Quick Fix: Deactivate IAM User API Access Key
Outcome
The IAM user's API access key will be set to Inactive, immediately preventing it from being used to authenticate
AWS API calls. The key itself is preserved and can be reactivated later if needed.
For example, after applying this fix:
- An access key for IAM user deploy-bot that hasn't been used in 90 days will no longer authenticate API requests
- An access key for IAM user former-contractor that may have been exposed will be unable to sign any AWS API calls
Fix
Step 1: Set the target user and identify the access key
USER_NAME="the-user-to-restrict"
# List the user's access keys to find the one to deactivate
aws iam list-access-keys \
--user-name "${USER_NAME}" \
--output table
Identify the AccessKeyId to deactivate from the output, then set it:
ACCESS_KEY_ID="AKIA..."
Step 2: Deactivate the access key
aws iam update-access-key \
--user-name "${USER_NAME}" \
--access-key-id "${ACCESS_KEY_ID}" \
--status Inactive
Verify the fix
Confirm the key status is now Inactive:
aws iam list-access-keys \
--user-name "${USER_NAME}" \
--query "AccessKeyMetadata[?AccessKeyId=='${ACCESS_KEY_ID}']" \
--output table
The Status column should show Inactive.
References
- AWS: Managing access keys for IAM users
- k9 Security Kata 3: Review IAM password and access key credentials
Gotcha
Deactivating an access key takes effect immediately. Any application or script still using that key will start failing
right away, typically with InvalidClientTokenId errors (S3 reports the same condition as InvalidAccessKeyId). If you're
unsure whether the key is still in use, check its LastUsedDate before deactivating:
aws iam get-access-key-last-used --access-key-id "${ACCESS_KEY_ID}"
A key that has never been used has no LastUsedDate and shows N/A for ServiceName and Region. If the key is still actively
used, coordinate with the key's owner to rotate to a new key before deactivating the old one. Deactivation is reversible
-- you can reactivate by setting --status Active -- but deleting the key (aws iam delete-access-key) is permanent.
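The steps above (list the user's keys, check last use, deactivate, read the status back) combined into one script, as an added example that is not part of the original page: it refuses to deactivate any key used within a threshold (default 90 days), which is the safety check the Gotcha describes. It assumes AWS CLI v2 with credentials that allow iam:ListAccessKeys, iam:GetAccessKeyLastUsed and iam:UpdateAccessKey, and GNU date. The AWS_CLI variable, the function names and the IAM_USER / DORMANT_DAYS environment variables are this example's own conventions, not AWS ones.

```bash
#!/usr/bin/env bash
# Added example: deactivate only the dormant access keys of one IAM user.
# Assumes AWS CLI v2 configured with iam:ListAccessKeys, iam:GetAccessKeyLastUsed
# and iam:UpdateAccessKey, and GNU date (for parsing ISO-8601 timestamps).
set -euo pipefail

# Hypothetical convention: point AWS_CLI at a wrapper for a dry run; defaults to the real CLI.
AWS_CLI="${AWS_CLI:-aws}"

# Whole days elapsed since an ISO-8601 timestamp such as 2024-01-15T10:20:30+00:00.
days_since() {
  local then now
  then=$(date -u -d "$1" +%s)
  now=$(date -u +%s)
  echo $(( (now - then) / 86400 ))
}

# Print the key's LastUsedDate, or "never" when AWS has no usage record for it
# (the CLI prints "None" for an absent field in text output).
key_last_used() {
  local key_id="$1" ts
  ts=$("$AWS_CLI" iam get-access-key-last-used \
        --access-key-id "$key_id" \
        --query 'AccessKeyLastUsed.LastUsedDate' --output text)
  if [ -z "$ts" ] || [ "$ts" = "None" ]; then echo never; else echo "$ts"; fi
}

# Succeeds when the key is safe to deactivate: never used, or unused for >= $2 days.
key_is_dormant() {
  local key_id="$1" threshold_days="$2" last
  last=$(key_last_used "$key_id")
  [ "$last" = "never" ] && return 0
  [ "$(days_since "$last")" -ge "$threshold_days" ]
}

# Set the key Inactive, then read its status back from the account and print it.
deactivate_key() {
  local user="$1" key_id="$2"
  "$AWS_CLI" iam update-access-key --user-name "$user" \
      --access-key-id "$key_id" --status Inactive
  "$AWS_CLI" iam list-access-keys --user-name "$user" \
      --query "AccessKeyMetadata[?AccessKeyId=='${key_id}'].Status" --output text
}

# Deactivate every Active key of $1 unused for at least $2 days (default 90).
# Prints each deactivated key ID on stdout; keys still in use are reported on stderr and skipped.
deactivate_dormant_keys() {
  local user="$1" threshold="${2:-90}" key_id status
  for key_id in $("$AWS_CLI" iam list-access-keys --user-name "$user" \
      --query 'AccessKeyMetadata[?Status==`Active`].AccessKeyId' --output text); do
    if ! key_is_dormant "$key_id" "$threshold"; then
      echo "$key_id: last used $(key_last_used "$key_id"), within ${threshold} days; skipping" >&2
      continue
    fi
    status=$(deactivate_key "$user" "$key_id")
    if [ "$status" != "Inactive" ]; then
      echo "$key_id: expected status Inactive after update, got '${status}'" >&2
      return 1
    fi
    echo "$key_id"
  done
}

# Run directly as:  IAM_USER=deploy-bot DORMANT_DAYS=90 ./deactivate-dormant-keys.sh
if [ -n "${IAM_USER:-}" ]; then
  deactivate_dormant_keys "$IAM_USER" "${DORMANT_DAYS:-90}"
fi
```

Because the status is read back with the same list-access-keys query the Verify step uses, the script fails loudly if the update did not take, instead of assuming success. Reactivation is the same call with --status Active; the script deliberately never deletes anything.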