Find the owner of an AWS Access Key

I have a service which uses an AWS Access Key to push stuff to S3. I am going to sunset the service and I have the AWS Access Key and Secret. However, I can't find this key in the IAM or security credentials for the account.

Is there a way to enumerate all the access keys for an entire AWS account?



Solution 1:[1]

If you don't have access to your account's primary access key, but you do have an access key with sufficient access to IAM, you can enumerate all the users in the account and then list the access keys for each of them. For example:

for user in $(aws iam list-users --output text | awk '{print $NF}'); do
    aws iam list-access-keys --user-name "$user" --output text
done

Solution 2:[2]

If you just want to find the owner of the Access Key ID, a more straightforward trick is just to use AWS CLI with the key id and key to access a random AWS service. AWS CLI will throw an Access Denied error which has full details of the owner info of the Access Key as shown below:

$ aws iam get-user


An error occurred (AccessDenied) when calling the GetUser operation: 
User: arn:aws:iam::xxxxxxx:user/xxxx is not authorized to perform: 
iam:GetUser on resource: user xxxxx

From the error message, you will have the account id and the user name.

If the user has permission to access IAM, you will get the full details of the user as below:

{
    "User": {
        "Path": "/",
        "UserName": "xxx",
        "UserId": "xxx",
        "Arn": "arn:aws:iam::75xxx:user/xxx",
        "CreateDate": "2019-09-10T07:10:26+00:00",
        "PasswordLastUsed": "2020-05-26T07:51:50+00:00"
    }
}

Update

A new command provided by AWS is here:

$ aws sts get-caller-identity


{
    "UserId": "AIDASYJLxxxxx",
    "Account": "18xxxxxxxxxx",
    "Arn": "arn:aws:iam::18xxxxxxxxx:user/xxxxxxx"
}
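
Added example (not part of any answer here and not from the original page): shell functions that pull the account ID, principal type and name out of the AccessDenied message or the `aws sts get-caller-identity` JSON shown in Solution 2. It goes beyond the user-only case in that answer by also handling IAM paths, assumed roles and root; the function names and the CLI profile argument are assumptions, and `123456789012` in the comments is a placeholder account ID.

```shell
#!/bin/sh
# Added example: identify the principal behind an access key from AWS CLI output.

# extract_arn: print the first IAM/STS principal ARN found on stdin.
# In an AccessDenied message the caller's ARN comes first, so a later
# resource ARN in the same message is ignored.
extract_arn() {
    grep -Eo 'arn:aws[a-z-]*:(iam|sts)::[0-9]{12}:[A-Za-z0-9+=,.@_/-]+' | head -n 1
}

# describe_principal: turn an ARN into "account kind name".
# user/ops/ci-bot             -> user ci-bot (IAM paths: name is the last segment)
# assumed-role/<role>/<sess>  -> assumed-role <role> (the session name is dropped)
describe_principal() {
    arn=$1
    account=$(printf '%s\n' "$arn" | cut -d: -f5)
    resource=$(printf '%s\n' "$arn" | cut -d: -f6-)
    case $resource in
        root)           kind=root; name=root ;;
        assumed-role/*) kind=assumed-role
                        name=$(printf '%s\n' "$resource" | cut -d/ -f2) ;;
        */*)            kind=${resource%%/*}; name=${resource##*/} ;;
        *)              return 1 ;;
    esac
    printf '%s %s %s\n' "$account" "$kind" "$name"
}

# owner_from_output: read CLI output or an error message on stdin.
# Returns non-zero when no principal ARN is present, for example an
# InvalidClientTokenId error, so callers can tell "no owner found" apart.
owner_from_output() {
    arn=$(extract_arn)
    [ -n "$arn" ] || return 1
    describe_principal "$arn"
}

# whose_key: run the lookup for the key stored in a named CLI profile
# (the profile name is supplied by the caller; hypothetical helper).
# stderr is merged so an AccessDenied message is parsed as well.
whose_key() {
    aws --profile "$1" sts get-caller-identity --output json 2>&1 | owner_from_output
}
```

Running `whose_key <profile>` prints one line such as `123456789012 user ci-bot`, which can then be matched against the user list in the IAM console.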

Solution 3:[3]

Reverse lookup in web console

In case you don't have the patience or confidence to create a script, it's easy to miss that you can do a reverse lookup to find the user who owns a certain key.


https://console.aws.amazon.com/iam/home?region=us-east-1#/users

Solution 4:[4]

I like the solution of Jonathan Kamens but the code returns a list of all keys and their owners.

I made a shell script to get the username by Access Key Id. Look:

#!/bin/bash

# exit when a command fails
set -o errexit;

# exit when trying to use an undeclared variable
set -o nounset;

accessKeyToSearch=${1?"Usage: bash $0 AccessKeyId"}

for username in $(aws iam list-users --query 'Users[*].UserName' --output text); do
    for accessKeyId in $(aws iam list-access-keys --user-name "$username" --query 'AccessKeyMetadata[*].AccessKeyId' --output text); do
        if [ "$accessKeyToSearch" = "$accessKeyId" ]; then
            echo "$username";
            break;
        fi;
    done;
done;

You can also see the script in my GitHub Gist: https://gist.github.com/cauealvesbraz/1121c0a0375648db13b137b31ef8955d

Solution 5:[5]

To answer the question posed in the title "Find the owner of an AWS Access Key", check the owner, and therefore the existence of a key with:

aws iam get-access-key-last-used --access-key-id $AWS_ACCESS_KEY_ID --query 'UserName' --output text

Note that it will return an exit code of zero if found, and non-zero if not. This was the approach suggested in a comment to the current accepted answer by @dols3m, and more details are in the docs for get-access-key-last-used.

To enumerate all keys in an account, do this:

for user in $(aws iam list-users --query 'Users[*].UserName' --output text); do
  aws iam list-access-keys --user-name "$user" --query "AccessKeyMetadata[].AccessKeyId" --output text
done

See the docs for list-users and list-access-keys for more info.

Solution 6:[6]

You can use the AWS command line interface to enumerate all access keys for a particular account.

The steps are shown here with a few examples.

If you don't specify an IAM user-name and are using your account's primary access key to trigger the request, it should list all those associated with your AWS account.

Solution 7:[7]

$ aws --profile my-aws-account iam get-user
{
    "User": {
        "Path": "/",
        "UserName": "my-username",
        "UserId": "XXXXXX",
        "Arn": "arn:aws:iam::000000000000:user/my-username",
        "CreateDate": "2019-10-27T08:53:53Z"
    }
}

aws iam get-user --query 'User.Arn'

Solution 8:[8]

You can list all access keys by the following command:

aws iam list-access-keys

then you can grep it by the user.

To list just the keys, try (increase 100 if you have more users):

while read meta key date status user; do
  echo $key;
done < <(aws iam list-access-keys --output text --page-size 100)

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Jonathan Kamens
Solution 2
Solution 3
Solution 4 Cau
Solution 5 harschware
Solution 6 Nikhil
Solution 7 Pierozi
Solution 8 kenorb