Table: aws_iam_access_key - Query AWS IAM Access Keys using SQL
The AWS Identity and Access Management (IAM) Access Keys are long-term credentials for an IAM user or the AWS account root user. These keys are used in conjunction with the access key ID to cryptographically sign programmatic AWS requests for authentication. Managing access keys appropriately enables you to protect your AWS resources from unauthorized access.
Table Usage Guide
The aws_iam_access_key table in Steampipe provides you with information about IAM Access Keys within AWS Identity and Access Management (IAM). This table lets you, as a DevOps engineer, query access key-specific details, including the access key ID, status, creation date, and more. You can utilize this table to gather insights on access keys, such as their current status (active/inactive), the IAM user they are associated with, and their creation date. The schema outlines the various attributes of the IAM Access Key for you, including the access key ID, status, creation date, and the IAM user to which it belongs.
Examples
List of access keys with their corresponding user name and date of creation
List each access key together with the IAM user it is associated with and the date it was created, to help manage and monitor AWS IAM security credentials effectively.
select access_key_id, user_name, create_date from aws_iam_access_key;
List of access keys which are inactive
Identify AWS IAM access keys that are inactive. This can be useful for identifying unused keys, potentially improving security by reducing the number of active keys in your system.
select access_key_id, user_name, status from aws_iam_access_key where status = 'Inactive';
Access key count by user name
Determine the number of access keys associated with each user in your AWS IAM service. This can be useful for understanding how access is distributed across your users, potentially highlighting areas where access can be consolidated or better managed.
select user_name, count(access_key_id) as access_key_count from aws_iam_access_key group by user_name;
Control examples
- All Controls > IAM > Ensure there is only one active access key available for any single IAM user
- AWS Foundational Security Best Practices > IAM > 3 IAM users' access keys should be rotated every 90 days or less
- CIS v1.2.0 > 1 Identity and Access Management > 1.4 Ensure access keys are rotated every 90 days or less
- CIS v1.3.0 > 1 Identity and Access Management > 1.13 Ensure there is only one active access key available for any single IAM user
- CIS v1.3.0 > 1 Identity and Access Management > 1.14 Ensure access keys are rotated every 90 days or less
- CIS v1.4.0 > 1 Identity and Access Management > 1.13 Ensure there is only one active access key available for any single IAM user
- CIS v1.4.0 > 1 Identity and Access Management > 1.14 Ensure access keys are rotated every 90 days or less
- CIS v1.5.0 > 1 Identity and Access Management > 1.13 Ensure there is only one active access key available for any single IAM user
- CIS v1.5.0 > 1 Identity and Access Management > 1.14 Ensure access keys are rotated every 90 days or less
- CIS v2.0.0 > 1 Identity and Access Management > 1.13 Ensure there is only one active access key available for any single IAM user
- CIS v2.0.0 > 1 Identity and Access Management > 1.14 Ensure access keys are rotated every 90 days or less
- CIS v3.0.0 > 1 Identity and Access Management > 1.13 Ensure there is only one active access key available for any single IAM user
- CIS v3.0.0 > 1 Identity and Access Management > 1.14 Ensure access keys are rotated every 90 days or less
- CIS v4.0.0 > 1 Identity and Access Management > 1.13 Ensure there is only one active access key for any single IAM user
- CIS v4.0.0 > 1 Identity and Access Management > 1.14 Ensure access keys are rotated every 90 days or less
- IAM user access keys should be rotated at least every 90 days
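The two rules that recur in the controls above (only one active key per IAM user, and rotation every 90 days or less) can be checked directly against this table. The query below is an added example, not the query used by any of the listed controls; it assumes the default Steampipe Postgres engine and uses only columns from this table's schema.

```sql
-- Added example (not a Steampipe control query): active access keys that
-- break either rule named in the controls above. Postgres engine syntax.
with keys as (
  select
    account_id,
    user_name,
    access_key_id,
    status,
    create_date,
    access_key_last_used_date,
    access_key_last_used_service,
    -- Number of active keys held by the same user in the same account.
    count(*) filter (where status = 'Active') over (
      partition by account_id, user_name
    ) as active_key_count
  from
    aws_iam_access_key
)
select
  account_id,
  user_name,
  access_key_id,
  create_date,
  extract(day from now() - create_date) as age_days,
  active_key_count,
  -- Null when AWS has no recorded use for the key.
  access_key_last_used_date,
  access_key_last_used_service,
  create_date < now() - interval '90 days' as rotation_overdue,
  active_key_count > 1 as multiple_active_keys
from
  keys
where
  status = 'Active'
  and (
    create_date < now() - interval '90 days'
    or active_key_count > 1
  )
order by
  create_date;
```

The last-used columns are included for triage: a key that is overdue for rotation and has no recent use is usually the first candidate to deactivate.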
Schema for aws_iam_access_key
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | | Steampipe context in JSON form. |
access_key_id | text | | The ID for this access key. |
access_key_last_used_date | timestamp with time zone | | The date when the access key was last used. |
access_key_last_used_region | text | | The region in which the access key was last used. |
access_key_last_used_service | text | | The service last used by the access key. |
account_id | text | =, !=, ~~, ~~*, !~~, !~~* | The AWS Account ID in which the resource is located. |
akas | jsonb | | Array of globally unique identifier strings (also known as) for the resource. |
create_date | timestamp with time zone | | The date when the access key was created. |
partition | text | | The AWS partition in which the resource is located (aws, aws-cn, or aws-us-gov). |
region | text | | The AWS Region in which the resource is located. |
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
sp_ctx | jsonb | | Steampipe context in JSON form. |
status | text | | The status of the access key. Active means that the key is valid for API calls; Inactive means it is not. |
title | text | | Title of the resource. |
user_name | text | = | The name of the IAM user that the key is associated with. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- aws
You can pass the configuration to the command with the --config argument:
steampipe_export_aws --config '<your_config>' aws_iam_access_key