How to remove the Access key of a user using AWS CLI

Pragti Chauhan


IAM user access keys that are not being used should be removed. This article provides a step-by-step walkthrough of how to remove the access key of an IAM user using the AWS CLI.

Introduction

An IAM user can have an access key ID and a secret access key, which together can be used to perform actions through the AWS CLI or programmatically. Each user is allowed to have at most 2 access keys at a time.

IAM user access keys that are not being used should be removed. Every unused access key enlarges the attack surface. An access key grants exactly the same level of access as the user's credentials, so, depending on the permissions assigned to that user, a key theft or leakage incident may result in a platform-wide compromise.

In this article, we provide a step-by-step walkthrough of how to remove the access key of an IAM user using the AWS CLI.

Note: Before removing an access key, make sure it is not currently in use anywhere, so that no application or access path breaks when the key is deleted.

Remove the Access key for an IAM user via AWS CLI

Following are the steps to remove the access key of an IAM user using the AWS CLI:

  1. To list the IAM users, run the following command:

    aws iam list-users

    [Screenshot: List IAM Users]

  2. For the selected user from the list, check their access keys by running the following command. It lists the user's access keys along with the status of each key. Note down the access key ID of the key that you want to remove:

    aws iam list-access-keys --user-name <IAM_username>

    [Screenshot: List Access Keys]

  3. (Optional) If you are not sure whether the access key is still in use anywhere, deactivate the key first and delete it once you are sure it is not needed. Deactivation is reversible; deletion is not. To deactivate the access key, run the following command:

    aws iam update-access-key --access-key-id <Access_Key_ID> --status Inactive --user-name <IAM_username>

    [Screenshot: Deactivate Access Key]

  4. Once you are sure that the access key is no longer required, run the following command to remove it:

    aws iam delete-access-key --access-key-id <Access_Key_ID> --user-name <IAM_username>

    [Screenshot: Delete Access Key]
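As an added example (not code from the original article), here are the steps above combined into one POSIX shell script. It also acts on the "make sure it is not being used" note by asking IAM when the key last authenticated a request (`aws iam get-access-key-last-used`) and refusing to touch a key used within the last N days; a key that has never been used is retired. The script name, the 90-day threshold, the helper function names and the sample listing lines used in the comments are assumptions of this example, not anything the article prescribes.

```shell
#!/bin/sh
# Added example, not code from the original article: retire one IAM access
# key with the checks a reviewer would expect before step 4 (delete).
#   1. confirm the key actually belongs to the named user (list-access-keys)
#   2. refuse if the key was used within the last CUTOFF_DAYS days
#      (get-access-key-last-used); a never-used key may be retired
#   3. deactivate it (step 3 of the article, reversible)
#   4. delete it only when --delete is given (step 4 of the article)
# Usage: sh retire-access-key.sh <IAM_username> <Access_Key_ID> [--delete]
# The script name, CUTOFF_DAYS and the helper names are assumptions.
set -eu

# Assumed policy threshold; override with CUTOFF_DAYS=30 sh retire-access-key.sh ...
CUTOFF_DAYS="${CUTOFF_DAYS:-90}"

# Read "aws iam list-access-keys ... --output text" lines on stdin, one per
# key in the form "<AccessKeyId><TAB><Status>" (constructed sample:
# "AKIACONSTRUCTED001<TAB>Active"), and print the status of key $1.
# Fails when the key is not in the listing, i.e. it does not belong to this
# user (a typo, or somebody else's key).
key_status_from_listing() {
  awk -v k="$1" '$1 == k { print $2; found = 1 } END { exit !found }'
}

# Succeed when the key may be retired: $1 is the LastUsedDate the CLI printed
# (None, N/A or empty when the key was never used) and $2 is the cutoff.
# Both are ISO-8601 UTC timestamps as the CLI prints them, so a plain string
# comparison orders them chronologically.
key_unused_since() {
  last_used="$1"; cutoff="$2"
  case "$last_used" in
    ""|None|N/A) return 0 ;;
  esac
  expr "$last_used" \< "$cutoff" >/dev/null
}

# Timestamp CUTOFF_DAYS ago; GNU date first, BSD/macOS date as the fallback.
cutoff_timestamp() {
  fmt='+%Y-%m-%dT%H:%M:%S+00:00'
  date -u -d "$CUTOFF_DAYS days ago" "$fmt" 2>/dev/null \
    || date -u -v"-${CUTOFF_DAYS}d" "$fmt"
}

retire_key() {
  user="$1"; key="$2"; mode="${3:-deactivate-only}"

  # Step 2 of the article, filtered down to the one key we were asked about.
  status=$(aws iam list-access-keys --user-name "$user" \
             --query 'AccessKeyMetadata[].[AccessKeyId,Status]' --output text \
           | key_status_from_listing "$key") \
    || { echo "error: key $key does not belong to user $user" >&2; return 1; }

  # The "make sure it is not being used" check: when did the key last
  # authenticate a request? IAM updates this with some delay, so a key used
  # minutes ago may not show it yet; deactivate first and watch for breakage.
  last_used=$(aws iam get-access-key-last-used --access-key-id "$key" \
                --query 'AccessKeyLastUsed.LastUsedDate' --output text)
  cutoff=$(cutoff_timestamp)
  if ! key_unused_since "$last_used" "$cutoff"; then
    echo "refusing: key $key was last used $last_used (cutoff $cutoff)" >&2
    return 1
  fi

  # Step 3: deactivate first (reversible) unless it already is inactive.
  if [ "$status" = Active ]; then
    aws iam update-access-key --user-name "$user" --access-key-id "$key" --status Inactive
    echo "deactivated $key for $user"
  fi

  # Step 4: delete only on explicit request; deletion cannot be undone.
  if [ "$mode" = "--delete" ]; then
    aws iam delete-access-key --user-name "$user" --access-key-id "$key"
    echo "deleted $key for $user"
  fi
}

# Run only when invoked with arguments, so the helpers can also be sourced.
if [ "$#" -ge 2 ]; then
  retire_key "$@"
fi
```

Run it once without `--delete` to deactivate the key, wait long enough for any dependent application to surface an error, then run it again with `--delete`. The pure helpers (`key_status_from_listing`, `key_unused_since`) need no AWS credentials, which is what makes the decision logic testable offline.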
