Skip to main content

How to Find AWS IAM Access Keys Not Rotated Within 90 Days

Access keys consist of an access key ID and secret access key which are used to sign programmatic requests that you make to AWS.

AWS users need their own access keys to make programmatic calls to AWS from:

  • the AWS Command Line Interface (AWS CLI),
  • Tools for Windows PowerShell,
  • the AWS SDKs,
  • or direct HTTP calls using the APIs for individual AWS services.

It is recommended that all access keys be regularly rotated.


This security check is part of the CIS Amazon Web Services Benchmarks and is rated severity medium.


This guide assumes that you have already installed and configured Fix Inventory to collect your AWS resources.


  1. Execute the following search command in Fix Inventory Shell:

    > search is(aws_iam_access_key) and access_key_last_used.last_rotated<-90d
    ​kind=aws_iam_access_key, ..., region=fixinventory-poweruser
    ​kind=aws_iam_access_key, ..., account=poweruser-team
  2. Pipe the search command into the dump command:

    > search is(aws_iam_access_key) and access_key_last_used.last_rotated<-90d | dump
    ​ id: /aws/iam/123
    ​ name: some-name
    ​ ctime: '2022-12-05T22:53:14Z'
    ​ kind: aws_iam_access_key
    ​ age: 2mo28d

    The command output will list the details of all non-compliant aws_iam_access_key resources.


  • Remove all listed access keys.

Please refer to the AWS IAM documentation for details.

Further Reading