New in IAM: Quickly Identify When an Access Key Was Last Used

Rotate access keys regularly and remove inactive users. You’ve probably heard us mention these as two AWS Identity and Access Management (IAM) security best practices. But how do you know when access keys (for an IAM user or the root account) are no longer in use and safe to delete? To help you answer this question, IAM now reports the time stamp when access keys were last used along with the region and the AWS service that was accessed. These details complement password last used data to provide a more thorough picture of when an IAM user or root account was last active, which enable you to rotate old keys and remove inactive users with greater confidence. You can view access key last used data interactively in the IAM console, programmatically via the API/CLI/SDK, or in the contents of an IAM credential report.

This blog post will show you how to determine when an IAM user’s or root account’s access keys were last used and how to download a snapshot of access key last used information for your entire account. 

View an IAM user’s access key last used information

From the IAM console, you can find a user’s access key last used details by clicking Users in the navigation pane. When you click an individual user name, access key last used details are now included in the Security Credentials section (the bottommost pane containing information about the user’s access keys, password, and multi-factor authentication [MFA] device), as shown in the following screenshot. If the user has two access keys, last used details for both keys are displayed.

If you want to know when the root account’s access keys were last used, click your account name in the upper right-hand corner of the navigation bar, and then click Security Credentials in the dropdown. On the Your Security Credentials page, click Access Keys (Access Key ID and Secret Access Key) to view root access key last used details, as shown in the following screenshot. As a security best practice, though, AWS recommends that you avoid using root keys, and instead rely on IAM user keys or temporary security credentials.

Download an access key last used snapshot for your entire account

If you want to view when all access keys in your account were last used, you can download an IAM credential report. This report is a snapshot of your IAM users and root account. The report contains details about their security credentials, such as whether MFA is activated, when passwords were last rotated, and—now—access key last used information. You can download credential reports from the IAM console by clicking Credential Report in the navigation pane and then clicking Download Report (see the following screenshot), or by programmatically using the IAM API or AWS CLI.

With access key last used details now at your fingertips, you can quickly identify old keys and have more peace of mind about when it is safe to rotate keys or remove inactive users. At times, you might want to examine usage patterns in more detail for a specific access key, such as if a key was inadvertently shared at some point. We recommend that you turn on AWS CloudTrail because information in the CloudTrail logs can be helpful for this kind of assessment.

To learn more about the access key last used feature, see the IAM User Guide and the IAM API reference. Also, feel free to post questions and feature requests on the IAM forum.

- Kai Zhao, Product Manager, AWS Identity and Access Management

Comments