finding usage for access key

0

We're retiring an old access key, and have removed all known references to it. CloudTrail shows the last event was CreateLogStream, over 2 weeks ago, about the time we removed the last known reference to the old key.

But in the IAM console, it still shows ongoing usage: "last used 7 minutes ago, last used service cloudwatch." There is always active usage for either "cloudwatch" or "logs" within the last 10 or so minutes, every time we check.

Is there a way to find out more information about this ongoing usage?

We've tried setting up a trail, but couldn't find any options that looked like they would be relevant to CloudWatch. We've also tried IAM Access Analyzer, but that doesn't seem to log information about access keys used. We also tried an EventBridge entry, with the event pattern

{
  "detail": {
    "userIdentity": {
      "accessKeyId": ["..."]
    }
  }
}

No results so far. I think we had gotten that from a search a while back; it was in EventBridge already and has been there long enough that none of us remembers having set it up.

Not sure what else to try. Any help would be greatly appreciated! TIA

EDIT: the user in question does not have console access enabled, and has never allowed logins. We also checked CloudTrail via the username. We have a new access key on the same user that is replacing the old key, so there is activity under that other key. But even still, the most recent event is several hours ago: CreateLogStream. And both keys show recent activity in the last few minutes.

We've set up a trail for S3 events, and that's a lot of what we see on the new key. The old key shows zero S3 entries. The CloudWatch usage, I'm assuming that's log ingestion into the various log streams that have been created. I can't find a way to see that activity.

4 Answers
1
Accepted Answer

We had completely forgotten that we set up AmazonSSMAgent on a Windows EC2 to log metrics, and we had used the access key to do it. We've reconfigured to use role-based permissions and now the usage on the old key seems to have stopped.

I had to go back through CloudTrail and look at the CreateLogStream events for the access key, and eventually I found that one of them was using a stream name that matched those metrics. I think the only reason it showed up is that we had restarted one of the backup servers around the time we retired that access key, so there was a recent CreateLogStream under that key.

answered 9 months ago
0

Are console logins, etc. enabled for the IAM user who was issued the access key?
In this case, it is possible that the "IAM Access Analyzer" is recording the operations performed by logging in to the console.
So when sorting by CloudTrail, search by IAM user name instead of access key and you may get a hit.
https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html

EXPERT
answered 9 months ago
  • I've edited the question with additional information. Short version: we don't have console logins enabled for that user, and even checking cloudtrail via the username, we're not seeing the recent (last few minutes) activity.

0

I understand that you are trying to find where your IAM access key is being used. There are multiple ways to find that information and, based on what you described here, you have done the right things.

Please take a look at this re:Post Knowledge Center Article, which explains the same use case in great detail, if you haven't already gone through it.

Comment here how it goes, happy to help further.

Hope you find this useful.

Abhishek

AWS
EXPERT
answered 9 months ago
0

Sounds like the key is in use on an instance that has CloudWatch Agent on it and is logging regularly.

You should be able to find the records in CloudTrail. Go to the CloudTrail console. On the left choose Event History. In the Event History dropdown, select AWS access key and then provide the access key in the search field.

AWS
EXPERT
iBehr
answered 9 months ago
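The Event History lookup that the last answer describes in the console, and the CreateLogStream triage the accepted answer did by hand, can be scripted. The block below is an added example written for this thread, not code from any of the posters or from AWS: it pulls Event History for one access key with boto3, then aggregates the calls by API, source IP and user agent (the fields that usually point at the host and agent still holding the key) and lists every log group and stream name that CreateLogStream touched, since stream names often encode the instance or service that created them. It assumes boto3 is installed, that the caller has cloudtrail:LookupEvents and iam:GetAccessKeyLastUsed, and that the key id is passed on the command line; the sample events are constructed placeholders in the shape lookup_events() returns. One caveat worth knowing when the "last used" timestamp keeps moving while Event History stays quiet: the high-volume data-plane calls an agent makes (PutLogEvents, PutMetricData) are not among the management events Event History records, so a key used only for metric and log ingestion surfaces there only through occasional management calls such as CreateLogStream, exactly as the asker observed.

```python
"""Added example (not from the original thread): summarise CloudTrail Event
History for one access key and surface the log streams it created.

Assumptions not stated in the thread: boto3 is installed, credentials with
cloudtrail:LookupEvents and iam:GetAccessKeyLastUsed are available, and the
access key id is supplied by the caller. SAMPLE_EVENTS is constructed."""
import json
from collections import Counter
from datetime import datetime, timedelta, timezone


def summarize_events(events):
    """Aggregate Event History records (the "Events" list from
    cloudtrail.lookup_events(); each carries a JSON string in
    "CloudTrailEvent") for one access key.

    Returns call counts per "eventSource:eventName", the distinct source IPs
    and user agents seen, and every (logGroupName, logStreamName) pair that a
    CreateLogStream call created.
    """
    calls = Counter()
    source_ips = set()
    user_agents = set()
    log_streams = []
    for event in events:
        detail = json.loads(event["CloudTrailEvent"])
        calls[f"{detail.get('eventSource')}:{detail.get('eventName')}"] += 1
        if detail.get("sourceIPAddress"):
            source_ips.add(detail["sourceIPAddress"])
        if detail.get("userAgent"):
            user_agents.add(detail["userAgent"])
        if detail.get("eventName") == "CreateLogStream":
            params = detail.get("requestParameters") or {}
            log_streams.append((params.get("logGroupName"),
                                params.get("logStreamName")))
    return {
        "calls": dict(calls),
        "source_ips": sorted(source_ips),
        "user_agents": sorted(user_agents),
        "log_streams": log_streams,
    }


def fetch_events(access_key_id, days=90, region_name="us-east-1"):
    """Pull Event History for one access key in one region.

    Event History holds management events only; data-plane calls such as
    PutLogEvents and PutMetricData do not appear here even though they
    advance IAM's "last used" timestamp. Run per region if the key may be
    used outside the one queried.
    """
    import boto3  # imported here so the module loads without boto3 installed

    client = boto3.client("cloudtrail", region_name=region_name)
    start = datetime.now(timezone.utc) - timedelta(days=days)
    events = []
    for page in client.get_paginator("lookup_events").paginate(
        LookupAttributes=[{"AttributeKey": "AccessKeyId",
                           "AttributeValue": access_key_id}],
        StartTime=start,
    ):
        events.extend(page["Events"])
    return events


def last_used(access_key_id):
    """The same 'last used' data the IAM console shows (date, service, region)."""
    import boto3

    iam = boto3.client("iam")
    return iam.get_access_key_last_used(AccessKeyId=access_key_id)["AccessKeyLastUsed"]


# Constructed sample in the shape lookup_events() returns; all values are placeholders.
SAMPLE_EVENTS = [
    {"CloudTrailEvent": json.dumps({
        "eventSource": "logs.amazonaws.com", "eventName": "CreateLogStream",
        "sourceIPAddress": "203.0.113.10", "userAgent": "constructed-agent/1.0",
        "requestParameters": {"logGroupName": "/example/metrics",
                              "logStreamName": "i-0example0001/Memory"}})},
    {"CloudTrailEvent": json.dumps({
        "eventSource": "logs.amazonaws.com", "eventName": "CreateLogStream",
        "sourceIPAddress": "203.0.113.10", "userAgent": "constructed-agent/1.0",
        "requestParameters": {"logGroupName": "/example/metrics",
                              "logStreamName": "i-0example0001/Disk"}})},
    {"CloudTrailEvent": json.dumps({
        "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
        "sourceIPAddress": "198.51.100.7", "userAgent": "constructed-cli/2.0",
        "requestParameters": {"bucketName": "example-bucket"}})},
]

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # live mode: python find_key_usage.py <ACCESS_KEY_ID>
        print(json.dumps(last_used(sys.argv[1]), indent=2, default=str))
        summary = summarize_events(fetch_events(sys.argv[1]))
    else:  # offline demonstration on the constructed sample
        summary = summarize_events(SAMPLE_EVENTS)
    print(json.dumps(summary, indent=2))
```

Run it with no arguments to see the summary of the constructed sample, or with an access key id to query the account. The user agent and source IP sets are usually the fastest way to tell an SSM or CloudWatch agent on an EC2 host apart from a CLI on someone's workstation, and the log stream list is what led the accepted answer to the forgotten agent configuration.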
