Ebook 'From FinOps to proven cloud cost management & optimization strategies'
Whitepaper 'FinOps and cost management for Kubernetes'

3 easy steps to find all inactive users in your AWS account for access management and security improvements

Share on linkedin
Share on twitter
Share on facebook

Problem description

Unauthorized access to internal IT environments doesn’t meet company security standards. Terminating access for inactive users is aimed to reduce the risk of uncontrolled access to your resources and help establish and control the process of access management to internal and production environments.

Disabling access procedure is necessary in case, for instance, when users leave the organization or IT environments are not required anymore. Team leads need to be sure that the former users no longer have access.


Our recommendations enable your engineering team to increase the security of AWS accounts by identifying inactive users and removing IAM user credentials. In our article we recommend to terminate IAM user accounts that are not active for 90 days or more, however, you can adjust a specified period of time based on your requirements.


Step 1

List all users who are created more than 90 days ago and last login into AWS console was more than 90 days ago, or wasn’t used it at all.
AWS cli command:

aws iam list-users --query 'Users[?(CreateDate <= `2021-12-26` && (PasswordLastUsed <= `2021-12-26`) || !not_null(PasswordLastUsed))].UserName' --output text

Step 2

For every user in this list we should check all access keys.
AWS cli command:

aws iam list-access-keys --user-name "$user" --query 'AccessKeyMetadata[].AccessKeyId' --output text

Step 3

For every access key we should check LastUsedDate. In case all access keys were used last time more than 90 days ago, such users could be marked as targets.
AWS cli command:

aws iam get-access-key-last-used --access-key-id "$access_key" --query 'AccessKeyLastUsed.LastUsedDate >= `2021-12-26`' --output text

Free cloud cost optimization. Lifetime

Note 1

 In commands we used date 2021-12-26 its relative date equal (now – 90 days). You should use your own relative date.

Note 2

AWS cli has a pagination mechanism for large amounts of data in output. If you have many users in an account, the provided script will process only the first page. Consider using something more powerful than AWS cli.

As a result one line command:

for user in $(aws iam list-users --query 'Users[?(CreateDate <= `2021-12-26` && (PasswordLastUsed <= `2021-12-26`) || !not_null(PasswordLastUsed))].UserName' --output text); do for access_key in $(aws iam list-access-keys --user-name "$user" --query 'AccessKeyMetadata[].AccessKeyId' --output text); do if [[ "$(aws iam get-access-key-last-used --access-key-id "$access_key" --query 'AccessKeyLastUsed.LastUsedDate >= `2021-12-26`' --output text)" == True ]]; then continue 2; fi; done; echo "$user"; done

As a result this command will provide a list of user names.

OptScale, a FinOps and cloud cost management platform, is available on cloud marketplaces

Alibaba Cloud marketplace

👆🏻 Storing objects in AWS S3 public buckets could threaten the security of your company data.

💡 Discover the recommendations, which help you manage public access to AWS S3 resources properly and ensure that all required buckets and objects have their public access blocked  → https://hystax.com/the-quickest-way-to-get-a-list-of-public-buckets-in-aws-to-enhance-your-security

Enter your email to be notified about new and relevant content.

Thank you for joining us!

We hope you'll find it usefull

You can unsubscribe from these communications at any time. Privacy Policy

News & Reports

FinOps & Test Environment Management

A full description of OptScale as a FinOps and Test Environment Management platform to organize shared IT environment usage, optimize & forecast Kubernetes and cloud costs

From FinOps to proven cloud cost management & optimization strategies

This ebook covers the implementation of basic FinOps principles to shed light on alternative ways of conducting cloud cost optimization

Engage your engineers in FinOps and cloud cost saving

Discover how OptScale helps companies quickly increase FinOps adoption by engaging engineers in FinOps enablement and cloud cost savings