An IAM user can have an Access Key and a Secret Key that can then be used to perform actions using the AWS CLI or programmatically. Each user is allowed to generate 2 sets of Access keys.
IAM user access keys that are not being used should be removed. Having numerous unused access keys extends the attack surface. These keys provide the same level of access as the user’s credentials, therefore, based on the permissions the user has been assigned, a key theft or leakage incident may result in a platform wide compromise.
In this article, we will provide a step by step walkthrough of how to remove the Access key for an IAM user using AWS CLI.
Note: Before removing an Access key make sure it is not being used anywhere currently so that you can ensure that no application or access is broken due to key deletion.
Following are the steps to remove the Access key for an IAM user using AWS CLI:
To list the IAM users, run the following command
aws iam list-users
For a selected user from the list, check their list of Access keys by running the following command. It provides a list of Access keys for a user along with key status. Note down the Access key ID of the key that you want to remove
aws iam list-access-keys --user-name <IAM_username>
(Optional) If you are not sure whether the Access key is being used anywhere or not, you can deactivate the key initially and delete it once you are sure that it is not in use. To deactivate the Access key, run following command
aws iam update-access-key --access-key-id <Access_Key_ID> --status Inactive --user-name <IAM_username>
Once you are sure that the Access key is not required, run following command to remove the Access key
aws iam delete-access-key --access-key-id <Access_Key_ID> --user-name <IAM_username>