IAM user with old access keys







EXPLOITABILITY Exploitability of a vulnerability measures how easy it is for an attacker to discover and exploit the vulnerability, some might refer to this as likelihood.

IMPACT How impactful to your environment and organization a successful exploitation of this vulnerability is expected to be.




Access keys are the long-lived form of Identity and Access Management (IAM) credentials. Consequently, they are frequently leaked in source code, build logs, and configuration files.

Understanding Impact

Business Impact

IAM users with old, unrecycled access keys are risky as access keys never expire and frequently get leaked.

Technical Impact

Long-lived IAM credentials pose a lower risk when paired with enforced two-factor authentication (2FA). As a matter of good security hygiene, the age of access keys should be audited and acted on continuously.

Identify affected resources

The easiest way to identify IAM users with old access keys is to generate an IAM credential report.

aws iam generate-credential-report

Then, retrieve the credential report. The report is returned as a CSV file, Base64-encoded.

aws iam get-credential-report --query Content --output text | base64 -d

You can identify users with old access keys based on the values in the access_key_1_last_rotated and access_key_2_last_rotated dates.

Remediate vulnerable resources

If the access key is not needed anymore, disable and remove it. You can use the credential report fields access_key_1_last_used_date and access_key_2_last_used_date to assess if an access key has recently been used. If the access key is still needed, you can rotate it.

How Datadog can help


Datadog CSM detects this vulnerability using the following out-of-the-box rules:


How to Rotate Access Keys for IAM Users

aws documentation

Managing access keys for IAM users

aws documentation

Did you find this article helpful?