AWS Identity and Access Management
User Guide

Finding Unused Credentials

When users leave your organization or services are no longer used, it is important to find the credentials that they were using and ensure that they are no longer operational. Ideally, you delete credentials if they are no longer needed. You can always recreate them at a later date if the need arises. At the very least you should change the credentials so that the former users no longer have access.

Of course, the definition of "unused" can vary and usually means a credential that has not been used within a specified period of time.

Finding Unused Passwords

You can use the AWS Management Console to download a credential report with information about when each user last used their console password. You can also access the information from the AWS CLI, Tools for Windows PowerShell, or the IAM API.

To find unused passwords by downloading the credential report in the IAM console

  1. Sign in to the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Credential report.

  3. Choose Download Report to download a comma-separated value (CSV) file named status_reports_<date>T<time>.csv. The fifth column, password_last_used, contains the date the password was last used or one of the following values:

    • N/A – Users that do not have a password assigned at all.

    • no_information – Users that have not used their password since IAM began tracking password age on October 20, 2014.

To find unused passwords from the AWS CLI, Tools for Windows PowerShell and IAM API

You can use the following commands to find unused passwords:

  • AWS CLI: aws iam list-users returns a list of users, each with a PasswordLastUsed value. If the value is missing, then the user either has no password or the password has not been used since IAM began tracking password age on October 20, 2014.

  • Tools for Windows PowerShell: Get-IAMUsers returns a collection of User objects, each of which has a PasswordLastUsed property. If the property value is 1/1/0001 12:00:00 AM, then the user either has no password or the password has not been used since IAM began tracking password age on October 20, 2014.

  • IAM API: ListUsers returns a collection of users, each of which has a <PasswordLastUsed> value. If the value is missing, then the user either has no password or the password has not been used since IAM began tracking password age on October 20, 2014.

    For information about the commands to download the credentials report, see Getting Credential Reports (AWS CLI, Tools for Windows PowerShell, or IAM API).

Finding unused access keys

You can use the AWS Management Console to download a credential report to find when each user last used their access keys. You can also access the information from the AWS CLI, Tools for Windows PowerShell, or the IAM API.

To find unused access keys by downloading the credential report in the IAM console

  1. Sign in to the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Credential report.

  3. Choose Download Report to download a comma-separated value (CSV) file named status_reports_<date>T<time>.csv. Columns 11 through 13 contain the last used date, region, and service for access key 1, and columns 16 through 18 contain the same information for access key 2. The last used date is N/A if the user does not have that access key or has not used it since IAM began tracking access key age on April 22, 2015.
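Once the report is downloaded, both console procedures above (the password_last_used column for passwords, and columns 11 through 13 and 16 through 18 for access keys) can be checked by script. The following is an added example, not code from the AWS documentation: it parses a constructed sample report (fictitious users in a fictitious account, not real data) by column position as described above and reports passwords and active access keys that were never used or not used within a chosen number of days. It also reads the report's access_key_1_active and access_key_2_active columns (columns 9 and 14), which the procedure above does not mention, so that a key that exists but was never used can be told apart from a user who has no key at all. The header row in the sample uses the report's column names as this example assumes them, and the certificate columns after column 18 are omitted.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample credential report (fictitious users in fictitious account
# 123456789012, not real data). The header row carries the report's column
# names as assumed for this example; the columns the procedure above refers
# to are located by position: password_last_used is column 5, access key 1's
# last-used date/region/service are columns 11-13 and access key 2's are
# columns 16-18. Certificate columns after column 18 are left out.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service
alice,arn:aws:iam::123456789012:user/alice,2015-06-01T00:00:00+00:00,true,2016-03-10T08:30:00+00:00,2016-01-01T00:00:00+00:00,N/A,true,true,2015-06-01T00:00:00+00:00,2016-03-09T12:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A
bob,arn:aws:iam::123456789012:user/bob,2015-06-01T00:00:00+00:00,true,2015-07-01T08:30:00+00:00,2015-06-01T00:00:00+00:00,N/A,false,true,2015-06-01T00:00:00+00:00,2015-08-01T12:00:00+00:00,eu-west-1,ec2,true,2015-09-01T00:00:00+00:00,N/A,N/A,N/A
carol,arn:aws:iam::123456789012:user/carol,2015-10-01T00:00:00+00:00,true,no_information,2015-10-01T00:00:00+00:00,N/A,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A
svc-deploy,arn:aws:iam::123456789012:user/svc-deploy,2015-10-01T00:00:00+00:00,false,N/A,N/A,N/A,false,true,2015-10-01T00:00:00+00:00,2016-03-11T02:00:00+00:00,us-east-1,ec2,false,N/A,N/A,N/A,N/A
"""

# Constructed date on which the sample report was generated; the reference point for "unused".
REPORT_DATE = datetime(2016, 3, 15, tzinfo=timezone.utc)

# 1-based column numbers from the procedure above, converted to list indexes.
PASSWORD_LAST_USED = 5 - 1
ACCESS_KEYS = (
    # (label, "active" column, last-used date column); region and service follow the date
    ("access_key_1", 9 - 1, 11 - 1),
    ("access_key_2", 14 - 1, 16 - 1),
)


def find_unused_credentials(report_csv, now, max_age_days=90):
    """Return (user, credential, reason) tuples for passwords and active access
    keys that were never used or not used within max_age_days before `now`."""
    cutoff = now - timedelta(days=max_age_days)
    findings = []
    for row in csv.reader(io.StringIO(report_csv)):
        if not row or row[0] == "user":
            continue  # header row
        user = row[0]

        pw_last_used = row[PASSWORD_LAST_USED]
        if pw_last_used == "no_information":
            findings.append((user, "password", "never used since tracking began"))
        elif pw_last_used != "N/A":  # N/A means no console password, so nothing to revoke
            last = datetime.fromisoformat(pw_last_used)
            if last < cutoff:
                findings.append((user, "password", f"last used {last.date()}"))

        for label, active_col, date_col in ACCESS_KEYS:
            if row[active_col] != "true":
                continue  # no such key, or the key is already inactive
            last_used = row[date_col]
            if last_used == "N/A":
                findings.append((user, label, "active but never used since tracking began"))
            else:
                last = datetime.fromisoformat(last_used)
                if last < cutoff:
                    region, service = row[date_col + 1], row[date_col + 2]
                    findings.append((user, label, f"last used {last.date()} ({service} in {region})"))
    return findings


if __name__ == "__main__":
    for user, credential, reason in find_unused_credentials(SAMPLE_REPORT, REPORT_DATE):
        print(f"{user:<12} {credential:<13} {reason}")
```

Run against a real download, replace SAMPLE_REPORT with the file contents and REPORT_DATE with the time of the download. A key whose active flag is "true" but whose last used date is N/A is the case worth acting on first: it exists, it works, and nothing legitimate has ever depended on it.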

To find unused access keys from the AWS CLI, Tools for Windows PowerShell and IAM API

You can use the following commands to find unused access keys:

  • AWS CLI:

    • aws iam list-access-keys returns information about the access keys for a user, including the AccessKeyId of each key.

    • aws iam get-access-key-last-used takes an access key ID and returns output that includes the LastUsedDate, the Region in which the access key was last used, and the ServiceName of the last service requested. If the LastUsedDate field is missing, then the access key has not been used since IAM began tracking access key age on April 22, 2015.

  • Tools for Windows PowerShell:

    • Get-IAMAccessKey returns a collection of access key objects associated with the specified user. Each object has an AccessKeyId property.

    • Get-IAMAccessKeyLastUsed takes an access key ID and returns an object with an AccessKeyLastUsed property. The properties of that object include the LastUsedDate, the Region in which the access key was last used, and the ServiceName of the last service requested. If the LastUsedDate value is 1/1/0001 12:00:00 AM, then the access key has not been used since IAM began tracking access key age on April 22, 2015.

  • IAM API:

    • ListAccessKeys returns a list of AccessKeyId values for access keys that are associated with the specified user.

    • GetAccessKeyLastUsed takes an access key ID and returns a collection of values. Included are the LastUsedDate, the Region in which the access key was last used, and the ServiceName of the last service requested. If the LastUsedDate value is missing, then the access key has not been used since IAM began tracking access key age on April 22, 2015.

    For information about the commands to download the credentials report, see Getting Credential Reports (AWS CLI, Tools for Windows PowerShell, or IAM API).
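The CLI and API lists above (for passwords and for access keys) describe the same two rules: a missing PasswordLastUsed or LastUsedDate means the credential has not been used since tracking began, and anything older than your chosen threshold is a candidate for removal. The following is an added example, not code from the AWS documentation, that applies those rules to command output. The three sample documents are constructed inline in the shape the AWS CLI prints for list-users, list-access-keys and get-access-key-last-used, trimmed to the fields used here, with fictitious users, a fictitious account number and the AWS documentation's example access key IDs; the cli_json helper that would fetch real output is included but not called by the offline demonstration.

```python
import json
import subprocess
from datetime import datetime, timedelta, timezone

# Constructed sample documents shaped like the JSON the AWS CLI prints, trimmed
# to the fields used here (fictitious users in fictitious account 123456789012,
# access key IDs taken from the AWS documentation's examples).

# `aws iam list-users`: alice and bob have used their passwords; carol's password
# has never been used since tracking began, so PasswordLastUsed is absent;
# svc-deploy has no console password at all, so it is absent there as well.
LIST_USERS_OUTPUT = {
    "Users": [
        {"UserName": "alice", "Arn": "arn:aws:iam::123456789012:user/alice",
         "CreateDate": "2015-06-01T00:00:00+00:00", "PasswordLastUsed": "2016-03-10T08:30:00+00:00"},
        {"UserName": "bob", "Arn": "arn:aws:iam::123456789012:user/bob",
         "CreateDate": "2015-06-01T00:00:00+00:00", "PasswordLastUsed": "2015-07-01T08:30:00+00:00"},
        {"UserName": "carol", "Arn": "arn:aws:iam::123456789012:user/carol",
         "CreateDate": "2015-10-01T00:00:00+00:00"},
        {"UserName": "svc-deploy", "Arn": "arn:aws:iam::123456789012:user/svc-deploy",
         "CreateDate": "2015-10-01T00:00:00+00:00"},
    ]
}

# `aws iam list-access-keys --user-name bob`
LIST_ACCESS_KEYS_OUTPUT = {
    "AccessKeyMetadata": [
        {"UserName": "bob", "AccessKeyId": "AKIAIOSFODNN7EXAMPLE", "Status": "Active",
         "CreateDate": "2015-06-01T00:00:00+00:00"},
        {"UserName": "bob", "AccessKeyId": "AKIAI44QH8DHBEXAMPLE", "Status": "Active",
         "CreateDate": "2015-09-01T00:00:00+00:00"},
    ]
}

# `aws iam get-access-key-last-used --access-key-id <id>`, one document per key.
# A key that has never been used has no LastUsedDate, and its ServiceName and
# Region are reported as "N/A".
GET_ACCESS_KEY_LAST_USED_OUTPUTS = {
    "AKIAIOSFODNN7EXAMPLE": {"UserName": "bob", "AccessKeyLastUsed": {
        "LastUsedDate": "2015-08-01T12:00:00+00:00", "ServiceName": "ec2", "Region": "eu-west-1"}},
    "AKIAI44QH8DHBEXAMPLE": {"UserName": "bob", "AccessKeyLastUsed": {
        "ServiceName": "N/A", "Region": "N/A"}},
}

NOW = datetime(2016, 3, 15, tzinfo=timezone.utc)  # constructed reference time


def cli_json(*args):
    """Run an `aws iam` subcommand and parse its JSON output. For real runs only;
    the offline demonstration below uses the constructed documents instead."""
    proc = subprocess.run(["aws", "iam", *args, "--output", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def _parse_timestamp(value):
    # CLI v2 prints "+00:00"; older versions print a trailing "Z", which fromisoformat rejects.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def unused_passwords(list_users_output, now, max_age_days=90):
    """(user, reason) for each user whose PasswordLastUsed is missing or older than the threshold.
    ListUsers alone cannot tell "no password" from "never used", so both are reported for review."""
    cutoff = now - timedelta(days=max_age_days)
    results = []
    for user in list_users_output["Users"]:
        last = user.get("PasswordLastUsed")
        if last is None:
            results.append((user["UserName"], "no password, or never used since tracking began"))
        elif _parse_timestamp(last) < cutoff:
            results.append((user["UserName"], f"last used {last}"))
    return results


def unused_access_keys(list_access_keys_output, get_last_used, now, max_age_days=90):
    """(user, key id, status, reason) for each key never used or not used within the threshold.
    get_last_used(key_id) must return the GetAccessKeyLastUsed document for that key."""
    cutoff = now - timedelta(days=max_age_days)
    results = []
    for meta in list_access_keys_output["AccessKeyMetadata"]:
        key_id = meta["AccessKeyId"]
        info = get_last_used(key_id)["AccessKeyLastUsed"]
        last = info.get("LastUsedDate")
        if last is None:
            results.append((meta["UserName"], key_id, meta["Status"], "never used since tracking began"))
        elif _parse_timestamp(last) < cutoff:
            results.append((meta["UserName"], key_id, meta["Status"],
                            f"last used {last} ({info['ServiceName']} in {info['Region']})"))
    return results


if __name__ == "__main__":
    for entry in unused_passwords(LIST_USERS_OUTPUT, NOW):
        print("password  ", *entry)
    for entry in unused_access_keys(LIST_ACCESS_KEYS_OUTPUT, GET_ACCESS_KEY_LAST_USED_OUTPUTS.get, NOW):
        print("access key", *entry)
```

Against a real account, pass cli_json("list-users") to unused_passwords, and for each user pass cli_json("list-access-keys", "--user-name", name) together with lambda k: cli_json("get-access-key-last-used", "--access-key-id", k) to unused_access_keys. To separate "no password" from "password never used" for the users in the first list, aws iam get-login-profile --user-name <name> fails with NoSuchEntity for a user who has no console password.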