I want to know when an AWS Identity and Access Management (IAM) access key was last used.
Resolution
To get usage information for an access key, use the AWS Command Line Interface (AWS CLI) or AWS CloudTrail event history. You can also use credential reports and notifications to monitor IAM access keys.
Note: If you receive errors when you run AWS CLI commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.
Use the AWS CLI
Run the get-access-key-last-used command:
aws iam get-access-key-last-used --access-key-id ASIAIOSFODNN7EXAMPLE
Note: Replace ASIAIOSFODNN7EXAMPLE with your access key ID.
The output includes the date and time when the access key was last used, the AWS service, and the AWS Region.
Use CloudTrail event history
Complete the following steps:
- Open the CloudTrail console, and then choose Event history.
- In the Lookup attributes menu, choose AWS access key.
- In the AWS access key search bar, enter the access key ID.
- In Filter by date and time, enter the time range, and then choose Apply.
The output includes the date and time when the access key was last used, the AWS service, and the Region.
Note: The CloudTrail event history only keeps the last 90 days of data.
Amazon S3 service API calls
You might see an Amazon Simple Storage Service (Amazon S3) service call without an Amazon S3 API call from the same time in the CloudTrail event history logs. If so, then this usage was an Amazon S3 data event, not a management event. These events are part of the normal operation of Amazon S3.
Use credential reports and notifications to monitor IAM access keys
Generate a credential report that lists all AWS accounts that include IAM access keys.
To set up notifications, see How can I set up alerts to see when an IAM access key is used?
To monitor IAM access keys, see How can I monitor the account activity of specific IAM users, roles, and AWS access keys?
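The following added example (not part of the original article) reads a credential report CSV and lists active access keys that were never used or have been idle past a threshold. The sample rows, the user names, the function names, and the 90-day default are assumptions made for illustration.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample in the credential report's CSV layout, trimmed to the
# columns used here. A real report is fetched with
# `aws iam generate-credential-report` and then `aws iam get-credential-report`.
SAMPLE_REPORT = """\
user,arn,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service
build-bot,arn:aws:iam::111122223333:user/build-bot,true,2023-01-10T09:00:00+00:00,2024-05-30T12:15:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A
old-admin,arn:aws:iam::111122223333:user/old-admin,true,2021-03-02T08:30:00+00:00,2023-11-01T07:45:00+00:00,eu-west-1,ec2,true,2022-06-01T10:00:00+00:00,N/A,N/A,N/A
"""

NOT_SET = {"N/A", ""}  # the report writes N/A where a field has no value


def parse_ts(value):
    """Return an aware datetime, or None when the report has no value."""
    return None if value in NOT_SET else datetime.fromisoformat(value)


def stale_keys(report_csv, now, max_idle_days=90):
    """List active access keys that were never used or idle too long.

    max_idle_days is an assumed policy threshold, not a value from the page.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in ("1", "2"):  # each IAM user can hold two access keys
            col = f"access_key_{slot}_"
            if row.get(col + "active") != "true":
                continue  # empty or deactivated slot
            last_used = parse_ts(row[col + "last_used_date"])
            # A never-used key is aged from when it was created or rotated.
            since = last_used or parse_ts(row[col + "last_rotated"])
            idle_days = (now - since).days if since else None
            if last_used is None or idle_days > max_idle_days:
                findings.append({
                    "user": row["user"],
                    "slot": slot,
                    "last_used": row[col + "last_used_date"] if last_used else "never",
                    "service": row[col + "last_used_service"],
                    "region": row[col + "last_used_region"],
                    "idle_days": idle_days,
                })
    return findings


if __name__ == "__main__":
    for finding in stale_keys(SAMPLE_REPORT, datetime.now(timezone.utc)):
        print(finding)
```

Active keys that report "never" are worth reviewing first, because they are live credentials with no recorded use.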
Related information
Why is my Amazon EC2 instance using IAM user credentials instead of role credentials?
Finding unused access keys