It is a best practice in AWS to deactivate Access Keys that haven't been used in 90 days. In theory this doesn't happen all that often, and when it does it is a quick cleanup, but it also lends itself to some automation.

I looked for a decent script that did this for me, but couldn't find one.  So I threw one together.

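#!/bin/bash

# Cutoff date (UTC, YYYY-MM-DD). Try the BSD/macOS date syntax first, then fall back to GNU date.
ninety_days_ago=$(date -u -j -v-90d +%Y-%m-%d 2>/dev/null || date -u -d '90 days ago' +%Y-%m-%d)

# Users created more than 90 days ago. ISO 8601 timestamps compare correctly as plain strings.
# --output json makes sure jq gets JSON even if the CLI default output is text or table.
users_list=$(aws iam list-users --output json | jq -r --arg ninety_days_ago "$ninety_days_ago" '.Users[] | select(.CreateDate < $ninety_days_ago) | .UserName')

for user in $users_list
do
	# Active keys that were themselves created more than 90 days ago.
	access_keys=$(aws iam list-access-keys --user-name "$user" --output json | jq -r --arg ninety_days_ago "$ninety_days_ago" '.AccessKeyMetadata[] | select(.CreateDate < $ninety_days_ago) | select(.Status == "Active") | .AccessKeyId')
	for access_key_id in $access_keys
	do
		# Non-empty only if the key was last used before the cutoff. A key that has
		# never been used has no LastUsedDate; jq sorts null before any string, so
		# such a key is selected as well.
		access_key_last_used=$(aws iam get-access-key-last-used --access-key-id "$access_key_id" --output json | jq -r --arg ninety_days_ago "$ninety_days_ago" '.AccessKeyLastUsed | select(.LastUsedDate < $ninety_days_ago) | .LastUsedDate')

		if [ -n "$access_key_last_used" ]; then
			aws iam update-access-key --user-name "$user" --access-key-id "$access_key_id" --status Inactive
			echo "Deactivated $access_key_id for $user"
		fi
	done
done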

It requires that you have jq and dateutils installed (as well as the AWS CLI with sufficient permissions), but other than that it should be rip and run.