AWS KeyUse - Can't find where it's being used.

0

Good afternoon. My next project is moving off user IAM keys for resources and to IAM role based access (much more secure), but having some issues with keys.

On the IAM user, under security credentials, I see the key; it says last used 2022-02-09 with s3 in N/A (so it was used today). Yet I go to CloudTrail, Event History, and if I search by the key OR username I come up with nothing. I am just starting this project, so I have 20+ users to define what they have access to, then create the policies to create those roles, but this is a poor start to my task!

Any help in finding the easiest way to see key use and/or auditing is appreciated.

1 Answer
1

There are a few troubleshooting steps that I would recommend trying:

  1. Verify that the appropriate time filter settings are enabled when searching Event History in CloudTrail.
  2. Verify if CloudTrail is only not displaying actions in S3 (test to see if other API calls associated with other AWS services are being displayed).
  3. Verify whether the activity was a bucket-level API call; by default only bucket-level API calls that were made in the last 90 days can be found in the CloudTrail console. Data events such as object-level calls will not be in data events. To access those calls you will have to query CloudTrail logs with Athena (https://docs.aws.amazon.com/athena/latest/ug/cloudtrail-logs.html#tips-for-querying-cloudtrail-logs).

Documentation for Amazon S3 CloudTrail events: https://docs.aws.amazon.com/AmazonS3/latest/userguide/cloudtrail-logging-s3-info.html

AWS
Shahna
answered 2 years ago
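As an added illustration of step 3 (not part of the answer above), the following offline parser reads a CloudTrail log file (the `Records` array CloudTrail delivers to S3) and reports what one access key did, separating management events, which Event History shows, from data events such as object-level S3 calls, which only reach the delivered log files. The record layout and the `managementEvent` field are CloudTrail's own; the sample records, key IDs and addresses are constructed placeholders.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of a delivered CloudTrail log file.
# Made-up events with placeholder key IDs, not data from the question.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventVersion": "1.08", "eventTime": "2022-02-09T10:15:02Z",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "accessKeyId": "AKIAEXAMPLEKEY00001"},
     "eventSource": "s3.amazonaws.com", "eventName": "GetObject", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10", "managementEvent": False, "readOnly": True,
     "requestParameters": {"bucketName": "example-bucket", "key": "reports/q1.csv"}},
    {"eventVersion": "1.08", "eventTime": "2022-02-09T10:16:40Z",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "accessKeyId": "AKIAEXAMPLEKEY00001"},
     "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10", "managementEvent": True, "readOnly": True},
    {"eventVersion": "1.08", "eventTime": "2022-02-09T11:02:11Z",
     "userIdentity": {"type": "IAMUser", "userName": "bob", "accessKeyId": "AKIAEXAMPLEKEY00002"},
     "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "awsRegion": "eu-west-1",
     "sourceIPAddress": "198.51.100.7", "managementEvent": True, "readOnly": True},
]})


def key_usage(log_text, access_key_id):
    """Per-service usage of one access key, split into the two event classes.

    Management events are what the console's Event History shows; data events
    (object-level S3 calls) only appear in delivered log files, which is how a
    key can show "last used: s3" while a console search matches nothing.
    """
    usage = defaultdict(lambda: {"management": [], "data": [], "source_ips": set()})
    for rec in json.loads(log_text).get("Records", []):
        if rec.get("userIdentity", {}).get("accessKeyId") != access_key_id:
            continue
        svc = rec["eventSource"].split(".")[0]  # "s3.amazonaws.com" -> "s3"
        # Older event versions lack managementEvent; treat missing as management.
        kind = "management" if rec.get("managementEvent", True) else "data"
        usage[svc][kind].append((rec["eventTime"], rec["eventName"]))
        usage[svc]["source_ips"].add(rec.get("sourceIPAddress", "?"))
    # Sorted lists give a deterministic report for diffing between runs.
    return {svc: {"management": v["management"], "data": v["data"],
                  "source_ips": sorted(v["source_ips"])} for svc, v in usage.items()}


if __name__ == "__main__":
    for svc, v in key_usage(SAMPLE_LOG, "AKIAEXAMPLEKEY00001").items():
        print(f"{svc}: {len(v['management'])} management, {len(v['data'])} data "
              f"event(s) from {', '.join(v['source_ips'])}")
```

The per-service action list is the input you need for step 3 of the migration: it tells you which API calls the replacement role's policy must allow.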
