Unless there is a requirement for programmatic access, the access keys should not be created for an IAM user as these additional set of credentials increase the attack surface of the AWS account. If there are active access keys created for IAM users in the AWS account that are not being actively used or are not required at all, then those keys should be either deactivated or removed completely.
When not sure whether an access key is being used somewhere or not, deleting it right away can cause accessibility issues. In such case it is better to deactivate the key first and once you are sure that there is no dependency, the key can be deleted.
In this article we will take a look at how to deactivate the Access key for an IAM user using AWS CLI.
Following are the steps to deactivate the Access key for an IAM user using AWS CLI:
To list the IAM users, run the following command
aws iam list-users
For a selected user from the list, check their list of Access keys by running the following command. It provides a list of Access keys for a user along with key status
aws iam list-access-keys --user-name <IAM_username>
If the Access key is not required, deactivate it by running the following command
aws iam update-access-key --access-key-id <Access_Key_ID> --status Inactive --user-name <IAM_username>
To check if the key has been successfully deactivated, run command in step 2 again as following
aws iam list-access-keys --user-name <IAM_username>