How do I search for IAM access key API activity using CloudTrail?
Last updated: 2019-01-10
How can I view AWS API activity related to an AWS Identity and Access Management (IAM) access key ID?
Review your IAM access key activity if:
- A user account is compromised, and you need to identify all AWS API activity that was performed using a set of access credentials.
- You are required to perform an audit activity with an IAM entity for compliance.
- You are rotating access credentials, and you want to verify that the credentials aren't actively in use.
  Note: Deleted access credentials can't be restored.
- You downloaded the IAM Credential Report, but the report doesn't list AWS API activity.
Note: Results are limited to AWS services that are already on-boarded to AWS CloudTrail. For more information, see CloudTrail Supported Services and Integrations.
- Open the CloudTrail console, and then choose Event history from the navigation pane.
- From the Filter drop-down menu, choose the AWS access key filter.
- In the Enter AWS access key field, enter the IAM access key ID.
- In the Time range field, choose the time range, and then choose Apply.
Note: To identify AWS API activity older than 90 days, see How do I automatically create tables in Amazon Athena to search through AWS CloudTrail logs?
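The same search can be scripted. The following is an added example, not part of the original article: it queries Event history through the CloudTrail `lookup_events` API with the `AccessKeyId` lookup attribute, then condenses the results into the calls made, the source IP addresses, the failed calls, and the time the key was last seen. The function names `fetch_events` and `summarize` are hypothetical, and the sample records are constructed so that the summary logic runs without AWS access.

```python
import json
from collections import Counter
from datetime import datetime, timedelta, timezone


def fetch_events(access_key_id, days=7):
    """Return Event history records for one access key ID (needs boto3 and AWS credentials)."""
    import boto3  # imported lazily so summarize() can be used offline
    end = datetime.now(timezone.utc)
    pages = boto3.client("cloudtrail").get_paginator("lookup_events").paginate(
        LookupAttributes=[{"AttributeKey": "AccessKeyId", "AttributeValue": access_key_id}],
        StartTime=end - timedelta(days=days),
        EndTime=end,
    )
    return [event for page in pages for event in page["Events"]]


def summarize(events):
    """Condense lookup_events records into what an investigation or rotation check needs."""
    calls, ips, errors = Counter(), Counter(), Counter()
    last_seen = None
    for event in events:
        detail = json.loads(event["CloudTrailEvent"])  # full record, delivered as a JSON string
        call = f'{detail["eventSource"]}:{detail["eventName"]}'
        calls[call] += 1
        ips[detail.get("sourceIPAddress", "unknown")] += 1
        if detail.get("errorCode"):  # present only when the call failed, e.g. AccessDenied
            errors[call] += 1
        when = event["EventTime"]
        last_seen = when if last_seen is None or when > last_seen else last_seen
    return {"calls": dict(calls), "source_ips": dict(ips), "errors": dict(errors), "last_seen": last_seen}


def _sample(name, source, ip, minute, error=None):
    """Build a constructed record shaped like one lookup_events result."""
    detail = {"eventSource": source, "eventName": name, "sourceIPAddress": ip}
    if error:
        detail["errorCode"] = error
    return {"EventName": name, "EventTime": datetime(2019, 1, 9, 12, minute, tzinfo=timezone.utc),
            "CloudTrailEvent": json.dumps(detail)}


# Constructed sample data (documentation-range IP addresses), not real CloudTrail output.
SAMPLE_EVENTS = [
    _sample("DescribeInstances", "ec2.amazonaws.com", "198.51.100.7", 1),
    _sample("DescribeInstances", "ec2.amazonaws.com", "198.51.100.7", 5),
    _sample("CreateUser", "iam.amazonaws.com", "203.0.113.20", 9, error="AccessDenied"),
]

if __name__ == "__main__":
    print(summarize(SAMPLE_EVENTS))
```

When you check a key before rotation, an empty result from `fetch_events` means only that no CloudTrail-recorded activity exists in the queried Region and time range.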
For more information about identifiers that are unique to IAM, see IAM Identifiers.