The Disable Unused IAM Access Keys action can be used to disable IAM user access keys that have gone unused. A report can be emailed informing you of the status of the access keys.


Please see Common Action Settings for a description of settings common to all action types.

User Identification Method

Indicates how users will be selected. Options include:

  • All users - All users will be checked

  • By user name - Users whose names match a comparison will be checked

User Name

Comparison to use when selecting users.

Unused Days

Indicates the number of days an access key must have gone unused before it is disabled.

Report Target

Indicates how the report will be sent.

Target Email

Indicates the target email address to which the reports will be sent. Possible options include:

  • Primary

  • Alternates

Alternate Email Addresses

Indicates the alternate email addresses to which the reports will be sent.

Report Format

Specify the format of the report. Possible options include:

  • Email

  • HTML file emailed

  • CSV file emailed

Test Mode

Indicates that Test Mode is enabled. When Test Mode is enabled, access keys will not be disabled.

Amazon Commands Used

The following AWS commands are used. The access key should have permission to execute all of them.

  • iam:GetAccessKeyLastUsed

  • iam:ListAccessKeys

  • iam:UpdateAccessKey
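
The following is an added example, not the product's own code: a sketch of how the three commands above can combine with the Unused Days and Test Mode settings. The function name, the outcome labels, the FakeIAM stand-in with its made-up key IDs, and the choice to age a never-used key from its creation date are all assumptions; a real boto3 IAM client exposes the same three method names and could be passed in place of FakeIAM.

```python
from datetime import datetime, timedelta, timezone

def disable_unused_keys(iam, user_name, unused_days, test_mode=True, now=None):
    """Return [(access_key_id, outcome)] for one user's active keys."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=unused_days)
    report, marker = [], None
    while True:  # iam:ListAccessKeys is paginated via IsTruncated/Marker
        kwargs = {"UserName": user_name, **({"Marker": marker} if marker else {})}
        page = iam.list_access_keys(**kwargs)
        for key in page["AccessKeyMetadata"]:
            if key["Status"] != "Active":
                continue  # already disabled, nothing to do
            used = iam.get_access_key_last_used(AccessKeyId=key["AccessKeyId"])
            # A never-used key has no LastUsedDate. Assumption: age it from CreateDate.
            last = used["AccessKeyLastUsed"].get("LastUsedDate", key["CreateDate"])
            if last > cutoff:
                outcome = "kept"
            elif test_mode:
                outcome = "would-disable"  # Test Mode: report only, no change
            else:
                iam.update_access_key(UserName=user_name,
                                      AccessKeyId=key["AccessKeyId"], Status="Inactive")
                outcome = "disabled"
            report.append((key["AccessKeyId"], outcome))
        if not page.get("IsTruncated"):
            return report
        marker = page["Marker"]

class FakeIAM:
    """Constructed stand-in for a boto3 IAM client; key IDs are made up."""
    def __init__(self, now):
        d = lambda n: now - timedelta(days=n)
        self.keys = [
            {"AccessKeyId": "AKIAEXAMPLEFRESH", "Status": "Active", "CreateDate": d(400)},
            {"AccessKeyId": "AKIAEXAMPLESTALE", "Status": "Active", "CreateDate": d(400)},
            {"AccessKeyId": "AKIAEXAMPLENEVER", "Status": "Active", "CreateDate": d(200)},
        ]
        self.last_used = {"AKIAEXAMPLEFRESH": d(3), "AKIAEXAMPLESTALE": d(120)}
    def list_access_keys(self, UserName, Marker=None):
        return {"AccessKeyMetadata": self.keys, "IsTruncated": False}
    def get_access_key_last_used(self, AccessKeyId):
        lu = self.last_used.get(AccessKeyId)
        return {"AccessKeyLastUsed": {"LastUsedDate": lu} if lu else {}}
    def update_access_key(self, UserName, AccessKeyId, Status):
        next(k for k in self.keys if k["AccessKeyId"] == AccessKeyId)["Status"] = Status
```

Running it with test_mode=True first shows which keys would be disabled, including keys that were created but never used, before any key's status is changed.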
