Automating Deactivation of Inactive AWS Access Keys
It is an AWS best practice to deactivate access keys that haven't been used in 90 days. In theory this doesn't come up often, and when it does it is a quick cleanup, but it is also the kind of task that lends itself to automation.
I looked for a decent script that did this for me, but couldn't find one. So I threw one together.
```bash
#!/bin/bash
# Deactivate active IAM access keys that are older than 90 days and were last
# used more than 90 days ago (or never used at all).
# Requires the AWS CLI and jq. The -j -v-90d flags are BSD/macOS date; the
# fallback after || uses the GNU date syntax so the script also runs on Linux.
ninety_days_ago=$(date -j -v-90d +%Y-%m-%d 2>/dev/null || date -d '90 days ago' +%Y-%m-%d)

# Only users created before the cutoff can own a key that old.
users_list=$(aws iam list-users | jq -r --arg ninety_days_ago "$ninety_days_ago" \
  '.Users[] | select(.CreateDate < $ninety_days_ago) | .UserName')

for user in $users_list
do
  # Active keys created before the cutoff; anything newer cannot be stale yet.
  access_keys=$(aws iam list-access-keys --user-name "$user" | jq -r --arg ninety_days_ago "$ninety_days_ago" \
    '.AccessKeyMetadata[] | select(.CreateDate < $ninety_days_ago) | select(.Status == "Active") | .AccessKeyId')

  for access_key_id in $access_keys
  do
    # Prints the last-used date if it is before the cutoff. A never-used key has
    # no LastUsedDate, so jq prints "null": that is non-empty and the key is
    # deactivated as well, which is the intended outcome.
    access_key_last_used=$(aws iam get-access-key-last-used --access-key-id "$access_key_id" | jq -r --arg ninety_days_ago "$ninety_days_ago" \
      '.AccessKeyLastUsed | select(.LastUsedDate < $ninety_days_ago) | .LastUsedDate')

    if [ -n "$access_key_last_used" ]; then
      aws iam update-access-key --user-name "$user" --access-key-id "$access_key_id" --status Inactive
      echo "Deactivated key $access_key_id for $user (last used: $access_key_last_used)"
    fi
  done
done
```
It requires that you have jq and dateutils installed (as well as the AWS CLI with sufficient permissions), but other than that it should be rip and run.
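The same decision logic, written as an added example rather than the post's script, in Python with the date comparison done on parsed timestamps instead of strings and with the never-used case handled explicitly. It runs on the JSON shapes that `aws iam list-access-keys` and `aws iam get-access-key-last-used` return; the sample data below is constructed, the key IDs are placeholders, and the `apply` callback is an assumption so the planner can be run as a dry run (the default) or wired to boto3's `update_access_key` in production.

```python
"""Plan and optionally apply deactivation of stale IAM access keys.

Added example, not the original post's script. Input dicts mirror the output of
`aws iam list-access-keys` and `aws iam get-access-key-last-used`; all sample
values are constructed and the key IDs are placeholders.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample: `aws iam list-access-keys --user-name alice`
SAMPLE_KEYS = {
    "AccessKeyMetadata": [
        {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLE000000001",
         "Status": "Active", "CreateDate": "2023-01-15T09:30:00+00:00"},
        {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLE000000002",
         "Status": "Active", "CreateDate": "2024-05-01T12:00:00+00:00"},
        {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLE000000003",
         "Status": "Inactive", "CreateDate": "2022-01-01T00:00:00+00:00"},
        {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLE000000004",
         "Status": "Active", "CreateDate": "2023-06-01T00:00:00+00:00"},
    ]
}

# Constructed sample: `aws iam get-access-key-last-used`, keyed by AccessKeyId.
# Key ...004 has never been used, so AWS omits LastUsedDate entirely.
SAMPLE_LAST_USED = {
    "AKIAEXAMPLE000000001": {"AccessKeyLastUsed": {
        "LastUsedDate": "2024-01-10T08:00:00+00:00", "ServiceName": "s3", "Region": "us-east-1"}},
    "AKIAEXAMPLE000000002": {"AccessKeyLastUsed": {
        "LastUsedDate": "2024-06-20T08:00:00+00:00", "ServiceName": "ec2", "Region": "us-east-1"}},
    "AKIAEXAMPLE000000004": {"AccessKeyLastUsed": {"ServiceName": "N/A", "Region": "N/A"}},
}


def parse_aws_time(value: str) -> datetime:
    """AWS emits ISO 8601; accept both '+00:00' and a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def stale_keys(keys_response, last_used_lookup, now, max_age_days=90):
    """Return [(AccessKeyId, reason)] for Active keys with no use inside max_age_days.

    last_used_lookup(key_id) must return a dict shaped like the
    get-access-key-last-used response (in production: the CLI or boto3 call).
    """
    cutoff = now - timedelta(days=max_age_days)
    stale = []
    for md in keys_response["AccessKeyMetadata"]:
        if md["Status"] != "Active":
            continue  # already inactive; nothing to do
        if parse_aws_time(md["CreateDate"]) >= cutoff:
            continue  # created inside the window, cannot be stale yet
        info = last_used_lookup(md["AccessKeyId"]).get("AccessKeyLastUsed", {})
        last = info.get("LastUsedDate")  # absent or null when never used
        if last is None:
            stale.append((md["AccessKeyId"], "never used"))
        elif parse_aws_time(last) < cutoff:
            stale.append((md["AccessKeyId"], f"last used {last}"))
    return stale


def deactivate_stale(user, keys_response, last_used_lookup, now, apply=None):
    """Dry run by default; pass apply=lambda u, k: iam.update_access_key(
    UserName=u, AccessKeyId=k, Status="Inactive") to act (boto3; assumed wiring).
    Returns the list of key IDs that were (or would be) deactivated."""
    done = []
    for key_id, reason in stale_keys(keys_response, last_used_lookup, now):
        if apply is not None:
            apply(user, key_id)
        print(f"{'Deactivated' if apply else 'Would deactivate'} {key_id} for {user}: {reason}")
        done.append(key_id)
    return done


if __name__ == "__main__":
    now = datetime(2024, 7, 1, tzinfo=timezone.utc)  # fixed clock for the sample
    deactivate_stale("alice", SAMPLE_KEYS, SAMPLE_LAST_USED.__getitem__, now)
```

Against the sample data with the clock fixed at 2024-07-01, keys `...001` (last used in January) and `...004` (never used) are flagged, `...002` is too recent, and `...003` is already inactive. The callback keeps the planner testable offline and makes the dry run the default, so a first run only reports what it would do.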