Guard Custom Policy - date function


I want to create a Guard custom policy rule that gets hold of the IAM access key creation date and compares it to today's date. If the key age is greater than 60, I want to make the Config rule non-compliant.

I can get hold of the access key age through this JSON property: configuration.createDate

Does Guard custom policy provide a date function that I can use to create today's date and then compare it with configuration.createDate?

1 Answer


I think it is not necessary to create a custom rule if you use the Config rule below, what do you think?
The default number of days is 90 days, but you can change this.

In addition, for remediation actions, you can use the following SSM runbook to disable access keys if they do not comply with the rules.

answered 2 months ago
  • Thanks Riku. Isn't the access_keys_rotated Config rule managed by AWS, so it's set by AWS?

    For me, the Edit button is greyed out so I cannot edit it.

    On the top it says: This rule has been created by securityhub, This is a service-linked AWS Config rule.....

  • In my environment, "maxAccessKeyAge" can be changed. Maybe you and I are looking at different screens.
    What I am trying to do is configure the "Adding rules" described in the document below.
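
The age check described in the question, written as the evaluation logic a Lambda-backed custom Config rule could run. This is an added example, not code from the thread: the function names, the `AWS::IAM::User` resource type and the sample item are assumptions, and it reads `configuration.createDate` as the question describes.

```python
from datetime import datetime, timezone

MAX_KEY_AGE_DAYS = 60  # threshold from the question


def parse_create_date(value):
    """Parse configuration.createDate; accepts ISO 8601 text or epoch milliseconds."""
    if isinstance(value, (int, float)):
        return datetime.fromtimestamp(value / 1000, tz=timezone.utc)
    parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    # Assumption: a timestamp without an offset is UTC.
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def evaluate_key_age(configuration_item, now=None, max_age_days=MAX_KEY_AGE_DAYS):
    """Return one evaluation dict in the shape AWS Config PutEvaluations accepts."""
    now = now or datetime.now(timezone.utc)
    created_raw = (configuration_item.get("configuration") or {}).get("createDate")
    if created_raw is None:
        # Nothing to measure: do not report the resource as compliant by default.
        compliance, note = "NOT_APPLICABLE", "configuration.createDate is missing"
    else:
        age_days = (now - parse_create_date(created_raw)).days
        # Strictly greater than the limit is non-compliant, as in the question.
        compliance = "NON_COMPLIANT" if age_days > max_age_days else "COMPLIANT"
        note = f"Key age is {age_days} days (limit {max_age_days})"
    return {
        "ComplianceResourceType": configuration_item["resourceType"],
        "ComplianceResourceId": configuration_item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note,
        "OrderingTimestamp": configuration_item["configurationItemCaptureTime"],
    }


# Constructed sample configuration item (not real account data).
SAMPLE_ITEM = {
    "resourceType": "AWS::IAM::User",
    "resourceId": "AIDAEXAMPLEEXAMPLE",
    "configurationItemCaptureTime": "2024-05-01T00:00:00.000Z",
    "configuration": {"createDate": "2024-01-15T10:30:00.000Z"},
}

if __name__ == "__main__":
    print(evaluate_key_age(SAMPLE_ITEM))
```

Passing `now` explicitly keeps the check deterministic in tests; in a deployed rule it defaults to the current UTC time.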
