timsabat

Reputation: 2288

Find the owner of an AWS Access Key

I have a service which uses an AWS Access Key to push stuff to S3. I am going to sunset the service and I have the AWS Access Key and Secret. However, I can't find this key in the IAM or security credentials for the account.

Is there a way to enumerate all the access keys for an entire AWS account?

Upvotes: 68

Views: 49268

Answers (10)

alexwlchan

Reputation: 6098

From my article Finding a mystery IAM access key:

  1. You can find the account ID using the GetAccessKeyInfo API, for example:

    $ aws sts get-access-key-info --access-key-id AKIA3B6K4VLAVGRVTXJA
    {
      "Account": "760097843905"
    }
    

    This should work when you authenticate as any IAM entity that has the sts:GetAccessKeyInfo permission, even if it's in a different account to this key.

  2. Once you know the account, you can find the username with the GetAccessKeyLastUsed API. You'll need to authenticate as an IAM entity with the iam:GetAccessKeyLastUsed permission in that particular account:

    For example:

    $ aws iam get-access-key-last-used --access-key-id "AKIA3B6K4VLAVGRVTXJA"
    {
        "UserName": "example-user-2023-08-26",
        "AccessKeyLastUsed": {
            "LastUsedDate": "2023-08-24T15:58:00Z",
            "ServiceName": "s3",
            "Region": "eu-west-1"
        }
    }
    

    Note that this works even if the access key has never actually been used, for example:

    $ aws iam get-access-key-last-used --access-key-id "AKIA3B6K4VLAVGRVTXJA"
    {
        "UserName": "example-user-2023-08-26",
        "AccessKeyLastUsed": {
            "ServiceName": "N/A",
            "Region": "N/A"
        }
    }
    

Upvotes: 3

Sridhar Sarnobat

Reputation: 25246

Reverse lookup in web console

It's easy to miss that you can do a reverse lookup to find the user who owns a certain key.


https://console.aws.amazon.com/iam/home?region=us-east-1#/users

Upvotes: 40

Stan

Reputation: 62

You can use the find-iam-user-by-key tool to find any user by key, even if you have multiple accounts. It also generates a cache so you don't need to wait every time you run aws iam ...

Output example:

$ ./find_user_by_key BENEEP2THOOLAI8OOKOH
./database/default:ACCESSKEYMETADATA    BENEEP2THOOLAI8OOKOH    2014-09-11T23:22:53Z    Active  john.doe

Upvotes: -3

harschware

Reputation: 13414

To answer the question posed in the title "Find the owner of an AWS Access Key", check the owner, and therefore the existence of a key with:

aws iam get-access-key-last-used --access-key-id $AWS_ACCESS_KEY_ID --query 'UserName' --output text

Note that it will return an exit code of zero if found, and non-zero if not. This was the approach suggested in a comment to the current accepted answer by @dols3m, and more details are in the docs for get-access-key-last-used.

To enumerate all keys in an account, do this:

for user in $(aws iam list-users --query 'Users[*].UserName' --output text); do
  aws iam list-access-keys --user $user --query "AccessKeyMetadata[].AccessKeyId" --output text
done

See the docs for list-users and list-access-keys for more info.

Upvotes: 11

nngeek

Reputation: 1377

If you just want to find the owner of the Access Key ID, a more straightforward trick is just to use AWS CLI with the key id and key to access a random AWS service. AWS CLI will throw an Access Denied error which has full details of the owner info of the Access Key as shown below:

$ aws iam get-user

An error occurred (AccessDenied) when calling the GetUser operation:
User: arn:aws:iam::xxxxxxx:user/xxxx is not authorized to perform:
iam:GetUser on resource: user xxxxx

From the error message, you will have the account id, the user name.

If the user has permission to access IAM, you will get the full details of the user as below:

{
    "User": {
        "Path": "/",
        "UserName": "xxx",
        "UserId": "xxx",
        "Arn": "arn:aws:iam::75xxx:user/xxx",
        "CreateDate": "2019-09-10T07:10:26+00:00",
        "PasswordLastUsed": "2020-05-26T07:51:50+00:00"
    }
}

Update

A new command provided by AWS is here:

$ aws sts get-caller-identity

{
    "UserId": "AIDASYJLxxxxx",
    "Account": "18xxxxxxxxxx",
    "Arn": "arn:aws:iam::18xxxxxxxxx:user/xxxxxxx"
}

Upvotes: 26

Pierozi

Reputation: 352

❯ aws --profile my-aws-account iam get-user
{
    "User": {
        "Path": "/",
        "UserName": "my-username",
        "UserId": "XXXXXX",
        "Arn": "arn:aws:iam::000000000000:user/my-username",
        "CreateDate": "2019-10-27T08:53:53Z"
    }
}

aws iam get-user --query 'User.Arn'

Upvotes: 0

Cau

Reputation: 1899

I like the solution of Jonathan Kamens, but the code returns a list of all keys and their owners.

I made a shell script to get the username by Access Key Id. Look:

#!/bin/bash

# exit when the command fails
set -o errexit;

# exit when try to use undeclared var
set -o nounset;

accessKeyToSearch=${1?"Usage: bash $0 AccessKeyId"}

for username in $(aws iam list-users --query 'Users[*].UserName' --output text); do
    for accessKeyId in $(aws iam list-access-keys --user-name $username --query 'AccessKeyMetadata[*].AccessKeyId' --output text); do
        if [ "$accessKeyToSearch" = "$accessKeyId" ]; then
            echo $username;
            break;
        fi;
    done;
done;

You can see also script in my GitHub Gist: https://gist.github.com/cauealvesbraz/1121c0a0375648db13b137b31ef8955d

Upvotes: 4

kenorb

Reputation: 166467

You can list all access keys by the following command:

aws iam list-access-keys

then you can grep it by the user.

To list just the keys, try (increase 100 if you have more users):

while read meta key date status user; do
  echo $key;
done < <(aws iam list-access-keys --output text --page-size 100)

Upvotes: -1

Jonathan Kamens

Reputation: 1076

If you don't have access to your account's primary access key, but you do have an access key with sufficient access to IAM, you can enumerate all the users in the account and then list the access keys for each of them. For example:

for user in $(aws iam list-users --output text | awk '{print $NF}'); do
    aws iam list-access-keys --user $user --output text
done

Upvotes: 75
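The answers above describe two routes: a direct lookup (sts get-access-key-info for the issuing account, then iam get-access-key-last-used for the user name, as in alexwlchan's answer) and a full enumeration of users and their keys (Jonathan Kamens, harschware and Cau). The following Python is an added example, not code from any of the answers or from AWS, that combines both: it checks that the key was issued by the account you are authenticated in (otherwise IAM calls cannot see it), tries the direct lookup, and falls back to enumeration when the caller lacks iam:GetAccessKeyLastUsed. It follows the IsTruncated/Marker pagination explicitly, which the CLI does automatically but boto3's plain list_users/list_access_keys calls do not. The clients are passed in as parameters; the FakeSTS/FakeIAM classes are constructed stand-ins so the logic runs offline, and the sample key, account and user name are the values shown in alexwlchan's example output. With real credentials you would pass boto3.client("sts") and boto3.client("iam").

```python
from dataclasses import dataclass
from typing import Callable, Dict, Iterator, List, Optional


@dataclass
class KeyOwner:
    access_key_id: str
    issuing_account: str          # account that created the key (sts:GetAccessKeyInfo)
    user_name: Optional[str]      # None when the owner could not be resolved
    method: str                   # how user_name was resolved


def _iter_items(call: Callable, key: str, **kwargs) -> Iterator[dict]:
    """Follow IsTruncated/Marker on an IAM list_* call. The CLI paginates for you;
    boto3's plain list_users / list_access_keys return at most one page (100 items)."""
    marker = None
    while True:
        resp = call(**kwargs) if marker is None else call(Marker=marker, **kwargs)
        yield from resp[key]
        if not resp.get("IsTruncated"):
            return
        marker = resp["Marker"]


def owner_via_last_used(iam, access_key_id: str) -> Optional[str]:
    """iam:GetAccessKeyLastUsed returns UserName even for a never-used key. A key that
    does not exist in this account yields NoSuchEntity or a reply without UserName."""
    try:
        resp = iam.get_access_key_last_used(AccessKeyId=access_key_id)
    except Exception as exc:
        if "NoSuchEntity" in str(exc):
            return None
        raise
    return resp.get("UserName")


def owner_via_enumeration(iam, access_key_id: str) -> Optional[str]:
    """Fallback needing only iam:ListUsers and iam:ListAccessKeys: walk every user."""
    for user in _iter_items(iam.list_users, "Users"):
        name = user["UserName"]
        for meta in _iter_items(iam.list_access_keys, "AccessKeyMetadata", UserName=name):
            if meta["AccessKeyId"] == access_key_id:
                return name
    return None


def find_key_owner(sts, iam, access_key_id: str) -> KeyOwner:
    issuer = sts.get_access_key_info(AccessKeyId=access_key_id)["Account"]
    if issuer != sts.get_caller_identity()["Account"]:
        # Key belongs to another account; IAM in this account cannot see it.
        return KeyOwner(access_key_id, issuer, None, "foreign-account")
    try:
        name, method = owner_via_last_used(iam, access_key_id), "get_access_key_last_used"
    except Exception as exc:
        if "AccessDenied" not in str(exc):   # boto3 ClientError text carries the code
            raise
        name, method = owner_via_enumeration(iam, access_key_id), "enumeration"
    return KeyOwner(access_key_id, issuer, name, method if name else "not-found")


# --- constructed fakes (hypothetical, not AWS code) so the logic runs offline ---
class FakeSTS:
    def __init__(self, caller_account: str, issuer_by_key: Dict[str, str]):
        self.caller_account, self.issuer_by_key = caller_account, issuer_by_key

    def get_caller_identity(self):
        return {"Account": self.caller_account}

    def get_access_key_info(self, AccessKeyId):
        return {"Account": self.issuer_by_key[AccessKeyId]}


class FakeIAM:
    def __init__(self, keys_by_user: Dict[str, List[str]], deny_last_used: bool = False):
        self.keys_by_user, self.deny_last_used = keys_by_user, deny_last_used

    def get_access_key_last_used(self, AccessKeyId):
        if self.deny_last_used:
            raise PermissionError("AccessDenied: not authorized to perform iam:GetAccessKeyLastUsed")
        for user, keys in self.keys_by_user.items():
            if AccessKeyId in keys:
                return {"UserName": user, "AccessKeyLastUsed": {"ServiceName": "N/A", "Region": "N/A"}}
        raise LookupError("NoSuchEntity: access key not found")

    def list_users(self, Marker=None):            # one user per page to exercise paging
        names, i = sorted(self.keys_by_user), int(Marker or 0)
        page = {"Users": [{"UserName": names[i]}], "IsTruncated": i + 1 < len(names)}
        if page["IsTruncated"]:
            page["Marker"] = str(i + 1)
        return page

    def list_access_keys(self, UserName, Marker=None):
        return {"AccessKeyMetadata": [{"AccessKeyId": k, "UserName": UserName, "Status": "Active"}
                                      for k in self.keys_by_user[UserName]], "IsTruncated": False}


# sample values are the ones printed in alexwlchan's answer; the second key is constructed
SAMPLE_KEY, SAMPLE_ACCOUNT = "AKIA3B6K4VLAVGRVTXJA", "760097843905"
SAMPLE_USERS = {"example-user-2023-08-26": [SAMPLE_KEY], "other-user": ["AKIAEXAMPLE0000000000"]}

if __name__ == "__main__":
    sts = FakeSTS(SAMPLE_ACCOUNT, {SAMPLE_KEY: SAMPLE_ACCOUNT})
    print(find_key_owner(sts, FakeIAM(SAMPLE_USERS), SAMPLE_KEY))
    print(find_key_owner(sts, FakeIAM(SAMPLE_USERS, deny_last_used=True), SAMPLE_KEY))
    # real use: import boto3; find_key_owner(boto3.client("sts"), boto3.client("iam"), key_id)
```

The account comparison up front is what the comments about "a different account" in the answers above boil down to: GetAccessKeyInfo answers from any account, but GetAccessKeyLastUsed, ListUsers and ListAccessKeys only see keys issued by the account you are calling from, so a mismatch tells you which account's credentials you need before any enumeration is worth running.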

Nikhil

Reputation: 3152

You can use the AWS command line interface to enumerate all access keys for a particular account.

The steps are shown here with a few examples.

If you don't specify an IAM user-name and are using your account's primary access key to trigger the request, it should list all those associated with your AWS account.

Upvotes: 0
