> For the complete documentation index, see [llms.txt](https://docs.forestall.io/fsprotect/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.forestall.io/fsprotect/edges/aws/aws_has_access_key.md). # AWS\_HAS\_ACCESS\_KEY ## Summary | | | | ------------------------------ | -------------------------------------------------------------------------------------------------- | | **FSProtect ACL Alias** | AWS\_HAS\_ACCESS\_KEY | | **Edge Type** | Relationship | | **Affected Object Types** | IAM Users, Access Keys | | **Exploitation Certainty** | Unlikely | | **AWS IAM Action / Condition** | Relationship visibility via `iam:ListAccessKeys`; key usage context via `iam:GetAccessKeyLastUsed` | ## Description `AWS_HAS_ACCESS_KEY` represents that an IAM user has one or more API access keys. This edge is a credential-surface relationship, not a direct exploit primitive. Its security relevance is high for exposure and persistence analysis because long-term access keys can be abused if: * The key is leaked. * The key remains active for too long. * Monitoring and rotation controls are weak. This edge often supports risk analysis together with [`AWS_CAN_CREATE_ACCESS_KEY`](https://docs.forestall.io/fsprotect/edges/aws/aws_can_create_access_key) and [`AWS_CAN_DELETE_ACCESS_KEY`](https://docs.forestall.io/fsprotect/edges/aws/aws_can_delete_access_key). ## Identification ### AWS CLI List keys for one user: ```bash aws iam list-access-keys --user-name TargetUser ``` Get last-used context for a key: ```bash aws iam get-access-key-last-used --access-key-id AKIAEXAMPLEKEYID ``` Enumerate all users with keys: ```bash for u in $(aws iam list-users --query 'Users[].UserName' --output text); do aws iam list-access-keys --user-name "$u" \ --query "AccessKeyMetadata[].{User:'$u',AccessKeyId:AccessKeyId,Status:Status,CreateDate:CreateDate}" \ --output table done ``` ### AWS Console * Open **IAM** -> **Users** -> select user. * Open **Security credentials**. * Review access key IDs, status, and age. ## Exploitation There is no direct exploit path for this edge by itself. `AWS_HAS_ACCESS_KEY` indicates a credential exists; exploitability depends on whether the credential is compromised or can be replaced/managed by an attacker. ## Mitigation * Remove unused access keys and disable inactive keys quickly. * Enforce rotation and key age thresholds. * Prefer temporary credentials from roles instead of long-term user keys. * Alert on old active keys and high-risk usage locations. ## Detection Monitor CloudTrail for lifecycle events: * `CreateAccessKey` * `UpdateAccessKey` * `DeleteAccessKey` Track anomalous API usage by key ID and compare with known baseline behavior. ## References * * * --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter: ``` GET https://docs.forestall.io/fsprotect/edges/aws/aws_has_access_key.md?ask=&goal= ``` `ask` is the immediate question: it should be specific, self-contained, and written in natural language. `goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.