IAM User Unused Access Keys
Overview
This check identifies IAM user access keys that have not been used for more than 45 days. Access keys are long-lived credentials that grant programmatic access to your AWS account and never expire on their own. A key that nothing uses anymore but that is still Active is pure attack surface: it provides no value to you, but it works perfectly for anyone who finds it.
Risk
Unused access keys that remain active pose significant security risks:
- Forgotten backdoors: Unused keys may be forgotten but still work, creating unmonitored entry points
- Credential theft: If an old key is compromised (leaked in code, stolen from a backup), attackers can use it immediately
- Audit blind spots: Unused keys make it harder to track who has access to your account
- Compliance violations: Many security frameworks require regular credential rotation and removal of unused credentials
Remediation Steps
Prerequisites
You need permission to list, deactivate and delete access keys for the affected users: iam:ListUsers, iam:ListAccessKeys, iam:GetAccessKeyLastUsed, iam:UpdateAccessKey and iam:DeleteAccessKey. The IAMFullAccess managed policy includes these, but a narrower policy granting only these actions is preferable for a remediation role.
AWS Console Method
- Sign in to the AWS Management Console
- Navigate to IAM (search for "IAM" in the top search bar)
- In the left sidebar, click Users
- Click on the username flagged in the Prowler finding
- Select the Security credentials tab
- Scroll down to the Access keys section
- For each unused key older than 45 days:
- First, deactivate the key by clicking Make inactive (this is reversible)
- Wait a few days to confirm nothing breaks
- Then delete the key by clicking Delete (this is permanent)
- Repeat for any other affected users
Tip: Before deactivating a key, check the "Last used" column. A last-used date more than 45 days ago marks the key as a candidate for removal. A key with no recorded use at all should be judged by its creation date: one created months ago and never used is a candidate too, while one created last week is probably just not in use yet.
AWS CLI (optional)
List Access Keys for a User
aws iam list-access-keys \
--user-name <USER_NAME> \
--region us-east-1
Check When a Key Was Last Used
aws iam get-access-key-last-used \
--access-key-id <ACCESS_KEY_ID> \
--region us-east-1
Deactivate an Unused Key
Deactivating is safer than deleting immediately, as you can reactivate if needed:
aws iam update-access-key \
--user-name <USER_NAME> \
--access-key-id <ACCESS_KEY_ID> \
--status Inactive \
--region us-east-1
Delete an Access Key (Permanent)
Only do this after the key has been Inactive long enough to be sure nothing depends on it. Deletion is irreversible and the secret access key cannot be recovered; a dependent workload would need a newly issued key:
aws iam delete-access-key \
--user-name <USER_NAME> \
--access-key-id <ACCESS_KEY_ID> \
--region us-east-1
Script: Find All Unused Keys Across All Users
This script lists every active access key that has not been used for more than 45 days. A key with no recorded use is judged by its creation date, so a freshly created key that nobody has used yet is not reported:
#!/bin/bash
# Lists active IAM access keys unused for more than THRESHOLD_DAYS.
# IAM is a global service, so no --region flag is needed. Keys that have never
# been used are judged by their creation date, so a brand-new key is not flagged.
set -euo pipefail
THRESHOLD_DAYS=45
# GNU date first, BSD/macOS date as the fallback; UTC to match AWS timestamps
THRESHOLD_DATE=$(date -u -d "-${THRESHOLD_DAYS} days" +%Y-%m-%d 2>/dev/null || date -u -v-${THRESHOLD_DAYS}d +%Y-%m-%d)
for user in $(aws iam list-users --query 'Users[*].UserName' --output text); do
  # Only Active keys matter; emit "KeyId CreateDate" pairs for this user
  aws iam list-access-keys --user-name "$user" \
    --query 'AccessKeyMetadata[?Status==`Active`].[AccessKeyId,CreateDate]' --output text |
  while read -r key_id created; do
    [[ -z "$key_id" || "$key_id" == "None" ]] && continue
    last_used=$(aws iam get-access-key-last-used --access-key-id "$key_id" \
      --query 'AccessKeyLastUsed.LastUsedDate' --output text)
    # Never-used keys report "None"; fall back to the creation date
    if [[ "$last_used" == "None" ]]; then ref=$created; else ref=$last_used; fi
    # Timestamps are ISO 8601, so comparing the YYYY-MM-DD prefix as a string compares dates
    if [[ "${ref:0:10}" < "$THRESHOLD_DATE" ]]; then
      echo "User: $user, KeyId: $key_id, Created: $created, LastUsed: $last_used"
    fi
  done
done
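The script above makes two API calls per key, which gets slow in accounts with many users. The IAM credential report (aws iam generate-credential-report, then aws iam get-credential-report) describes every user's password and access-key state in one CSV, and it is the same data source that surfaces the "never used" versus "last used" distinction the Tip above relies on. The following is an added example, not code from the original page or from Prowler: it evaluates such a report offline against the 45-day threshold, judging never-used keys by their creation (last_rotated) date. The column names are those of the real credential report; the sample rows, account ID and user names are constructed for illustration. Date arithmetic is done in pure bash so the script behaves identically on Linux and macOS.

```bash
#!/usr/bin/env bash
# Added example (not part of the Prowler page): evaluate an IAM credential report
# for active access keys unused for more than THRESHOLD_DAYS. Column names are the
# real report's; the sample rows below are constructed.
set -euo pipefail

THRESHOLD_DAYS=45

# Days since 1970-01-01 for a YYYY-MM-DD string, via the Julian Day Number
# (the Unix epoch is JDN 2440588). Avoids GNU/BSD date(1) differences.
days_since_epoch() {
  local y=$((10#${1:0:4})) m=$((10#${1:5:2})) d=$((10#${1:8:2}))
  if (( m <= 2 )); then y=$(( y - 1 )); m=$(( m + 12 )); fi
  local a=$(( y / 100 ))
  local b=$(( 2 - a + a / 4 ))
  local jdn=$(( 36525 * (y + 4716) / 100 + 306001 * (m + 1) / 10000 + d + b - 1524 ))
  echo $(( jdn - 2440588 ))
}

# One key slot of a report row. A key that was never used is judged by its
# creation (last_rotated) date, so a brand-new key does not trip the threshold.
# $1 user, $2 slot (1|2), $3 active, $4 last_rotated, $5 last_used_date, $6 today (epoch days)
check_key_slot() {
  local user=$1 slot=$2 active=$3 rotated=$4 used=$5 today_days=$6
  [[ "$active" == "true" ]] || return 0
  local ref reason
  if [[ "$used" == "N/A" ]]; then ref=${rotated:0:10}; reason="never used, created"
  else ref=${used:0:10}; reason="last used"; fi
  local age=$(( today_days - $(days_since_epoch "$ref") ))
  if (( age > THRESHOLD_DAYS )); then
    echo "$user access_key_$slot $reason $ref ($age days)"
  fi
}

# Walk every row of the report. The header and the <root_account> row are
# skipped because this check is about IAM users. $1 report CSV, $2 date YYYY-MM-DD.
evaluate_report() {
  local report=$1 today_days
  today_days=$(days_since_epoch "$2")
  while IFS=, read -r user _arn _created _pw_en _pw_used _pw_chg _pw_rot _mfa \
      k1_active k1_rotated k1_used _k1_region _k1_svc \
      k2_active k2_rotated k2_used _k2_region _k2_svc _rest; do
    [[ -z "$user" || "$user" == "user" || "$user" == "<root_account>" ]] && continue
    check_key_slot "$user" 1 "$k1_active" "$k1_rotated" "$k1_used" "$today_days"
    check_key_slot "$user" 2 "$k2_active" "$k2_rotated" "$k2_used" "$today_days"
  done <<< "$report"
}

# Constructed sample report (real column order). Evaluated as of 2024-06-01:
#   ci-deployer   key 1 used 2 days ago                    -> no finding
#   legacy-backup key 1 last used 2024-01-03               -> finding (150 days)
#   legacy-backup key 2 never used, created 12 days ago    -> no finding
#   dormant-svc   key 1 never used since creation in 2023  -> finding (486 days)
#   new-hire      key 1 never used, created 4 days ago     -> no finding
SAMPLE_REPORT='user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2020-01-10T09:00:00+00:00,not_supported,2024-05-01T08:00:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
ci-deployer,arn:aws:iam::111122223333:user/ci-deployer,2022-03-01T10:00:00+00:00,false,N/A,N/A,N/A,false,true,2024-01-15T10:00:00+00:00,2024-05-30T11:20:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
legacy-backup,arn:aws:iam::111122223333:user/legacy-backup,2021-06-01T10:00:00+00:00,false,N/A,N/A,N/A,false,true,2021-06-01T10:05:00+00:00,2024-01-03T02:00:00+00:00,eu-west-1,s3,true,2024-05-20T09:00:00+00:00,N/A,N/A,N/A,false,N/A,false,N/A
dormant-svc,arn:aws:iam::111122223333:user/dormant-svc,2023-02-01T10:00:00+00:00,false,N/A,N/A,N/A,false,true,2023-02-01T10:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
new-hire,arn:aws:iam::111122223333:user/new-hire,2024-05-28T10:00:00+00:00,true,N/A,2024-05-28T10:00:00+00:00,N/A,true,true,2024-05-28T10:01:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A'

evaluate_report "$SAMPLE_REPORT" 2024-06-01
```

To run it against a real account, request the report with aws iam generate-credential-report (repeat until it reports STATE COMPLETE), decode it with aws iam get-credential-report --query Content --output text | base64 -d, and pass the resulting CSV to evaluate_report together with today's date. The report also carries the last-used region and service for each key, which is often enough to identify the workload that owned a forgotten key before you deactivate it.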
CloudFormation (optional)
CloudFormation does not directly manage the lifecycle of existing access keys. However, you can use CloudFormation to set up automated detection and alerting using AWS Config.
AWS Config Rule for Unused Access Keys
AWSTemplateFormatVersion: '2010-09-09'
Description: AWS Config rule to detect unused IAM access keys
Resources:
  UnusedAccessKeyRule:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: iam-user-unused-credentials-check
      Description: Checks whether IAM users have unused credentials older than the specified age
      Source:
        Owner: AWS
        SourceIdentifier: IAM_USER_UNUSED_CREDENTIALS_CHECK
      InputParameters:
        maxCredentialUsageAge: '45'
      MaximumExecutionFrequency: TwentyFour_Hours
Outputs:
  ConfigRuleArn:
    Description: ARN of the Config rule
    Value: !GetAtt UnusedAccessKeyRule.Arn
Note: This template creates a detection rule, not automatic remediation. You will still need to manually deactivate or delete flagged keys. The managed rule also evaluates unused console passwords, so it may report users that the Prowler access-key check does not.
Terraform (optional)
Like CloudFormation, Terraform can set up detection but not automatically remediate existing keys. Here is an AWS Config rule for ongoing monitoring:
AWS Config Rule
resource "aws_config_config_rule" "iam_unused_credentials" {
  name        = "iam-user-unused-credentials-check"
  description = "Checks whether IAM users have unused credentials older than 45 days"

  source {
    owner             = "AWS"
    source_identifier = "IAM_USER_UNUSED_CREDENTIALS_CHECK"
  }

  input_parameters = jsonencode({
    maxCredentialUsageAge = "45"
  })

  maximum_execution_frequency = "TwentyFour_Hours"

  # A Config rule cannot be created before the recorder exists. The resource
  # name "main" is a placeholder; use the name of your own recorder resource.
  depends_on = [aws_config_configuration_recorder.main]
}
Note: Ensure you have an AWS Config recorder enabled in your account before deploying this rule.
Verification
After deactivating or deleting unused keys:
- Return to the IAM Console > Users > [Username] > Security credentials
- Confirm the key status shows Inactive or the key is no longer listed
- Re-run the Prowler check to confirm the finding is resolved:
Verification commands
# Re-run Prowler for this specific check (IAM is global, so no region filter is needed)
prowler aws --checks iam_user_accesskey_unused
# Or verify via the CLI that the key is Inactive or no longer listed
aws iam list-access-keys \
  --user-name <USER_NAME> \
  --query 'AccessKeyMetadata[*].[AccessKeyId,Status,CreateDate]' \
  --output table
Additional Resources
- AWS Documentation: Managing Access Keys
- AWS Documentation: Rotating Access Keys
- AWS Security Best Practices: Remove Unnecessary Credentials
- AWS Config Managed Rule: IAM_USER_UNUSED_CREDENTIALS_CHECK
Notes
- Deactivate before deleting: Always deactivate a key first and wait a few days before permanently deleting it. If an application was quietly using the key, it will fail visibly while the key is Inactive, and you can reactivate it in seconds; a deleted key cannot be restored.
- Coordinate with key owners: Before removing keys, try to identify who created them and what they were used for. get-access-key-last-used reports the service and region of the most recent call, and CloudTrail logs (search on the access key ID) show the full history of what the key did.
- Consider IAM roles instead: For applications running on AWS (EC2, Lambda, ECS), prefer IAM roles over access keys. Roles provide temporary credentials that rotate automatically.
- Set up ongoing monitoring: Use AWS Config (shown above) or AWS IAM Access Analyzer to continuously monitor for unused credentials.
- Document your key rotation policy: Establish a clear policy for key rotation (e.g., every 90 days) and communicate it to your team.