Detect IAM Users with Multiple Active Access Keys and Enforce Key Rotation
Why this matters
Access keys are long-term credentials used for programmatic access via AWS CLI, SDKs, or APIs. If IAM users have multiple active access keys:
It becomes harder to track which key is in use
Unused keys are forgotten yet stay valid, so a leaked one can be exploited without anyone noticing
Key rotation hygiene suffers, increasing the risk of credential leaks
To reduce the attack surface and improve credential management, each IAM user should have only one active key at a time, and that key should be rotated regularly.
What this check does
This Auto Check evaluates every IAM user in the account and verifies:
Whether the user has more than one active access key
Whether any active key is older than 90 days (measured from the key's CreateDate)
Whether rotation is actually happening; IAM has no setting that enforces rotation, so key age is the evidence the check relies on
The check fails if a user has more than one active key or any active key older than 90 days. Inactive keys count against neither rule, but they should still be deleted once confirmed unused.
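The two rules above, applied to the JSON that `aws iam list-access-keys` returns for each user. This is an added example, not the Auto Check's own implementation: it uses only the standard library and runs offline against constructed sample data (the user names and AKIA... key IDs are placeholders); with boto3 installed and credentials configured, `collect_live_metadata()` builds the same structure from ListUsers and ListAccessKeys.

```python
"""Evaluate IAM access-key hygiene from `aws iam list-access-keys` output.

Added example, not the check's own code. Standard library only, so it runs
offline on the constructed SAMPLE below; collect_live_metadata() is the
optional boto3 path for real accounts.
"""
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE_DAYS = 90


def parse_create_date(value):
    """Accept the ISO 8601 strings the CLI prints ("...+00:00" or "...Z") or a datetime."""
    if isinstance(value, datetime):
        dt = value
    else:
        dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt


def evaluate_user(user_name, key_metadata, now=None, max_age_days=MAX_KEY_AGE_DAYS):
    """Return the findings for one user; an empty list means the user passes.

    key_metadata is the "AccessKeyMetadata" list from ListAccessKeys.
    Inactive keys are ignored by both rules, as in the check description.
    """
    now = now or datetime.now(timezone.utc)
    findings = []
    active = [k for k in key_metadata if k.get("Status") == "Active"]
    if len(active) > 1:
        findings.append({
            "user": user_name,
            "rule": "multiple_active_keys",
            "keys": [k["AccessKeyId"] for k in active],
        })
    for key in active:
        age = now - parse_create_date(key["CreateDate"])
        if age > timedelta(days=max_age_days):
            findings.append({
                "user": user_name,
                "rule": "key_older_than_90_days",
                "keys": [key["AccessKeyId"]],
                "age_days": age.days,
            })
    return findings


def evaluate_account(users_to_keys, now=None):
    """users_to_keys maps user name -> AccessKeyMetadata list. Returns all findings."""
    findings = []
    for user_name, keys in users_to_keys.items():
        findings.extend(evaluate_user(user_name, keys, now))
    return findings


def collect_live_metadata():
    """Build the same mapping from IAM with boto3 (needs credentials; not run offline)."""
    import boto3  # imported here so the rest of the module has no SDK dependency
    iam = boto3.client("iam")
    result = {}
    for page in iam.get_paginator("list_users").paginate():
        for user in page["Users"]:
            name = user["UserName"]
            keys = []
            for kpage in iam.get_paginator("list_access_keys").paginate(UserName=name):
                keys.extend(kpage["AccessKeyMetadata"])
            result[name] = keys
    return result


# Constructed sample data in the shape ListAccessKeys returns; IDs are placeholders.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE = {
    "ci-deployer": [  # two active keys -> fails the first rule
        {"AccessKeyId": "AKIAEXAMPLE000001", "Status": "Active", "CreateDate": "2024-05-20T08:00:00+00:00"},
        {"AccessKeyId": "AKIAEXAMPLE000002", "Status": "Active", "CreateDate": "2024-03-20T08:00:00+00:00"},
    ],
    "analyst": [  # one active key, about 120 days old -> fails the second rule
        {"AccessKeyId": "AKIAEXAMPLE000003", "Status": "Active", "CreateDate": "2024-02-02T12:00:00Z"},
    ],
    "svc-backup": [  # one fresh active key plus an inactive leftover -> passes
        {"AccessKeyId": "AKIAEXAMPLE000004", "Status": "Active", "CreateDate": "2024-05-01T00:00:00+00:00"},
        {"AccessKeyId": "AKIAEXAMPLE000005", "Status": "Inactive", "CreateDate": "2023-01-01T00:00:00+00:00"},
    ],
}

if __name__ == "__main__":
    for f in evaluate_account(SAMPLE, NOW):
        print(f"FAIL {f['user']}: {f['rule']} {f['keys']}")
```

To run it against a real account, replace `SAMPLE` with `collect_live_metadata()` and drop the fixed `NOW`; the evaluation logic is unchanged. Note that the inactive key on svc-backup passes both rules exactly as the check specifies, which is why the page still tells you to delete such keys rather than leave them parked.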
How to fix it
Deactivate redundant or outdated access keys and enforce rotation practices.
From the AWS Console
Sign in to the IAM Console.
Navigate to Users and select a specific IAM user.
Under the Security Credentials tab, locate the Access Keys section.
Ensure only one key is active and that it is less than 90 days old. The key's creation date is shown next to it, so the age check is a direct comparison.
Click Make inactive next to any additional or old key. Deactivation is reversible, so do it first; delete the key only after you have confirmed that nothing still depends on it.
Confirm the action when prompted.
Repeat this for all IAM users in your account.
Using AWS CLI
# Deactivate an old or unused key
aws iam update-access-key --user-name <user_name> --access-key-id <access_key_id> --status Inactive
# Verify key status
aws iam list-access-keys --user-name <user_name>
Exceptions
For automation scenarios where key rotation is managed externally, or where two active keys are temporarily required during a cut-over:
Document the use case and an expiry date for the exception; a second active key is a rotation state, not a steady state
Track key age automatically, for example with the IAM credential report or the AWS Config managed rule access-keys-rotated, and route the result into CloudWatch alarms or your ticketing workflow so an expired exception is noticed
Ensure programmatic rotation workflows deactivate the old key automatically once the consumer is confirmed to be using the new one
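A rotation routine that satisfies the last point: it creates the replacement key, hands it to the workload, and deactivates the old key only after the hand-off is confirmed, so a failed hand-off never leaves two active keys behind. This is an added example, not the check's or AWS's own code. The `iam` argument is any object exposing the four boto3 IAM client methods used (pass `boto3.client("iam")` for a real rotation); `FakeIam` is a constructed in-memory stand-in so the block runs offline, and `install_new_key` is a hypothetical callback you supply to store the credential wherever the workload reads it.

```python
"""Programmatic access-key rotation that always ends with the old key deactivated.

Added example, not the page's or AWS's own code. Works with boto3.client("iam")
or with the constructed FakeIam below for offline runs.
"""
from datetime import datetime, timezone


class RotationError(Exception):
    pass


def rotate_access_key(iam, user_name, install_new_key, delete_old=False):
    """Create a new key, hand it over, then deactivate (optionally delete) the old one.

    install_new_key(access_key_id, secret) must store the credential where the
    workload reads it and return True only once the workload is using it. On
    False the new key is deleted and the old key stays active, so the user never
    ends up with two active keys after a failed hand-off.
    """
    keys = iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]
    active = [k for k in keys if k["Status"] == "Active"]
    if len(active) != 1:
        raise RotationError(f"{user_name} has {len(active)} active keys; expected exactly one")
    old_key_id = active[0]["AccessKeyId"]
    # IAM allows at most two access keys per user: remove an inactive leftover first.
    for k in keys:
        if k["Status"] == "Inactive":
            iam.delete_access_key(UserName=user_name, AccessKeyId=k["AccessKeyId"])
    new = iam.create_access_key(UserName=user_name)["AccessKey"]
    if not install_new_key(new["AccessKeyId"], new["SecretAccessKey"]):
        iam.delete_access_key(UserName=user_name, AccessKeyId=new["AccessKeyId"])
        raise RotationError("consumer did not confirm the new key; old key left active")
    iam.update_access_key(UserName=user_name, AccessKeyId=old_key_id, Status="Inactive")
    if delete_old:
        iam.delete_access_key(UserName=user_name, AccessKeyId=old_key_id)
    return {"old": old_key_id, "new": new["AccessKeyId"]}


def active_key_ids(iam, user_name):
    """Helper used to verify the end state, equivalent to `aws iam list-access-keys`."""
    return [k["AccessKeyId"]
            for k in iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]
            if k["Status"] == "Active"]


class FakeIam:
    """Constructed stand-in for the boto3 IAM calls used above (not the real SDK).

    Enforces the two-keys-per-user limit so the cleanup step is exercised; the
    real client raises a botocore ClientError (LimitExceeded) in that case.
    """
    def __init__(self, user_name, keys):
        self.keys = {user_name: [dict(k) for k in keys]}
        self.counter = 0

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [dict(k) for k in self.keys[UserName]]}

    def create_access_key(self, UserName):
        if len(self.keys[UserName]) >= 2:
            raise RotationError("LimitExceeded: 2 access keys per user")
        self.counter += 1
        key_id = f"AKIAFAKE{self.counter:08d}"  # placeholder ID
        self.keys[UserName].append({"AccessKeyId": key_id, "Status": "Active",
                                    "CreateDate": datetime.now(timezone.utc)})
        return {"AccessKey": {"AccessKeyId": key_id, "SecretAccessKey": "fake-secret"}}

    def update_access_key(self, UserName, AccessKeyId, Status):
        for k in self.keys[UserName]:
            if k["AccessKeyId"] == AccessKeyId:
                k["Status"] = Status

    def delete_access_key(self, UserName, AccessKeyId):
        self.keys[UserName] = [k for k in self.keys[UserName] if k["AccessKeyId"] != AccessKeyId]


# Constructed starting state: one active key and one inactive leftover.
START_KEYS = [
    {"AccessKeyId": "AKIAOLD000000001", "Status": "Active", "CreateDate": "2024-01-01T00:00:00+00:00"},
    {"AccessKeyId": "AKIAOLD000000000", "Status": "Inactive", "CreateDate": "2023-06-01T00:00:00+00:00"},
]

if __name__ == "__main__":
    iam = FakeIam("ci-deployer", START_KEYS)
    result = rotate_access_key(iam, "ci-deployer", lambda key_id, secret: True)
    print(result, "active now:", active_key_ids(iam, "ci-deployer"))
```

Leave `delete_old` at its default for the first run and delete the deactivated key after a grace period, once the check confirms nothing tried to use it; that keeps the roll-back path open while still satisfying the single-active-key rule immediately.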