Unused IAM Access keys

Securing AWS Cloud – Unused IAM Access Keys removal

By: Aseem Rastogi | 5 Aug 2018

Unused IAM Access Keys removal

Access Keys are used for accessing AWS environment via APIs. Unused IAM access keys are a security risk they increase the attack surface.

Following compliance controls may be fulfilled by removing unused access keys –

  • ISO 27001 – A.9.2.4 – Management of secret authentication information of users
  • HIPAA 164.308(a)(5)(ii)(D) – Procedures for creating, changing, and safeguarding passwords.

Unused IAM access keys may result in compromised account or even takeover. It is strongly recommended to audit AWS account periodically and ensure proper configuration.

How to Audit AWS Account for Unused Access Keys

  1. Login to AWS console, in IAM service select “Users”
  2. Click on the username you want to audit (#2 in screen below)
IAM Access Key Rotation
IAM Access Key Rotation
  1. In the next panel, open “Security Credentials” tab
IAM Access Key Rotation
IAM Access Key Rotation
  1. Examine the column “Last Used” and ensure that last used date is does not say N/A. If it says N/A then this has never been used hence this is unused key.
  2. This procedure needs to be repeated for all the users present in AWS account
Unused IAM Access Key
Unused IAM Access Key


To remediate deactivate unused access keys.

To keep AWS environment secure & in compliance with regulation above steps need to be repeated as often there is a change in AWS infrastructure. Ask us how can we help in keeping a constant watch, or request a free trial.