
How to Clean Up AWS IAM Access Keys

IAM access keys are long-term AWS credentials, and it is best practice to remove keys that are no longer in use. Removing unused keys improves security and reduces your exposure to risk.

With Fix Inventory, it is easy to find and delete AWS IAM access keys that have not been used for a defined period of time.

Prerequisites

This guide assumes that you have already installed and configured Fix Inventory to collect your AWS resources.

Directions

  1. Execute the following command in Fix Inventory Shell to open the Fix Inventory Worker configuration for editing:

    > config edit fix.worker
  2. Enable cleanup by modifying the fixworker section of the configuration as follows:

    fixworker:
      # Enable cleanup of resources
      cleanup: true
      # Do not actually clean up resources, just create log messages
      cleanup_dry_run: false
      # How many cleanup threads to run in parallel
      cleanup_pool_size: 16

    When cleanup is enabled, marked resources will be deleted as part of the collect_and_cleanup workflow, which runs each hour by default.

    tip

    Set cleanup_dry_run to true to simulate cleanup without actually deleting resources.

  3. Execute the following search in Fix Inventory Shell to find the number of access keys that have not been used within the last 90 days, grouped by user:

    > search is(access_key) and last_access > 90days <-- is(user) | count name
    ccm-sa: 1
    nancy: 1
    db-runner: 3
    packer-ami: 9
    test-max: 12
    jenkins: 1
    ci: 2
    total matched: 26
    total unmatched: 0

    It is also possible to exclude specific users' keys from these results. Below is the same search, modified to only return keys not belonging to users jenkins and ci:

    > search is(access_key) and last_access > 90days <-- is(user) and name not in [jenkins, ci] | count name
    ccm-sa: 1
    nancy: 1
    db-runner: 3
    packer-ami: 9
    test-max: 12
    total matched: 26
    total unmatched: 0
  4. Now that we've defined the search for unused IAM access keys, simply pipe the result of the search query to the clean command instead of the count command:

    > search is(access_key) and last_access > 90days and /ancestors.user.reported.name not in [jenkins, ci] | clean

    note

    The clean command flags a resource for cleanup.

    Cleanup is performed whenever the collect_and_cleanup workflow runs.

    The workflow runs every hour by default, but can also be manually triggered using the workflow run cleanup command.

  5. Automate flagging unused access keys for cleanup by creating a job:

    > jobs add --id clean_outdated_access_keys --wait-for-event post_collect 'search is(access_key) and last_access > 90days and /ancestors.user.reported.name not in [jenkins, ci] | clean'
    Job clean_outdated_access_keys added.

The job will now run each time Fix Inventory emits the post_cleanup_plan event. The post_cleanup_plan event is emitted in the cleanup phase of the collect_and_cleanup workflow.

Each time the job runs, unused IAM access keys will be flagged for removal during the next cleanup run.
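To make the selection and dry-run semantics above concrete, here is an added Python example (not Fix Inventory code) that applies the same rules to a constructed inventory: keys last used strictly more than 90 days ago, owning users jenkins and ci excluded, counted per user, and then either reported (dry run) or flagged for the next cleanup run. The key ids, user names and timestamps are invented, and the handling of never-used keys is this example's choice.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Fixed "now" so the constructed sample below evaluates the same way offline.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


@dataclass
class AccessKey:
    key_id: str                      # placeholder label, not a real AWS key id
    user: str                        # owning IAM user (/ancestors.user.reported.name)
    last_access: Optional[datetime]  # None: the key has never been used
    marked_for_cleanup: bool = False


# Constructed sample inventory with hypothetical users and timestamps.
SAMPLE_KEYS: List[AccessKey] = [
    AccessKey("key-01", "nancy", NOW - timedelta(days=120)),
    AccessKey("key-02", "nancy", NOW - timedelta(days=5)),
    AccessKey("key-03", "db-runner", NOW - timedelta(days=200)),
    AccessKey("key-04", "db-runner", None),
    AccessKey("key-05", "jenkins", NOW - timedelta(days=365)),
    AccessKey("key-06", "ci", NOW - timedelta(days=91)),
    AccessKey("key-07", "packer-ami", NOW - timedelta(days=90)),  # exactly 90 days: kept
    AccessKey("key-08", "packer-ami", NOW - timedelta(days=100)),
]


def unused_keys(keys, days=90, exclude_users=(), now=NOW):
    """Mirrors `is(access_key) and last_access > <days>days and
    /ancestors.user.reported.name not in [...]`: last use strictly more
    than `days` ago. Never-used keys also match (this example's choice)."""
    cutoff = now - timedelta(days=days)
    return [k for k in keys
            if (k.last_access is None or k.last_access < cutoff)
            and k.user not in exclude_users]


def count_by_user(keys):
    """Mirrors `| count name`: per-user counts and the total matched."""
    counts = Counter(k.user for k in keys)
    return dict(counts), sum(counts.values())


def clean(keys, dry_run):
    """Mirrors `| clean` under cleanup_dry_run: report the keys, and flag
    them for the next collect_and_cleanup run unless dry_run is set."""
    if not dry_run:
        for k in keys:
            k.marked_for_cleanup = True
    return sorted(k.key_id for k in keys)
```

Run `unused_keys(SAMPLE_KEYS, exclude_users=("jenkins", "ci"))` through `count_by_user` first, as step 3 does, and only switch `clean(..., dry_run=False)` on once the per-user counts look right.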

Further Reading