IAM User Has At Most One Active Access Key
Overview
This check identifies IAM users who have two active access keys at the same time. AWS allows each user to have up to two access keys, but best practice is to keep only one active at a time.
Risk
Having two active access keys creates unnecessary security exposure:
- Leaked credentials: If one key is compromised, attackers can access your AWS resources via API calls, potentially stealing data or modifying infrastructure.
- Rotation difficulties: Managing multiple active keys makes credential rotation error-prone. An attacker could maintain access if one key goes undetected during deactivation.
- Audit challenges: Tracking which key is being used for what purpose becomes difficult with multiple active keys.
Remediation Steps
Prerequisites
You need:
- Access to the AWS Console with IAM permissions, OR
- AWS CLI configured with credentials that can manage IAM access keys
AWS Console Method
- Sign in to the AWS Console and go to IAM.
- In the left sidebar, click Users.
- Select the user who has two active access keys.
- Click the Security credentials tab.
- Scroll down to the Access keys section. You will see two keys with status "Active".
- Decide which key to deactivate (typically the older one, unless you know it is still in use).
- Click Actions next to the key you want to deactivate, then select Deactivate.
- Confirm the deactivation when prompted.
- (Optional) After confirming the key is no longer needed, click Actions > Delete to permanently remove it.
Important: Before deactivating a key, ensure it is not actively being used by applications or scripts. Check with your team or review CloudTrail logs to verify.
AWS CLI (optional)
List Access Keys for a User
First, identify the access keys for the affected user:
aws iam list-access-keys \
--user-name <IAM_USER_NAME> \
--region us-east-1
This returns output like:
{
"AccessKeyMetadata": [
{
"UserName": "example-user",
"AccessKeyId": "AKIAIOSFODNN7EXAMPLE",
"Status": "Active",
"CreateDate": "2024-01-15T10:30:00Z"
},
{
"UserName": "example-user",
"AccessKeyId": "AKIAI44QH8DHBEXAMPLE",
"Status": "Active",
"CreateDate": "2025-06-20T14:45:00Z"
}
]
}
Deactivate an Access Key
To deactivate one of the keys:
aws iam update-access-key \
--user-name <IAM_USER_NAME> \
--access-key-id <ACCESS_KEY_ID> \
--status Inactive \
--region us-east-1
Replace:
<IAM_USER_NAME>with the actual username (e.g.,example-user)<ACCESS_KEY_ID>with the key ID to deactivate (e.g.,AKIAIOSFODNN7EXAMPLE)
Delete an Access Key (after confirming it is unused)
Once you have verified the deactivated key is no longer needed:
aws iam delete-access-key \
--user-name <IAM_USER_NAME> \
--access-key-id <ACCESS_KEY_ID> \
--region us-east-1
CloudFormation (optional)
CloudFormation does not directly manage existing access keys for IAM users. Access key lifecycle management is typically handled through operational procedures rather than infrastructure-as-code.
However, you can define IAM users with a single access key in CloudFormation to prevent this issue for new users:
AWSTemplateFormatVersion: '2010-09-09'
Description: IAM user with a single access key
Resources:
MyIAMUser:
Type: AWS::IAM::User
Properties:
UserName: my-application-user
Path: /
MyAccessKey:
Type: AWS::IAM::AccessKey
Properties:
UserName: !Ref MyIAMUser
Status: Active
Outputs:
AccessKeyId:
Description: Access Key ID
Value: !Ref MyAccessKey
SecretAccessKey:
Description: Secret Access Key (store securely)
Value: !GetAtt MyAccessKey.SecretAccessKey
Note: For production use, store the secret access key in AWS Secrets Manager rather than outputting it directly.
Terraform (optional)
Like CloudFormation, Terraform cannot directly remediate existing access keys. However, you can define users with a single access key:
resource "aws_iam_user" "application_user" {
name = "my-application-user"
path = "/"
}
resource "aws_iam_access_key" "user_key" {
user = aws_iam_user.application_user.name
}
# Store the secret in AWS Secrets Manager
resource "aws_secretsmanager_secret" "access_key_secret" {
name = "my-application-user-access-key"
}
resource "aws_secretsmanager_secret_version" "access_key_secret_version" {
secret_id = aws_secretsmanager_secret.access_key_secret.id
secret_string = jsonencode({
access_key_id = aws_iam_access_key.user_key.id
secret_access_key = aws_iam_access_key.user_key.secret
})
}
Best Practice: Consider using IAM roles with temporary credentials instead of long-lived access keys whenever possible.
Verification
After remediation, verify the user has only one active access key:
- In the AWS Console, navigate to IAM > Users > select the user > Security credentials tab.
- Under Access keys, confirm only one key shows status "Active".
CLI verification
aws iam list-access-keys \
--user-name <IAM_USER_NAME> \
--region us-east-1 \
--query "AccessKeyMetadata[?Status=='Active']"
The output should show only one active key.
Additional Resources
- Managing Access Keys (AWS Documentation)
- Rotating Access Keys
- ListAccessKeys API Reference
- AWS Security Best Practices
Notes
- Key rotation overlap: It is acceptable to have two active keys briefly during a key rotation. The process is: create new key, update applications to use new key, verify new key works, then deactivate and delete the old key.
- Prefer IAM roles: Where possible, use IAM roles with temporary credentials (via STS) instead of long-lived access keys. This eliminates the need for key rotation entirely.
- Monitor key usage: Use AWS CloudTrail to track which access keys are being used. This helps identify unused keys that can be safely removed.
- Automation considerations: If access keys are used by automated systems, coordinate with application owners before deactivating keys to avoid service disruptions.