AWS Access Keys Are Used Every 90 Days


Remediation Effort



This policy validates that IAM user access keys are used at least once every 90 days.

Access keys provide programatic access to an AWS account, and if those keys are not in use they should not be enabled as they only serve to increase the attack surface of the account.


To remediate this, each unused credential for each user mentioned in this alert should be made inactive.

Using the AWS Console

1. Access the User tab of the IAM console at:

2. Select the name of the non-compliant user.

3. Select the "Security Credentials" tab.

4. Under the "Access Keys" section select "Make inactive" under the "Status" column for the unused key.

Using the AWS CLI Tool

1. Run the following command to make the unused access key inactive:

aws iam update-access-key --user-name <user_name> --access-key-id <access_key_id> --status Inactive


  • CIS AWS Benchmark 1.3 "Ensure credentials unused for 90 days or greater are disabled."

Last updated