IAM users should only have one active access key available


Access keys enable an IAM user to sign requests to the AWS CLI or API, and are long-term credentials that enable programmatic actions. To safeguard access, only one access key should ever be available to a given IAM user.

Console Remediation Steps

  • Navigate to IAM.

  • In the left navigation, select Users.

  • Select the IAM user name and select the Security Credentials tab.

  • In Access Keys section, select the access key and click Make Inactive.

CLI Remediation Steps

  • To remove extra access keys:

aws iam update-access-key --access-key-id <access-key-id> --status Inactive --user-name <user-name>
  • To confirm that the selected access key pair is successfully deactivated:

aws iam list-access-keys --user-name <user-name>