@dobesv
Created February 13, 2026 19:16
IAM Access Key Age Audit Script
#!/bin/bash
# Reports the age of every active IAM access key and flags keys older than DAYS_LIMIT.
# Requires the AWS CLI and GNU date (the -d option used below is not available in BSD/macOS date).

# Threshold in days
DAYS_LIMIT=300
CURRENT_TIME=$(date +%s)

echo "IAM Access Key Age Report (Active Keys Only)"
printf "%-30s %-25s %-15s %-10s\n" "User" "Key ID" "Created" "Age (Days)"
echo "-----------------------------------------------------------------------------------------------"

# List all users
if ! users=$(aws iam list-users --query 'Users[*].UserName' --output text); then
    echo "Error: Failed to list users." >&2
    exit 1
fi

count=0
found_count=0

# IAM user names cannot contain whitespace, so word splitting on $users is safe here
for user in $users; do
    # Get active keys for the user
    keys=$(aws iam list-access-keys --user-name "$user" --query 'AccessKeyMetadata[?Status==`Active`].[AccessKeyId,CreateDate]' --output text)
    if [ -n "$keys" ]; then
        while read -r key_id create_date; do
            if [ -n "$key_id" ] && [ -n "$create_date" ]; then
                # Convert the ISO 8601 creation timestamp to epoch seconds
                key_time=$(date -d "$create_date" +%s)
                age_seconds=$((CURRENT_TIME - key_time))
                days_old=$((age_seconds / 86400))
                status=""
                if [ "$days_old" -gt "$DAYS_LIMIT" ]; then
                    status="!!! > $DAYS_LIMIT days"
                    found_count=$((found_count + 1))
                fi
                printf "%-30s %-25s %-15s %-10s %s\n" "$user" "$key_id" "${create_date:0:10}" "$days_old" "$status"
            fi
        done <<< "$keys"
    else
        # Optional: show users with no active keys
        # printf "%-30s %-25s %-15s %-10s\n" "$user" "No active keys" "-" "-"
        :
    fi
    count=$((count + 1))
done

echo "-----------------------------------------------------------------------------------------------"
echo "Summary: Checked $count users. Found $found_count active keys older than $DAYS_LIMIT days."