LastUsedDate property value to determine if the key's last used date is older than 30 days. If the selected access key pair was not used at all in the past month, the key is no longer in use and you can safely delete it to secure access to your AWS resources.

07 Repeat steps no. 5 and 6 for each active access key associated with the selected IAM user.

08 Repeat steps no. 3 – 7 for each IAM user in your AWS account that you want to examine.
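The CLI audit steps above, automated in one script. This is an added example, not Cloud Conformity's own tooling: it wraps the same three commands (list-users, list-access-keys, get-access-key-last-used) for every user and applies the 30-day threshold, and also covers keys that have never been used, for which the CLI returns no LastUsedDate, so the key's creation date is used as the reference instead. It assumes the aws CLI is installed and configured with credentials that can read IAM; all function names are the example's own.

```python
"""Audit every IAM user for active access keys idle for more than 30 days.
Wraps the AWS CLI commands the Audit section walks through and applies the 30-day
rule. Assumes the aws CLI is installed with credentials that can read IAM."""
import json
import subprocess
from datetime import datetime, timedelta, timezone

UNUSED_AFTER_DAYS = 30  # threshold used by this rule

# Sample records copied from the command output shown in the Audit section.
SAMPLE_KEY = {"UserName": "ec2-manager", "Status": "Active",
              "CreateDate": "2015-05-17T08:48:35Z", "AccessKeyId": "AAAABBBBCCCCDDDDEEEE"}
SAMPLE_LAST_USED = {"Region": "N/A", "ServiceName": "s3", "LastUsedDate": "2015-09-22T08:09:00Z"}


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps the CLI returns ("...Z" or "...+00:00")."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def aws(*args):
    """Run one 'aws iam ...' command and return its parsed JSON output."""
    return json.loads(subprocess.check_output(["aws", "iam", *args, "--output", "json"]))


def key_idle_since(key_meta, last_used, now):
    """Return the date since which an active key has been idle, or None if it is in use.
    key_meta is one AccessKeyMetadata entry, last_used the AccessKeyLastUsed object.
    A never-used key carries no LastUsedDate, so its CreateDate is the reference
    instead; Inactive keys cannot authenticate and are skipped."""
    if key_meta["Status"] != "Active":
        return None
    reference = parse_ts(last_used.get("LastUsedDate") or key_meta["CreateDate"])
    if now - reference > timedelta(days=UNUSED_AFTER_DAYS):
        return reference
    return None


def find_unused_keys(now=None):
    """Yield (user name, access key id, idle-since) for every stale key in the account."""
    now = now or datetime.now(timezone.utc)
    for user in aws("list-users", "--query", "Users[*].UserName"):
        for key in aws("list-access-keys", "--user-name", user)["AccessKeyMetadata"]:
            usage = aws("get-access-key-last-used", "--access-key-id", key["AccessKeyId"])
            since = key_idle_since(key, usage["AccessKeyLastUsed"], now)
            if since is not None:
                yield user, key["AccessKeyId"], since


if __name__ == "__main__":
    for user, key_id, since in find_unused_keys():
        print(f"{user}\t{key_id}\tidle since {since:%Y-%m-%d}")
```

Each line printed is a candidate for the Remediation steps below; keys that are Inactive or used within the last 30 days are never listed.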

Remediation / Resolution

To remove any unused (non-operational for more than 30 days) IAM access keys, you need to perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, choose Users.

04 Click on the IAM user name that you want to examine.

05 On the IAM user configuration page, select Security Credentials tab.

06 In the Access Keys section, identify any unused access key (see Audit section) and remove it by clicking the Delete link accessible in the Actions column.

07 In the Delete Access Key confirmation box, click Delete to remove the selected key.

08 Repeat steps no. 4 – 7 for each IAM user in your AWS account that has unused access keys.

Using AWS CLI

01 Run delete-access-key command (OSX/Linux/UNIX) to remove the unused active access key pair for the selected IAM user. See the Audit section part II (AWS CLI) to identify any unused access keys. The following command example removes an access key with the ID AAAABBBBCCCCDDDDEEEE for an IAM user with the name ec2-manager (if successful, the command does not produce any output):

aws iam delete-access-key \
	--access-key-id AAAABBBBCCCCDDDDEEEE \
	--user-name ec2-manager

02 Repeat step no. 1 for each unused (idle for more than 30 days) access key pair assigned to the selected user. Repeat the process for each IAM user with unused access keys.

Publication date May 16, 2016