Avoid Provisioning Access Keys During Initial IAM User Creation When Console Login is Enabled
Why this matters
When a new IAM user is created with both programmatic and console access, an access key pair is often generated at the same time, whether or not anyone needs it yet. This introduces unnecessary risk because:
Unused access keys may go unnoticed and unmonitored
Credentials could be compromised if stored insecurely
Users may have more access than their actual usage requires
Provisioning access keys should be a deliberate and auditable action, only when truly needed.
What this check does
This Auto Check verifies whether:
IAM users were provisioned with access keys at the time the user was created
Those users also have console access via a password
The access keys have never been used, or are unnecessary based on their usage history
The check fails if unused or unnecessary access keys are found to be provisioned at user creation time.
How to fix it
Remove access keys that are not in use or were automatically created but not required.
From the AWS Console
Go to the IAM Console.
Select Users, choose the user, and open the Security credentials tab.
Review the user's access keys, including the Created and Last used columns.
Identify keys that were:
Created at the same time as the user
Never used (no Last used date) or flagged during audit
Deactivate the key first (set it to Inactive) and confirm nothing breaks, then delete it. An inactive key can be re-enabled if something turns out to depend on it; a deleted key cannot be recovered.
Generate a credential report for auditing
From the IAM Dashboard, choose Credential Report.
Download and review the .csv file for unused keys. The relevant columns are user_creation_time, password_enabled, access_key_1_active / access_key_2_active, access_key_1_last_rotated / access_key_2_last_rotated (for a key that has never been rotated, this is its creation time) and access_key_1_last_used_date / access_key_2_last_used_date (N/A for a key that has never been used).
Use it to identify stale or redundant credentials for removal. Note that the report does not contain access key IDs; look those up per user before deleting anything.
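The check described above can be run against the credential report directly. The following is an added example, not code from the original page or from the tool it describes. It parses the report's CSV (the real column names) and flags active keys that belong to a console-enabled user, were created within a short window of the user itself, and have either never been used or not been used for a long time. The report text is constructed sample data; the creation window and staleness threshold are assumed values you would tune for your own environment.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample credential report, not real account data. The column
# names match the real IAM credential report; columns this check does not
# read (password_last_used, mfa_active, cert_*, ...) are omitted for brevity.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2023-01-10T08:00:00+00:00,not_supported,false,N/A,N/A,false,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,2024-03-01T09:15:00+00:00,true,true,2024-03-01T09:15:30+00:00,N/A,false,N/A,N/A
bob,arn:aws:iam::123456789012:user/bob,2024-03-01T10:00:00+00:00,true,true,2024-03-01T10:00:10+00:00,2024-05-20T00:00:00+00:00,false,N/A,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2024-02-15T12:00:00+00:00,false,true,2024-02-15T12:00:05+00:00,2024-06-01T00:00:00+00:00,false,N/A,N/A
carol,arn:aws:iam::123456789012:user/carol,2024-01-05T14:00:00+00:00,true,true,2024-04-10T16:30:00+00:00,N/A,false,N/A,N/A
"""

# Placeholder values the report uses where there is no timestamp.
NO_TIMESTAMP = {"N/A", "no_information", "not_supported"}


def parse_ts(value):
    """Parse a credential-report timestamp; return None when there is none."""
    if value in NO_TIMESTAMP:
        return None
    return datetime.fromisoformat(value)


def find_keys_provisioned_at_creation(report_csv, now,
                                      creation_window=timedelta(minutes=10),
                                      stale_after=timedelta(days=90)):
    """Return (user, key_slot, reason) for active access keys that were created
    together with a console-enabled user and have never been used, or have not
    been used for longer than stale_after.

    creation_window and stale_after are assumed thresholds, not values the
    page defines; tune them to your environment.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        # Root is handled by other checks, and programmatic-only users
        # (password_enabled == "false") are out of scope for this one.
        if row["user"] == "<root_account>" or row["password_enabled"] != "true":
            continue
        user_created = parse_ts(row["user_creation_time"])
        for slot in ("access_key_1", "access_key_2"):
            if row[f"{slot}_active"] != "true":
                continue
            # For a key that was never rotated, last_rotated is its creation time.
            key_created = parse_ts(row[f"{slot}_last_rotated"])
            if key_created is None or key_created - user_created > creation_window:
                continue  # issued deliberately, later on: not what this check targets
            last_used = parse_ts(row[f"{slot}_last_used_date"])
            if last_used is None:
                reason = "never used"
            elif now - last_used > stale_after:
                reason = f"unused for {(now - last_used).days} days"
            else:
                continue  # created with the user, but in active use
            findings.append((row["user"], slot, reason))
    return findings


def run_sample():
    """Run the check over the constructed report at a fixed 'now'."""
    now = datetime(2024, 9, 1, tzinfo=timezone.utc)
    return find_keys_provisioned_at_creation(SAMPLE_REPORT, now)


if __name__ == "__main__":
    for user, slot, reason in run_sample():
        print(f"{user}: {slot} {reason}")
```

On the sample data this flags alice (key created 30 seconds after the user, never used) and bob (key created with the user, last used more than 90 days ago), and skips ci-deploy (no console password) and carol (her key was issued three months after her user, so it was a deliberate request). To run it against a real account, generate the report with `aws iam generate-credential-report`, fetch it with `aws iam get-credential-report --query Content --output text | base64 --decode`, and pass the decoded text in place of SAMPLE_REPORT. Because the report carries no key IDs, follow up each finding with `aws iam list-access-keys --user-name <user_name>` before deactivating or deleting.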
Using AWS CLI
# List the user's keys, deactivate the unused one first, then delete it once nothing has broken
aws iam list-access-keys --user-name <user_name>
aws iam update-access-key --user-name <user_name> --access-key-id <access_key_id> --status Inactive
aws iam delete-access-key --user-name <user_name> --access-key-id <access_key_id>
Exceptions
If programmatic access is required:
Require users to explicitly request or generate access keys post-creation
Establish a support or approval process for issuing access keys
Apply tagging or metadata to track why a key was issued and to whom
Requiring users to request or generate keys themselves records intent, gives you an audit trail for each key, and keeps provisioning aligned with least privilege.