I have a user set up on AWS and the user needs to be deleted, however they have an Access Key set up and it used to be used for some monitors that we had set up, but now it is not used for the monitors. However, when I look at the last used date of the access key it shows usage within the past 5 minutes typically. It showed that it was used with S3 but for the life of me I cannot find anything that associates the key with an S3 bucket or where it would be being used. I have CloudTrail enabled and have tried looking in those logs to find where the access key was used, but for some reason CloudTrail does not seem to track usages of an access key, or at least it doesn't log it out in the CloudTrail logs.
I can disable the access key but didn't want to break whatever is using it. So I was hoping there is a way for me to find this out that I'm not aware of. Any ideas?
CodePudding user response:
https://aws.amazon.com/premiumsupport/knowledge-center/view-iam-history/
You can use CloudTrail. Quoting the key steps from above link:
- Open the CloudTrail console.
- Choose Event history.
- In Filter, select the dropdown menu. Then, choose User name. Note: You can also filter by AWS access key.
- In the Enter user or role name text box, enter the IAM user's "friendly name" or the assumed role session name.
- In Time range, enter the desired time range. Then, choose Apply.
- In Event time, expand the event. Then, choose View event. The userIdentity element contains details about the type of IAM identity that made the request and the credentials provided.
Edit:
In case you suspect the S3 activity is for object-level activity (like downloading and uploading objects in S3), this link has a few details on how you can enable tracking for it in CloudTrail:
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html
Unfortunately, it isn't as simple as browsing event history. You will have to create a trail and then scan the generated trail logs stored in S3 or CloudWatch.
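As an added example (not from the answer above and not AWS code), here is a small Python scan over a trail log file of the kind the last step describes, run against constructed sample records with placeholder access key IDs. It filters on userIdentity.accessKeyId and tallies event, bucket, source IP and user agent, which is usually enough to identify what is still calling with the key.

```python
import gzip, io, json
from collections import Counter

# Constructed sample: the JSON a trail writes to S3 (gzip-compressed). The access key
# IDs are placeholders. Two records belong to the key under investigation (one
# management event, one S3 data event); the third belongs to a different key.
TARGET_KEY = "AKIAEXAMPLEKEY000001"
SAMPLE_TRAIL_FILE = {"Records": [
    {"eventTime": "2023-05-01T10:00:01Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "eventCategory": "Management",
     "sourceIPAddress": "198.51.100.10", "userAgent": "aws-cli/2.11.0",
     "userIdentity": {"type": "IAMUser", "userName": "monitor-user", "accessKeyId": TARGET_KEY}},
    {"eventTime": "2023-05-01T10:00:02Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "eventCategory": "Data",
     "sourceIPAddress": "198.51.100.10", "userAgent": "aws-sdk-go/1.44.0",
     "requestParameters": {"bucketName": "example-monitor-bucket", "key": "health/check.txt"},
     "userIdentity": {"type": "IAMUser", "userName": "monitor-user", "accessKeyId": TARGET_KEY}},
    {"eventTime": "2023-05-01T10:00:03Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListUsers", "eventCategory": "Management",
     "sourceIPAddress": "203.0.113.5", "userAgent": "console.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "admin", "accessKeyId": "AKIAEXAMPLEKEY000002"}},
]}
SAMPLE_BLOB = gzip.compress(json.dumps(SAMPLE_TRAIL_FILE).encode())

def load_records(blob: bytes) -> list:
    """Decode one trail log file (gzip-compressed JSON, as delivered to S3)."""
    with gzip.open(io.BytesIO(blob), "rt") as f:
        return json.load(f).get("Records", [])

def events_for_access_key(records: list, access_key_id: str) -> list:
    """Keep records whose userIdentity.accessKeyId matches and extract what was
    called, on which bucket, from which IP and with which user agent."""
    hits = []
    for r in records:
        if r.get("userIdentity", {}).get("accessKeyId") != access_key_id:
            continue
        params = r.get("requestParameters") or {}
        hits.append({"time": r["eventTime"],
                     "event": f'{r["eventSource"]}:{r["eventName"]}',
                     "category": r.get("eventCategory", "Management"),
                     "bucket": params.get("bucketName"),
                     "source_ip": r.get("sourceIPAddress"),
                     "user_agent": r.get("userAgent")})
    return hits

def callers(hits: list) -> Counter:
    """Count (event, bucket, source IP, user agent): the shortlist of callers to chase."""
    return Counter((h["event"], h["bucket"], h["source_ip"], h["user_agent"]) for h in hits)

print(callers(events_for_access_key(load_records(SAMPLE_BLOB), TARGET_KEY)))
```

Object-level S3 calls such as GetObject only appear in the trail if data events are enabled as the linked page describes; with a real trail, feed each downloaded `.json.gz` file to `load_records` and merge the results.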
