Remediating Old or Unused IAM Access Keys

Overview

This tutorial walks through rotating IAM access keys that are old (90+ days) or unused. Stale access keys are a security risk — if compromised, they provide persistent access to your AWS account. The remediation involves creating a new replacement key, deactivating the old key, and then deleting it once you've confirmed nothing depends on it.

Cost Impact: No direct cost savings. IAM access keys are free. However, rotating keys reduces security risk from compromised credentials, which can prevent costly breaches.

Prerequisites

  • Access to the AWS Console
  • IAM permissions to manage access keys (iam:CreateAccessKey, iam:UpdateAccessKey, iam:DeleteAccessKey)
  • Knowledge of which applications or scripts use the key being rotated
  • A secure location to store the new credentials (e.g., AWS Secrets Manager)

Step 1: Review the Existing Access Key

Navigate to the IAM user's Security credentials tab at: https://us-east-1.console.aws.amazon.com/iam/home#/users

Select the user whose key needs rotation, then click the Security credentials tab.

Under Access keys, you can see the key's creation date and last used date. Keys older than 90 days or unused for 90+ days should be rotated.

Step 2: Create a New Access Key

Click Create access key to generate a replacement key.

Select the appropriate use case for the access key. For most remediation scenarios, choose Application running outside AWS or Other.

Click Next.

Optionally add a description tag to track the rotation (e.g., "Rotated key - replaces AKIA..."). Click Create access key.

Important: Copy or download the new access key ID and secret access key now. This is the only time the secret key will be shown. Store it securely — for example, in AWS Secrets Manager.

Click Done when you've saved the credentials.

Step 3: Deactivate the Old Access Key

Before deleting the old key, deactivate it first. This lets you verify that nothing breaks before permanent removal.

Find the old key in the Access keys list. Click Actions > Make inactive (or click the status toggle). This immediately stops the key from authenticating, but keeps it available to reactivate if needed.

Confirm deactivation in the dialog. Wait a few days to verify no applications are impacted before deleting.

Step 4: Delete the Old Access Key

Once you've confirmed nothing depends on the old key, delete it permanently. Click Actions > Delete next to the old key.

Type the access key ID in the confirmation field and click Delete. This action is irreversible.

Verification

Return to the user's Security credentials tab. The user now has only one active access key — the newly created one. The old key has been deleted.

Update any applications or scripts that used the old key with the new credentials stored in Secrets Manager.

Alternative Approaches

CLI Rotation

Use the AWS CLI for scripted rotation:

# Create new key
aws iam create-access-key --user-name <username>

# Deactivate old key
aws iam update-access-key --user-name <username> --access-key-id AKIAXXXXXXXXXXXXXXXX --status Inactive

# Delete old key (after verification period)
aws iam delete-access-key --user-name <username> --access-key-id AKIAXXXXXXXXXXXXXXXX
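The review in Step 1 and the CLI steps above can be combined into a small triage script. The following is an added example, not part of the original tutorial: it applies the 90-day criteria to the JSON shapes returned by `aws iam list-access-keys` and `aws iam get-access-key-last-used` (the sample data below is constructed, with placeholder key IDs and a made-up user "deploy") and prints the rotation commands for each stale key.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of `aws iam list-access-keys --user-name deploy` (placeholder key IDs).
LIST_KEYS = json.loads("""{"AccessKeyMetadata": [
 {"UserName": "deploy", "AccessKeyId": "AKIAEXAMPLE000000001", "Status": "Active", "CreateDate": "2024-01-10T09:00:00+00:00"},
 {"UserName": "deploy", "AccessKeyId": "AKIAEXAMPLE000000002", "Status": "Active", "CreateDate": "2024-02-01T09:00:00+00:00"},
 {"UserName": "deploy", "AccessKeyId": "AKIAEXAMPLE000000003", "Status": "Active", "CreateDate": "2024-01-01T09:00:00+00:00"},
 {"UserName": "deploy", "AccessKeyId": "AKIAEXAMPLE000000004", "Status": "Active", "CreateDate": "2024-06-15T09:00:00+00:00"},
 {"UserName": "deploy", "AccessKeyId": "AKIAEXAMPLE000000005", "Status": "Inactive", "CreateDate": "2024-01-01T09:00:00+00:00"}]}""")

# Constructed samples in the shape of `aws iam get-access-key-last-used`; a never-used key has no LastUsedDate.
LAST_USED = {
    "AKIAEXAMPLE000000001": {"AccessKeyLastUsed": {"LastUsedDate": "2024-06-20T12:00:00+00:00", "ServiceName": "s3"}},
    "AKIAEXAMPLE000000002": {"AccessKeyLastUsed": {"ServiceName": "N/A"}},
    "AKIAEXAMPLE000000003": {"AccessKeyLastUsed": {"LastUsedDate": "2024-03-15T08:00:00+00:00", "ServiceName": "ec2"}},
    "AKIAEXAMPLE000000004": {"AccessKeyLastUsed": {"LastUsedDate": "2024-06-28T08:00:00+00:00", "ServiceName": "sts"}},
    "AKIAEXAMPLE000000005": {"AccessKeyLastUsed": {"LastUsedDate": "2024-03-01T08:00:00+00:00", "ServiceName": "iam"}},
}

def stale_keys(list_keys, last_used, now, max_age_days=90):
    """Return the active keys that meet the tutorial's rotation criteria, with age and reason."""
    cutoff = now - timedelta(days=max_age_days)
    findings = []
    for key in list_keys["AccessKeyMetadata"]:
        if key["Status"] != "Active":
            continue  # already deactivated (Step 3); it only awaits deletion
        created = datetime.fromisoformat(key["CreateDate"])
        if created > cutoff:
            continue  # newer than the threshold, so any use of it is recent as well
        used = last_used[key["AccessKeyId"]]["AccessKeyLastUsed"].get("LastUsedDate")
        if used is None:
            reason = "never used"  # no recorded use: likely removable without a replacement
        elif datetime.fromisoformat(used) <= cutoff:
            reason = f"unused for {(now - datetime.fromisoformat(used)).days} days"
        else:
            reason = f"{(now - created).days} days old but still in use"  # needs the full create/deactivate/delete cycle
        findings.append({"UserName": key["UserName"], "AccessKeyId": key["AccessKeyId"], "AgeDays": (now - created).days, "Reason": reason})
    return findings

def rotation_commands(user, key_id):
    """The tutorial's CLI steps for one stale key, in order: create replacement, deactivate, delete."""
    return [f"aws iam create-access-key --user-name {user}",
            f"aws iam update-access-key --user-name {user} --access-key-id {key_id} --status Inactive",
            f"aws iam delete-access-key --user-name {user} --access-key-id {key_id}"]

if __name__ == "__main__":
    for f in stale_keys(LIST_KEYS, LAST_USED, datetime.now(timezone.utc)):
        print(f["AccessKeyId"], f["Reason"], *rotation_commands(f["UserName"], f["AccessKeyId"]), sep="\n  ")
```

To run it against a real account, replace the constructed dicts with the parsed output of the two CLI commands named in the comments; the deactivate and delete commands are printed, not executed, so the verification wait in Step 3 still happens by hand.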

Automatic Rotation

Set up AWS Secrets Manager automatic rotation with a Lambda function to rotate keys on a schedule. This eliminates the manual rotation burden entirely.

Eliminate Keys Entirely

Migrate to IAM roles with temporary credentials (STS AssumeRole) where possible. This is the most secure approach and eliminates the rotation burden completely.

Summary

  • Security impact: Eliminates risk from stale credentials
  • Best practice: Rotate keys every 90 days or less
  • Recommended approach: Migrate to IAM roles with temporary credentials where possible
  • Always deactivate before deleting to avoid disrupting running applications