Audit AWS IAM user credentials used in your environment with k9 Security’s new credential report integration. AWS IAM users may have a console password and up to two AWS API access keys. Reviewing how these credentials are used is an essential security and audit activity. k9 reports:

  • if IAM user password or API access key credentials exist
  • when a credential was last used
  • when a credential was last rotated

AWS IAM user credential usage information is presented beside other critical information about the principal in the ‘Principals’ report (sample: xlsx, also JSON & CSV):

Audit AWS IAM user credentials using 'Principals' report

This example shows AWS IAM user and credential usage from the k9-dev account. The new credential information is highlighted in orange and all times are in UTC.

The ci user was last used on 2021-03-17 at 3:42 AM (UTC). The ci user doesn’t have a console password configured, so those fields are blank, as are Access Key 2’s fields. The ci user has one Access Key, Key 1. Access Key 1 has the same last used time as the principal, indicating that it was the credential used to authenticate the ci user’s last access.

This IAM user credential data comes from the AWS credential report. k9 reliably retrieves, normalizes, and integrates that credential data with other context so you can focus on analyzing the results.
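The normalization described above, sketched as an added example (not k9's code): it reads a credential report CSV, turns AWS's placeholder values into empty fields, and derives each user's most recent credential use. The sample rows are constructed, with the ci row mirroring the values quoted above; counting a deactivated key as existing is this example's assumption.

```python
import csv
import io
from datetime import datetime

# Constructed sample: a subset of the AWS credential report's CSV columns.
# The user "alice" and all rotation dates are made up for illustration.
SAMPLE_REPORT = """\
user,password_enabled,password_last_used,password_last_changed,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
ci,false,N/A,N/A,true,2020-11-02T18:20:11+00:00,2021-03-17T03:42:00+00:00,false,N/A,N/A
alice,true,no_information,2021-01-05T09:00:00+00:00,false,2020-06-01T12:00:00+00:00,N/A,false,N/A,N/A
"""

PLACEHOLDERS = {"", "N/A", "no_information", "not_supported"}


def parse_ts(value):
    """Return a timezone-aware datetime, or None for a report placeholder."""
    return None if value in PLACEHOLDERS else datetime.fromisoformat(value)


def summarize(report_csv):
    """Map user name -> credential existence, last use and last rotation."""
    summary = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        creds = {"password": {
            "exists": row["password_enabled"] == "true",
            "last_used": parse_ts(row["password_last_used"]),
            "last_rotated": parse_ts(row["password_last_changed"]),
        }}
        for n in ("1", "2"):
            active = row[f"access_key_{n}_active"] == "true"
            rotated = parse_ts(row[f"access_key_{n}_last_rotated"])
            creds[f"access_key_{n}"] = {
                # Assumption: a deactivated key that still has a rotation
                # timestamp is counted as an existing credential.
                "exists": active or rotated is not None,
                "active": active,
                "last_used": parse_ts(row[f"access_key_{n}_last_used_date"]),
                "last_rotated": rotated,
            }
        used = {k: c["last_used"] for k, c in creds.items() if c["last_used"]}
        via = max(used, key=used.get, default=None)
        summary[row["user"]] = {
            "credentials": creds,
            "last_used": used.get(via),       # most recent use of any credential
            "last_used_via": via,             # which credential that was
        }
    return summary
```

A credential with `exists` true and `last_used` empty, like alice's password and deactivated key in the sample, is the kind of row an access audit would flag for review.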

We hope k9’s AWS credential information simplifies your threat detection and AWS access audit. We are happy to answer any questions!