We had completely forgotten that we set up AmazonSSMAgent on a Windows EC2 to log metrics, and we had used the access key to do it. We've reconfigured to use role-based permissions and now the usage on the old key seems to have stopped.
I had to go back through CloudTrail and look at the CreateLogStream events for the access key, and eventually I found that one of them was using a stream name that matched those metrics. I think the only reason it showed up is that we had restarted one of the backup servers around the time we retired that access key, so there was a recent CreateLogStream under that key.
Are console logins, etc. enabled for the IAM user who was issued the access key?
In this case, it is possible that the "IAM Access Analyzer" is recording the operations performed by logging in to the console.
So when searching in CloudTrail, search by IAM user name instead of access key and you may get a hit.
https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html
I understand that you are trying to find where your IAM access key is being used. There are multiple ways to find that information, and based on what you described here, you have done the right things.
Please take a look at this re:Post Knowledge Center Article, which explains the same use case in great detail, if you haven't already gone through it.
Comment here how it goes, happy to help further.
Hope you find this useful.
Abhishek
Sounds like the key is in use on an instance that has CloudWatch Agent on it and is logging regularly.
You should be able to find the records in CloudTrail. Go to the CloudTrail console. On the left choose Event History. In the Event History dropdown, select AWS access key and then provide the access key in the search field.
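The same Event History lookup, scripted, as an added example that is not part of this thread: it pulls every CloudTrail event recorded for one access key (the `AccessKeyId` lookup attribute is what the console's "AWS access key" filter uses), then groups the calls by service, API, source IP and user agent and pulls the log group/stream names out of CreateLogStream calls, which is how the asker tied the key back to the agent. The sample records, key id and stream names are constructed; the `lookup_access_key_events` function assumes boto3 and working AWS credentials.

```python
import json
from collections import Counter

def _record(event_name, stream=None, ip="203.0.113.10", agent="CloudWatchAgent/1.0"):
    """Build one constructed LookupEvents record; the real API returns the full
    event as a JSON string in the 'CloudTrailEvent' field, which is what we parse."""
    ev = {"eventSource": "logs.amazonaws.com", "eventName": event_name,
          "sourceIPAddress": ip, "userAgent": agent,
          "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY000001"},  # placeholder key id
          "requestParameters": {"logGroupName": "ssm-metrics", "logStreamName": stream}}
    return {"EventName": event_name, "CloudTrailEvent": json.dumps(ev)}

# Constructed sample: one stream creation followed by two log writes from the same host.
SAMPLE_EVENTS = [
    _record("CreateLogStream", "i-0123456789abcdef0/Memory"),
    _record("PutLogEvents", "i-0123456789abcdef0/Memory"),
    _record("PutLogEvents", "i-0123456789abcdef0/Memory"),
]

def summarize_key_usage(records):
    """Group records by (service, API call, source IP, user agent) and collect the
    log group/stream names from CreateLogStream calls, which is what identifies
    the host and metric stream still using the key."""
    callers = Counter()
    streams = set()
    for rec in records:
        ev = json.loads(rec["CloudTrailEvent"])
        callers[(ev.get("eventSource"), ev.get("eventName"),
                 ev.get("sourceIPAddress"), ev.get("userAgent"))] += 1
        if ev.get("eventName") == "CreateLogStream":
            params = ev.get("requestParameters") or {}
            streams.add((params.get("logGroupName"), params.get("logStreamName")))
    return callers, streams

def lookup_access_key_events(access_key_id, region="us-east-1"):
    """Fetch the same Event History the console shows for 'AWS access key'.
    Needs boto3 and AWS credentials, so it is not exercised offline; Event History
    only covers the last 90 days, older use needs a CloudTrail trail in S3/Athena."""
    import boto3  # imported here so the offline parts above run without boto3 installed
    paginator = boto3.client("cloudtrail", region_name=region).get_paginator("lookup_events")
    pages = paginator.paginate(LookupAttributes=[
        {"AttributeKey": "AccessKeyId", "AttributeValue": access_key_id}])
    return [e for page in pages for e in page["Events"]]

if __name__ == "__main__":
    callers, streams = summarize_key_usage(SAMPLE_EVENTS)
    for who, n in callers.most_common():
        print(n, who)
    print("streams created:", sorted(streams))
```

To run it against a real account, replace `SAMPLE_EVENTS` with `lookup_access_key_events("<your key id>")`; the `(source IP, user agent)` pairs in the output usually point straight at the instance or tool that still holds the key.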
I've edited the question with additional information. Short version: we don't have console logins enabled for that user, and even checking CloudTrail via the username, we're not seeing the recent (last few minutes) activity.