What is meant by credentials

Finding unused credentials

To increase the security of your AWS account, remove IAM user credentials (that is, passwords and access keys) that are no longer needed. For example, if users leave your company or no longer need access to AWS, find their credentials and make sure they are no longer valid. Ideally, delete credentials as soon as they are no longer needed; you can always recreate them later if necessary. At the very least, change the password or deactivate the access key so that the former user can no longer use it.

Of course, what "unused" means varies. Typically it means a credential that has not been used within a certain period of time.

Find unused passwords

Use the AWS Management Console to find out how your users are using their passwords. If you have a large number of users, you can use the console to download a credential report that shows, for each user, when the password was last used. You can also access the same data using the AWS CLI or the IAM API.

How to Find Unused Passwords (Console)

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Users.

  3. If necessary, add the Console last sign-in column to the users table:

    1. Above the table on the far right, choose the settings icon.

    2. Under Manage Columns, select Console last sign-in.

    3. Choose Close to return to the list of users.

  4. The Console last sign-in column shows the date when the user last signed in to AWS from the console. You can use this information to find passwords that have not been used within a certain period of time. For users who have a password but have never signed in, the column shows Never. None indicates users without a password. Passwords that have not been used recently can be removed.

    Because of a service issue, passwords used between May 3, 2018 10:50 p.m. PDT and May 23, 2018 2:08 p.m. PDT were not recorded as the last use of the password. This affects the last sign-in dates displayed in the IAM console, the password last-used dates in the IAM credential report, and the dates returned by the GetUser API operation. If a user signed in during this period, the reported password last-used date is the date of that user's last sign-in before May 3, 2018. For users who signed in after May 23, 2018 2:08 p.m. PDT, the correct password last-used date is returned.

    If you use password last-used information to identify unused credentials, for example to delete users who have not signed in to AWS for 90 days, adjust your evaluation window so that it covers only dates after May 23, 2018. Alternatively, if your users access AWS programmatically with access keys, you can rely on the access key last-used date, which is correct for all dates.

How to find unused passwords by downloading the credential report (Console)

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Credential report.

  3. Choose Download Report to download a comma-separated values (CSV) file. The fifth column, password_last_used, contains the date the password was last used, or one of the following values:

    • N/A - user without an assigned password.

    • no_information - user who has not used their password since October 20, 2014, when IAM began tracking password age.

How to Find Unused Passwords (AWS CLI)

Run the following command to find unused passwords:

  • aws iam list-users returns a list of users, each with a PasswordLastUsed value. If the value is missing, the user either has no password or has not used the password since October 20, 2014, when IAM began tracking password age.

How to Find Unused Passwords (AWS API)

Call the following operation to find unused passwords:

  • ListUsers returns a collection of users, each with a PasswordLastUsed value. If the value is missing, the user either has no password or has not used the password since October 20, 2014, when IAM began tracking password age.

For more information about the commands for downloading the credential report, see Obtaining Credential Reports (AWS CLI).

Finding unused access keys

Use the AWS Management Console to find out how your users' access keys are being used. If you have a large number of users, you can use the console to download a credential report that shows, for each user, when the access key was last used. You can also access the same data using the AWS CLI or the IAM API.

How to Find Unused Access Keys (Console)

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Users.

  3. If necessary, add the Access key last used column to the users table:

    1. Above the table on the far right, choose the settings icon.

    2. Under Manage Columns, select Access key last used.

    3. Choose Close to return to the list of users.

  4. The Access key last used column shows the number of days since the user last accessed AWS programmatically. You can use this information to find access keys that have not been used within a certain period of time. For users without an access key, the column shows None. Access keys that have not been used recently can be removed.

How to find unused access keys by downloading the credential report (Console)

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Credential report.

  3. Choose Download Report to download a comma-separated values (CSV) file. Columns 11 through 13 contain the last-used date, Region, and service for access key 1. Columns 16 through 18 contain the same information for access key 2. The value is N/A if the user has no access key or the access key has not been used since April 22, 2015, when IAM began tracking access key age.
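Both report-based procedures (the password columns described earlier and the access key columns in this section) can be evaluated offline against the downloaded CSV. The following Python script is an added example and not code from the IAM documentation. It parses a constructed credential report with the same column layout as the real one, applies a 90-day threshold, treats N/A and no_information as the text describes, and refuses to evaluate passwords when the window would reach back into the May 2018 period for which password last-used dates are unreliable. The users, ARNs and timestamps are invented, and SAMPLE_NOW fixes "today" so the result is deterministic.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed IAM credential report (column layout of the CSV the console and
# `aws iam get-credential-report` return). All users, ARNs and dates are invented.
REPORT_COLUMNS = [
    "user", "arn", "user_creation_time", "password_enabled", "password_last_used",
    "password_last_changed", "password_next_rotation", "mfa_active",
    "access_key_1_active", "access_key_1_last_rotated", "access_key_1_last_used_date",
    "access_key_1_last_used_region", "access_key_1_last_used_service",
    "access_key_2_active", "access_key_2_last_rotated", "access_key_2_last_used_date",
    "access_key_2_last_used_region", "access_key_2_last_used_service",
    "cert_1_active", "cert_1_last_rotated", "cert_2_active", "cert_2_last_rotated",
]
SAMPLE_ROWS = [
    # root: password_enabled is reported as not_supported; no access keys
    "<root_account>,arn:aws:iam::111122223333:root,2014-01-15T10:00:00+00:00,"
    "not_supported,2020-01-10T08:00:00+00:00,not_supported,not_supported,true,"
    "false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A",
    # alice: password and key 1 used recently; key 2 does not exist
    "alice,arn:aws:iam::111122223333:user/alice,2019-03-01T09:00:00+00:00,true,"
    "2020-02-28T07:30:00+00:00,2019-09-01T09:00:00+00:00,N/A,true,true,"
    "2019-03-01T09:00:00+00:00,2020-03-01T12:00:00+00:00,us-east-1,s3,"
    "false,N/A,N/A,N/A,N/A,false,N/A,false,N/A",
    # bob: password never used; key 1 stale; key 2 active but never used
    "bob,arn:aws:iam::111122223333:user/bob,2018-06-01T09:00:00+00:00,true,"
    "no_information,2018-06-01T09:00:00+00:00,N/A,false,true,"
    "2018-06-01T09:00:00+00:00,2019-11-05T12:00:00+00:00,eu-west-1,ec2,"
    "true,2019-06-01T09:00:00+00:00,N/A,N/A,N/A,false,N/A,false,N/A",
    # carol: no console password at all; key 1 stale
    "carol,arn:aws:iam::111122223333:user/carol,2017-06-01T09:00:00+00:00,false,"
    "N/A,N/A,N/A,false,true,2017-06-01T09:00:00+00:00,2018-05-10T12:00:00+00:00,"
    "us-west-2,sts,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A",
]
SAMPLE_REPORT = "\n".join([",".join(REPORT_COLUMNS)] + SAMPLE_ROWS) + "\n"
SAMPLE_NOW = datetime(2020, 3, 2, tzinfo=timezone.utc)  # fixed "today" for the sample

# End of the May 2018 period in which password use was not recorded (2:08 p.m. PDT).
PASSWORD_ISSUE_END = datetime(2018, 5, 23, 21, 8, tzinfo=timezone.utc)
NEVER = "never"


def window_is_reliable(days, now):
    """True if a `days`-day window ending at `now` starts after the 2018 issue period,
    so that a password last-used date before the cutoff really means unused."""
    return now - timedelta(days=days) > PASSWORD_ISSUE_END


def _parse_last_used(cell):
    """N/A -> None (no credential), no_information -> NEVER, otherwise a datetime."""
    if cell == "N/A":
        return None
    if cell == "no_information":
        return NEVER
    return datetime.fromisoformat(cell)


def unused_passwords(report_csv, days, now):
    """(user, last-used) for every enabled console password not used within `days`."""
    if not window_is_reliable(days, now):
        raise ValueError("evaluation window must start after 2018-05-23 14:08 PDT")
    cutoff = now - timedelta(days=days)
    found = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["password_enabled"] != "true":   # "false" = no password, root = not_supported
            continue
        last = _parse_last_used(row["password_last_used"])
        if last is None or last == NEVER:       # never used since IAM began tracking (2014-10-20)
            found.append((row["user"], NEVER))
        elif last < cutoff:
            found.append((row["user"], row["password_last_used"]))
    return found


def unused_access_keys(report_csv, days, now):
    """(user, slot, last-used, region, service) for every active key not used within `days`.
    Access key last-used dates are correct for all dates, so no window check is needed."""
    cutoff = now - timedelta(days=days)
    found = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in (1, 2):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            raw = row[f"access_key_{slot}_last_used_date"]
            region = row[f"access_key_{slot}_last_used_region"]
            service = row[f"access_key_{slot}_last_used_service"]
            last = _parse_last_used(raw)
            if last is None:                    # N/A on an active key: never used since 2015-04-22
                found.append((row["user"], slot, NEVER, region, service))
            elif last != NEVER and last < cutoff:
                found.append((row["user"], slot, raw, region, service))
    return found


if __name__ == "__main__":
    for user, last in unused_passwords(SAMPLE_REPORT, 90, SAMPLE_NOW):
        print(f"password  {user:<8} last used: {last}")
    for user, slot, last, region, service in unused_access_keys(SAMPLE_REPORT, 90, SAMPLE_NOW):
        print(f"key {slot}     {user:<8} last used: {last} ({region}, {service})")
```

To run this against a real account, replace SAMPLE_REPORT with the decoded content of the downloaded report and SAMPLE_NOW with the current time. Note that a stale key is deactivated first and deleted later, whereas the report only tells you that it is a candidate.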

How to Identify Unused Access Keys (AWS CLI)

Run the following commands to find unused access keys:

  • aws iam list-access-keys returns information about a user's access keys, including the AccessKeyId.

  • aws iam get-access-key-last-used takes an access key ID and returns output that includes the LastUsedDate, the Region in which the access key was last used, and the ServiceName of the last service requested. If LastUsedDate is missing, the access key has not been used since April 22, 2015, when IAM began tracking access key age.

How to Identify Unused Access Keys (AWS API)

Call the following operations to find unused access keys:

  • ListAccessKeys returns a list of AccessKeyId values for the access keys associated with the specified user.

  • GetAccessKeyLastUsed takes an access key ID and returns a collection of values, including the LastUsedDate, the Region in which the access key was last used, and the ServiceName of the last service requested. If LastUsedDate is missing, the access key has not been used since April 22, 2015, when IAM began tracking access key age.

For more information about the commands for downloading the credential report, see Obtaining Credential Reports (AWS CLI).
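The CLI and API procedures above chain three calls: list the users, list each user's access keys, and look up each key's last use. The Python below is an added example, not the IAM documentation's own code. It runs that chain against a stand-in object exposing the same method names and response shapes as boto3's IAM client (list_users, list_access_keys, get_access_key_last_used), so it runs offline; passing a real `boto3.client("iam")` in its place runs it against an account. The fixture users, key IDs (AKIA...EXAMPLE placeholders) and dates are invented, and a real client needs pagination for accounts with many users or keys.

```python
from datetime import datetime, timedelta, timezone

SAMPLE_NOW = datetime(2020, 3, 2, tzinfo=timezone.utc)  # fixed "today" for the fixture


class FakeIamClient:
    """Stand-in for boto3.client("iam") that answers the three calls used below
    with constructed responses in the shape the real API returns. Users, key IDs
    and dates are invented for this example."""

    def __init__(self, now):
        # user -> [(AccessKeyId, Status, last used or None, Region, ServiceName)]
        self._keys = {
            "alice": [("AKIA000000001EXAMPLE", "Active", now - timedelta(days=2), "us-east-1", "s3")],
            "bob": [
                ("AKIA000000002EXAMPLE", "Active", now - timedelta(days=400), "eu-west-1", "ec2"),
                ("AKIA000000003EXAMPLE", "Active", None, "N/A", "N/A"),      # never used
                ("AKIA000000004EXAMPLE", "Inactive", now - timedelta(days=10), "us-east-1", "sts"),
            ],
        }

    def list_users(self):
        return {"Users": [{"UserName": u} for u in self._keys]}

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [
            {"UserName": UserName, "AccessKeyId": kid, "Status": status}
            for kid, status, _, _, _ in self._keys.get(UserName, [])
        ]}

    def get_access_key_last_used(self, AccessKeyId):
        for user, keys in self._keys.items():
            for kid, _, last, region, service in keys:
                if kid == AccessKeyId:
                    info = {"Region": region, "ServiceName": service}
                    if last is not None:          # LastUsedDate is absent for a never-used key
                        info["LastUsedDate"] = last
                    return {"UserName": user, "AccessKeyLastUsed": info}
        raise KeyError(AccessKeyId)


def find_unused_access_keys(iam, days, now):
    """ListUsers -> ListAccessKeys -> GetAccessKeyLastUsed for every active key.
    Returns (user, key id, last used or None, region, service) for keys not used
    within `days`. With a real client, use iam.get_paginator(...) for the list calls."""
    cutoff = now - timedelta(days=days)
    stale = []
    for user in iam.list_users()["Users"]:
        name = user["UserName"]
        for meta in iam.list_access_keys(UserName=name)["AccessKeyMetadata"]:
            if meta["Status"] != "Active":        # already deactivated: nothing to do
                continue
            info = iam.get_access_key_last_used(AccessKeyId=meta["AccessKeyId"])["AccessKeyLastUsed"]
            last = info.get("LastUsedDate")        # missing: never used since 2015-04-22
            if last is None or last < cutoff:
                stale.append((name, meta["AccessKeyId"], last, info["Region"], info["ServiceName"]))
    return stale


if __name__ == "__main__":
    for name, key_id, last, region, service in find_unused_access_keys(FakeIamClient(SAMPLE_NOW), 90, SAMPLE_NOW):
        print(f"{name:<8} {key_id} last used: {last or 'never'} ({region}, {service})")
```

Checking `info.get("LastUsedDate")` rather than indexing it is the point of the example: the real response omits the key entirely for a never-used access key, and a script that assumes it is present will crash on exactly the keys you most want to remove.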