How do I search for IAM access key API activity using CloudTrail?

Last updated: 2019-01-10

How can I view AWS API activity related to an AWS Identity and Access Management (IAM) access key ID?

Short Description

Review your IAM access key activity if:

  • A user account is compromised, and you need to identify all AWS API activity that was performed using a set of access credentials.
  • You are required to perform an audit activity with an IAM entity for compliance.
  • You are rotating access credentials, and you want to verify that the credentials aren't actively in use.
    Note: Deleted access credentials can't be restored.
  • You downloaded the IAM Credential Report, but the report doesn't list AWS API activity.

Note: Results are limited to AWS services that are already on-boarded to AWS CloudTrail. For more information, see CloudTrail Supported Services and Integrations.

Resolution

Use the AWS CloudTrail event history to identify AWS API activity in the last 90 days for your IAM access key. For more information, see Viewing Events with CloudTrail Event History.

  1. Open the CloudTrail console, and then choose Event history from the navigation pane.
  2. From the Filter drop-down menu, choose the AWS access key filter.
  3. In the Enter AWS access key field, enter the IAM access key ID.
  4. In the Time range field, choose the time range, and then choose Apply.

Note: To identify AWS API activity older than 90 days, see How do I automatically create tables in Amazon Athena to search through AWS CloudTrail logs?
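For activity older than the 90 days the event history keeps, the search has to run over the log files a trail delivered to S3. The following is an added example, not part of the original article: it filters constructed CloudTrail records for one access key ID and, because calls made with temporary credentials are logged under the ASIA... key that STS issued rather than the long-term key, it also follows the session keys that the searched key obtained through AssumeRole, GetSessionToken or GetFederationToken. Key IDs, IP addresses and the sample records are placeholders.

```python
import json
from collections import Counter

STS_SESSION_CALLS = {"AssumeRole", "GetSessionToken", "GetFederationToken"}

def _rec(time, source, name, ip, key, **extra):
    # Minimal CloudTrail record; real records carry many more fields.
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "sourceIPAddress": ip, "userIdentity": {"accessKeyId": key}, **extra}

# Constructed sample in the shape CloudTrail delivers to S3 ({"Records": [...]}).
# Key IDs and IPs are placeholders. The AssumeRole record mints a temporary
# ASIA... key that is then used for the CreateUser call.
SAMPLE_LOG = json.dumps({"Records": [
    _rec("2019-01-08T09:58:00Z", "sts.amazonaws.com", "AssumeRole", "203.0.113.10",
         "AKIAIOSFODNN7EXAMPLE",
         responseElements={"credentials": {"accessKeyId": "ASIATEMPKEYEXAMPLE01"}}),
    _rec("2019-01-08T10:00:00Z", "s3.amazonaws.com", "ListBuckets", "203.0.113.10",
         "AKIAIOSFODNN7EXAMPLE"),
    _rec("2019-01-08T10:05:00Z", "iam.amazonaws.com", "CreateUser", "198.51.100.7",
         "ASIATEMPKEYEXAMPLE01"),
    _rec("2019-01-08T10:06:00Z", "ec2.amazonaws.com", "DescribeInstances", "192.0.2.44",
         "AKIAI44QH8DHBEXAMPLE"),
]})

def events_for_key(log_text, key_id, follow_sessions=True):
    """Records made with key_id, oldest first. With follow_sessions, records made
    with temporary keys that key_id obtained from STS are included too: those
    are logged under the ASIA... key, not the long-term key being searched."""
    records = json.loads(log_text)["Records"]
    keys = {key_id}
    if follow_sessions:
        for r in records:
            if (r.get("eventName") in STS_SESSION_CALLS
                    and r.get("userIdentity", {}).get("accessKeyId") == key_id):
                # responseElements is null on failed calls, so guard with "or {}".
                creds = (r.get("responseElements") or {}).get("credentials") or {}
                if creds.get("accessKeyId"):
                    keys.add(creds["accessKeyId"])
    hits = [r for r in records if r.get("userIdentity", {}).get("accessKeyId") in keys]
    return sorted(hits, key=lambda r: r["eventTime"])

def summarize(events):
    """Compact view for an investigation: what was called, from where, and when."""
    return {"calls": Counter(f'{e["eventSource"]}:{e["eventName"]}' for e in events),
            "source_ips": sorted({e["sourceIPAddress"] for e in events}),
            "first": events[0]["eventTime"] if events else None,
            "last": events[-1]["eventTime"] if events else None}
```

Pointing the loader at the gzip-decompressed objects under a trail's S3 prefix instead of SAMPLE_LOG gives the same summary for real logs; the Athena approach linked above is the scalable version of this filter.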

For more information about identifiers that are unique to IAM, such as access key IDs, see IAM Identifiers.
