Tracking IAM Access Key Usage Beyond "Last Used"

Question

Is there a way to get a deeper history of when an access key was used, and for what service it was used?

If a key was used in multiple places, I can't be sure deactivating it is safe just because I know the last place it was used.

Answer 1

Yes pretty much possible with AWS CloudTrail.
Have a look at below link

Logging IAM Events with AWS CloudTrail

Example CloudTrail event

{
  "eventVersion": "1.05",
  "userIdentity": {
    "type": "IAMUser",
    "principalId": "AIDACKCEVSQ6C2EXAMPLE",
    "arn": "arn:aws:iam::444455556666:user/Alice",
    "accountId": "444455556666",
    "accessKeyId": "AKIAI44QH8DHBEXAMPLE",
    "userName": "Alice",
    "sessionContext": {
      "attributes": {
        "mfaAuthenticated": "false",
        "creationDate": "2014-07-15T21:39:40Z"
      }
    },
    "invokedBy": "signin.amazonaws.com"
  },
  "eventTime": "2014-07-15T21:40:14Z",
  "eventSource": "iam.amazonaws.com",
  "eventName": "GetUserPolicy",
  "awsRegion": "us-east-2",
  "sourceIPAddress": "signin.amazonaws.com",
  "userAgent": "signin.amazonaws.com",
  "requestParameters": {
    "userName": "Alice",
    "policyName": "ReadOnlyAccess-Alice-201407151307"
  },
  "responseElements": null,
  "requestID": "9EXAMPLE-0c68-11e4-a24e-d5e16EXAMPLE",
  "eventID": "cEXAMPLE-127e-4632-980d-505a4EXAMPLE"
} 

From above event information, you can determine that the request was made to get a user policy named ReadOnlyAccess-Alice-201407151307 for user Alice, as specified in the requestParameters element. You can also see that the request was made by an IAM user named Alice on July 15, 2014 at 9:40 PM (UTC). In this case, the request originated in the AWS Management Console, as you can tell from the userAgent element.