Quick Fix: Delete IAM User API Access Key

Outcome

The IAM user's API access key will be permanently deleted, removing a stale credential from the account. Unlike deactivation, deletion cannot be undone -- the key ID and secret are gone forever.

For example, after applying this fix:

  • A stale access key for IAM user deploy-bot that was deactivated 30 days ago will be permanently removed
  • An exposed access key for IAM user ci-runner will be eliminated so it can never be reactivated

Fix

Step 1: Set the target user and identify the access key

USER_NAME="the-user-to-restrict"

# List the user's access keys to find the one to delete
aws iam list-access-keys \
  --user-name "${USER_NAME}" \
  --output table

Identify the AccessKeyId to delete from the output, then set it:

ACCESS_KEY_ID="AKIA..."

Step 2: Check when the key was last used

Before deleting, confirm the key is no longer in active use:

aws iam get-access-key-last-used --access-key-id "${ACCESS_KEY_ID}"

If the key was recently used, coordinate with the key's owner to rotate to a new key first. See the Deactivate IAM user API access key quick fix to disable it while you coordinate.

Step 3: Delete the access key

aws iam delete-access-key \
  --user-name "${USER_NAME}" \
  --access-key-id "${ACCESS_KEY_ID}"

Verify the fix

Confirm the key no longer appears in the user's access key list:

aws iam list-access-keys \
  --user-name "${USER_NAME}" \
  --output table

The deleted AccessKeyId should not appear in the output.
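As an added example (not part of this page), the script below wires Steps 1 through 3 and the verification into one run that follows the safe workflow from the Gotcha: it refuses to delete a key that is not already Inactive or that was used within the last MIN_IDLE_DAYS (assumed default 30). The aws commands and --query expressions are standard AWS CLI; the function names, the day-arithmetic helper and the --run guard are this example's own.

```shell
#!/bin/sh
# Added example: delete an IAM access key only when it is already Inactive and
# idle for at least MIN_IDLE_DAYS (assumed default 30). Helper and function
# names are this example's own; the aws commands are standard AWS CLI.

# Days since 1970-01-01 for a YYYY-MM-DD[Thh:mm:ss...] string, in pure awk so
# it does not depend on GNU date ("days from civil" algorithm).
day_number() {
  echo "$1" | awk -F'[-T]' '{
    y = $1 + 0; m = $2 + 0; d = $3 + 0
    if (m <= 2) { y--; m += 12 }
    era = int(y / 400); yoe = y - era * 400
    doy = int((153 * (m - 3) + 2) / 5) + d - 1
    doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
    print era * 146097 + doe - 719468
  }'
}

# safe_to_delete STATUS LAST_USED TODAY MIN_IDLE_DAYS -> exit 0 only if the key
# is Inactive and either never used or last used >= MIN_IDLE_DAYS days ago.
safe_to_delete() {
  status="$1"; last_used="$2"; today="$3"; min_idle="$4"
  if [ "$status" != "Inactive" ]; then
    echo "refusing: status is '${status:-not found}'; deactivate it first" >&2
    return 1
  fi
  if [ "$last_used" = "None" ]; then   # the CLI prints None for a never-used key
    echo "ok: key is inactive and was never used" >&2; return 0
  fi
  [ -n "$last_used" ] || { echo "refusing: last-used date unknown" >&2; return 1; }
  idle=$(( $(day_number "$today") - $(day_number "$last_used") ))
  if [ "$idle" -lt "$min_idle" ]; then
    echo "refusing: last used $idle days ago (< $min_idle)" >&2; return 1
  fi
  echo "ok: inactive and last used $idle days ago" >&2
}

# main USER_NAME ACCESS_KEY_ID: Steps 1-3 plus verification, gated by the check.
main() {
  status=$(aws iam list-access-keys --user-name "$1" \
    --query "AccessKeyMetadata[?AccessKeyId=='$2'].Status" --output text)
  last_used=$(aws iam get-access-key-last-used --access-key-id "$2" \
    --query 'AccessKeyLastUsed.LastUsedDate' --output text)
  safe_to_delete "$status" "$last_used" "$(date -u +%Y-%m-%d)" "${MIN_IDLE_DAYS:-30}" || exit 1
  aws iam delete-access-key --user-name "$1" --access-key-id "$2"
  # Verify the fix: the key must no longer be listed for the user.
  if aws iam list-access-keys --user-name "$1" --output text | grep -q "$2"; then
    echo "verification failed: $2 is still listed" >&2; exit 1
  fi
  echo "deleted $2 for $1"
}

if [ "${1:-}" = "--run" ]; then main "$2" "$3"; fi
```

Run it as `sh delete-stale-key.sh --run "$USER_NAME" "$ACCESS_KEY_ID"`; without `--run` it only defines the functions.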

Gotcha

Deleting an access key is permanent and irreversible. Once deleted, the key ID and secret cannot be recovered. If there's any chance the key is still needed, deactivate it first instead. A deactivated key can be reactivated; a deleted key cannot. A safe workflow is: deactivate the key, wait long enough to confirm nothing breaks, then delete it.


Last update: February 5, 2026