Generate credential reports for your AWS account
You can generate and download a credential report that lists all users
in your account and the status of their various credentials, including passwords, access keys,
and MFA devices. You can get a credential report from the AWS Management Console, the AWS SDKs
You can use credential reports to assist in your auditing and compliance efforts. You can use the report to audit the effects of credential lifecycle requirements, such as password and access key updates. You can provide the report to an external auditor, or grant permissions to an auditor so that he or she can download the report directly.
You can generate a credential report as often as once every four hours. When you request a report, IAM first checks whether a report for the AWS account has been generated within the past four hours. If so, the most recent report is downloaded. If the most recent report for the account is older than four hours, or if there are no previous reports for the account, IAM generates and downloads a new report.
Topics
Required permissions
The following permissions are needed to create and download reports:
-
To create a credential report:
iam:GenerateCredentialReport
-
To download the report:
iam:GetCredentialReport
Understanding the report format
Credential reports are formatted as comma-separated values (CSV) files. You can open CSV files with common spreadsheet software to perform analysis, or you can build an application that consumes the CSV files programmatically and performs custom analysis.
The CSV file contains the following columns:
- user
-
The friendly name of the user.
- arn
-
The Amazon Resource Name (ARN) of the user. For more information about ARNs, see IAM ARNs.
- user_creation_time
-
The date and time when the user was created, in ISO 8601 date-time format
. - password_enabled
-
When the user has a password, this value is
TRUE
. Otherwise it isFALSE
. - password_last_used
-
The date and time when the AWS account root user or user's password was last used to sign in to an AWS website, in ISO 8601 date-time format
. AWS websites that capture a user's last sign-in time are the AWS Management Console, the AWS Discussion Forums, and the AWS Marketplace. When a password is used more than once in a 5-minute span, only the first use is recorded in this field. -
The value in this field is
no_information
in these cases:-
The user's password has never been used.
-
There is no sign-in data associated with the password, such as when user's password has not been used after IAM started tracking this information on October 20, 2014.
-
-
The value in this field is
N/A
(not applicable) when the user does not have a password.
-
Important
Due to a service issue, password last used data does not include password use from May 3rd 2018 22:50 PDT to May 23rd 2018 14:08 PDT. This affects last sign-in dates shown in the IAM console and password last used dates in the IAM credential report, and returned by the GetUser API operation. If users signed in during the affected time, the password last used date that is returned is the date the user last signed in before May 3rd 2018. For users that signed in after May 23rd 2018 14:08 PDT, the returned password last used date is accurate.
If you use password last used information to identify unused credentials for deletion, such as deleting users who did not sign in to AWS in the last 90 days, we recommend that you adjust your evaluation window to include dates after May 23rd 2018. Alternatively, if your users use access keys to access AWS programmatically you can refer to access key last used information because it is accurate for all dates.
- password_last_changed
-
The date and time when the user's password was last set, in ISO 8601 date-time format
. If the user does not have a password, the value in this field is N/A
(not applicable). - password_next_rotation
-
When the account has a password policy that requires password rotation, this field contains the date and time, in ISO 8601 date-time format
, when the user is required to set a new password. The value for the AWS account (root) is always not_supported
. - mfa_active
-
When a multi-factor authentication (MFA) device has been enabled for the user, this value is
TRUE
. Otherwise it isFALSE
. - access_key_1_active
-
When the user has an access key and the access key's status is
Active
, this value isTRUE
. Otherwise it isFALSE
. Applies to both account root user and IAM users. - access_key_1_last_rotated
-
The date and time, in ISO 8601 date-time format
, when the user's access key was created or last changed. If the user does not have an active access key, the value in this field is N/A
(not applicable). Applies to both account root user and IAM users. - access_key_1_last_used_date
-
The date and time, in ISO 8601 date-time format
, when the user's access key was most recently used to sign an AWS API request. When an access key is used more than once in a 15-minute span, only the first use is recorded in this field. Applies to both account root user and IAM users. The value in this field is
N/A
(not applicable) in these cases:-
The user does not have an access key.
-
The access key has never been used.
-
The access key has not been used after IAM started tracking this information on April 22, 2015.
-
- access_key_1_last_used_region
-
The AWS Region in which the access key was most recently used. When an access key is used more than once in a 15-minute span, only the first use is recorded in this field. Applies to both account root user and IAM users.
The value in this field is
N/A
(not applicable) in these cases:-
The user does not have an access key.
-
The access key has never been used.
-
The access key was last used before IAM started tracking this information on April 22, 2015.
-
The last used service is not Region-specific, such as Amazon S3.
-
- access_key_1_last_used_service
-
The AWS service that was most recently accessed with the access key. The value in this field uses the service's namespace—for example,
s3
for Amazon S3 andec2
for Amazon EC2. When an access key is used more than once in a 15-minute span, only the first use is recorded in this field. Applies to both account root user and IAM users.The value in this field is
N/A
(not applicable) in these cases:-
The user does not have an access key.
-
The access key has never been used.
-
The access key was last used before IAM started tracking this information on April 22, 2015.
-
- access_key_2_active
-
When the user has a second access key and the second key's status is
Active
, this value isTRUE
. Otherwise it isFALSE
. Applies to both account root user and IAM users.Note
Users can have up to two access keys, to make rotation easier by updating the key first and then deleting the previous key. For more information about updating access keys, see Update access keys.
- access_key_2_last_rotated
-
The date and time, in ISO 8601 date-time format
, when the user's second access key was created or last updated. If the user does not have a second active access key, the value in this field is N/A
(not applicable). Applies to both account root user and IAM users. - access_key_2_last_used_date
-
The date and time, in ISO 8601 date-time format
, when the user's second access key was most recently used to sign an AWS API request. When an access key is used more than once in a 15-minute span, only the first use is recorded in this field. Applies to both account root user and IAM users. The value in this field is
N/A
(not applicable) in these cases:-
The user does not have a second access key.
-
The user's second access key has never been used.
-
The user's second access key was last used before IAM started tracking this information on April 22, 2015.
-
- access_key_2_last_used_region
-
The AWS Region in which the user's second access key was most recently used. When an access key is used more than once in a 15-minute span, only the first use is recorded in this field. Applies to both account root user and IAM users. The value in this field is
N/A
(not applicable) in these cases:-
The user does not have a second access key.
-
The user's second access key has never been used.
-
The user's second access key was last used before IAM started tracking this information on April 22, 2015.
-
The last used service is not Region-specific, such as Amazon S3.
-
- access_key_2_last_used_service
-
The AWS service that was most recently accessed with the user's second access key. The value in this field uses the service's namespace—for example,
s3
for Amazon S3 andec2
for Amazon EC2. When an access key is used more than once in a 15-minute span, only the first use is recorded in this field. Applies to both account root user and IAM users. The value in this field isN/A
(not applicable) in these cases:-
The user does not have a second access key.
-
The user's second access key has never been used.
-
The user's second access key was last used before IAM started tracking this information on April 22, 2015.
-
- cert_1_active
-
When the user has an X.509 signing certificate and that certificate's status is
Active
, this value isTRUE
. Otherwise it isFALSE
. - cert_1_last_rotated
-
The date and time, in ISO 8601 date-time format
, when the user's signing certificate was created or last changed. If the user does not have an active signing certificate, the value in this field is N/A
(not applicable). - cert_2_active
-
When the user has a second X.509 signing certificate and that certificate's status is
Active
, this value isTRUE
. Otherwise it isFALSE
.Note
Users can have up to two X.509 signing certificates, to make certificate rotation easier.
- cert_2_last_rotated
-
The date and time, in ISO 8601 date-time format
, when the user's second signing certificate was created or last changed. If the user does not have a second active signing certificate, the value in this field is N/A
(not applicable).
Getting credential reports (console)
You can use the AWS Management Console to download a credential report as a comma-separated values (CSV) file.
To download a credential report (console)
Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/
. -
In the navigation pane, choose Credential report.
-
Choose Download Report.
Getting credential reports (AWS CLI)
To download a credentials report (AWS CLI)
-
Generate a credentials report. AWS stores a single report. If a report exists, generating a credentials report overwrites the previous report.
aws iam generate-credential-report
-
View the last report that was generated:
aws iam get-credential-report
Getting credential reports (AWS API)
To download a credentials report (AWS API)
-
Generate a credentials report. AWS stores a single report. If a report exists, generating a credentials report overwrites the previous report.
GenerateCredentialReport
-
View the last report that was generated:
GetCredentialReport