Unused access keys
Check ID: aws-iam-004
AWS-IAM-004 is an AWS security check performed by cloud-audit, an open-source AWS security scanner. It checks for active access keys that have not been used in 30 or more days, or that have never been used.
Why it matters
Unused access keys are attack surface that provides no business value. If such a key is compromised, for example through a code leak or a stolen laptop, its use is unlikely to be noticed, because no legitimate service depends on it and nobody is watching it. AWS Security Hub data shows that unused credentials are involved in 30% of unauthorized access incidents because they are often forgotten and lack monitoring. The 2021 Codecov supply chain attack exploited stale credentials that had been inactive for months. Deactivating unused keys, and deleting them after a grace period, follows the principle of least privilege and reduces the credential sprawl that attackers exploit during lateral movement.
Common causes
Unused keys accumulate when employees leave the company or change roles but their access keys are never deactivated. Proof-of-concept projects and one-time migration scripts often create keys that are forgotten after the task is done. Some teams create keys "just in case" during onboarding, even when the user only needs console access.
Detection
Run cloud-audit to detect this issue:
pip install cloud-audit
cloud-audit scan -R
The -R flag includes remediation details for every finding, including this one.
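As an added worked example, not part of cloud-audit's own code, the following Python applies this check's rule to access-key records shaped like the boto3 IAM responses (list_access_keys metadata with the get_access_key_last_used result attached) and emits the first remediation step from the section below; the records, user names and key ids are constructed placeholders.

```python
from datetime import datetime, timedelta, timezone

THRESHOLD_DAYS = 30  # idle window used by this check

# Constructed sample data shaped like the boto3 responses this check would
# combine: iam.list_access_keys() AccessKeyMetadata entries, each with the
# AccessKeyLastUsed dict from iam.get_access_key_last_used() attached.
# A never-used key has no LastUsedDate. Names and key ids are placeholders.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
KEYS = [
    {"UserName": "deploy-bot", "AccessKeyId": "AKIAEXAMPLEKEY00001", "Status": "Active",
     "CreateDate": NOW - timedelta(days=400),
     "AccessKeyLastUsed": {"LastUsedDate": NOW - timedelta(days=2), "ServiceName": "s3"}},
    {"UserName": "migration-script", "AccessKeyId": "AKIAEXAMPLEKEY00002", "Status": "Active",
     "CreateDate": NOW - timedelta(days=200),
     "AccessKeyLastUsed": {"LastUsedDate": NOW - timedelta(days=95), "ServiceName": "dynamodb"}},
    {"UserName": "new-hire", "AccessKeyId": "AKIAEXAMPLEKEY00003", "Status": "Active",
     "CreateDate": NOW - timedelta(days=60), "AccessKeyLastUsed": {"ServiceName": "N/A"}},
    {"UserName": "old-contractor", "AccessKeyId": "AKIAEXAMPLEKEY00004", "Status": "Inactive",
     "CreateDate": NOW - timedelta(days=300),
     "AccessKeyLastUsed": {"LastUsedDate": NOW - timedelta(days=250), "ServiceName": "ec2"}},
]

def days_idle(key, now):
    """Whole days since the key was last used, or None if never used."""
    last_used = key["AccessKeyLastUsed"].get("LastUsedDate")
    return None if last_used is None else (now - last_used).days

def find_unused_keys(keys, now, threshold_days=THRESHOLD_DAYS):
    """Flag Active keys idle for threshold_days or more, or never used at all.
    Inactive keys are skipped: they have already had the first remediation step."""
    findings = []
    for key in keys:
        if key["Status"] != "Active":
            continue
        idle = days_idle(key, now)
        if idle is None:
            reason = "never used (created %d days ago)" % (now - key["CreateDate"]).days
        elif idle >= threshold_days:
            reason = "last used %d days ago" % idle
        else:
            continue  # used recently: not a finding
        findings.append({"UserName": key["UserName"],
                         "AccessKeyId": key["AccessKeyId"], "reason": reason})
    return findings

def remediation_commands(findings):
    """Deactivate each flagged key (step one on this page); deletion comes later."""
    return ["aws iam update-access-key --user-name %s --access-key-id %s --status Inactive"
            % (f["UserName"], f["AccessKeyId"]) for f in findings]
```

Running find_unused_keys(KEYS, NOW) flags migration-script (idle 95 days) and new-hire (never used) and skips the recently used and already inactive keys; a real run would build KEYS from the IAM API instead of the constructed list.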
Remediation: AWS CLI
aws iam update-access-key --user-name USER --access-key-id KEY_ID --status Inactive
# After confirming no impact:
aws iam delete-access-key --user-name USER --access-key-id KEY_ID
Remediation: Terraform
# Remove the aws_iam_access_key resource from your Terraform config
# and run terraform apply to delete the unused key.
Compliance mapping
This check maps to CIS 1.12 in the CIS AWS Foundations Benchmark. The CIS Benchmark provides prescriptive guidance for configuring security options for a subset of AWS services.
This check is part of cloud-audit - install with pip install cloud-audit