Skip to content
This AWS Lambda uses Boto3 to pull information on AWS IAM Access Keys
Branch: master
Clone or download
Latest commit 3139ef2 Jul 3, 2019
Type Name Latest commit message Commit time
Failed to load latest commit information.
LICENSE Add license Jun 22, 2019 Corrected typos Jul 3, 2019
cf_access_key_lambda.yaml Fixed error with CF template Jun 26, 2019 Modified query_access_key Jul 3, 2019

AWS Access Key Report

This Lambda queries an AWS account for a listing of all AWS IAM User access keys, their ages, and information on their last usage.

What problem does this solve?

AWS IAM User access keys and secret keys are used to provide 3rd party access to AWS resources when AWS IAM Roles are not an option. Managing the lifecycle of the keys can difficult and often leads to stale keys which are never rotated or disabled which creates a security risk. While Credential Reports provides some of this information, it is user centric verus key centric. It also does not provide the key IDs which creates more work to determine which key needs to be rotated.

The script queries the AWS IAM API to pull a listing of AWS IAM Users from an account, queries for a listing of the access keys each account has provisioned, and then pulls metadata about each key including the creation date, the last date the key was used, and more. The data is outputed to a variable in CSV format and written to an S3 bucket.


Python Runtime and Modules

AWS Permissions Requirement

  • IAM:ListUsers
  • IAM:ListAccessKeys
  • IAM:GetAccessKeyLastUsed
  • S3:PutObject (only required for user specific S3 prefix)


The can be pushed using the provided CloudFormation template. The code must be placed into a ZIP file and placed on an S3 bucket the user creating the CloudFormation stack.

You can’t perform that action at this time.