AnandSundar/AWS-Inactive-Key-Rotation-Audit

πŸ” AWS Inactive Key Rotation Check


╔══════════════════════════════════════════════════════════════════════════════╗
║                                                                              ║
║        I N A C T I V E   K E Y   R O T A T I O N   A U D I T   T O O L       ║
║                                                                              ║
╚══════════════════════════════════════════════════════════════════════════════╝

📺 Demo

Run the tool in mock mode to see it in action; no AWS credentials required:

python audit_keys.py --mock

CLI Output (Mock Mode)

┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃                        AWS IAM Access Key Audit Results                        ┃
┣━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━┳━━━━━━━━━━━━┳━━━━━━━━━━━┫
┃ Username          ┃ Key ID              ┃ Age (Days) ┃ Last Used  ┃ Risk      ┃
┣━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━╋━━━━━━━━━━━━╋━━━━━━━━━━━┫
┃ svc-legacy-app    ┃ AKIA1111111111111111┃ 120        ┃ Never      ┃ CRITICAL  ┃
┃ dev-john-doe      ┃ AKIA2222222222222222┃ 200        ┃ 95         ┃ HIGH      ┃
┃ dev-jane-smith    ┃ AKIA3333333333333333┃ 150        ┃ 110        ┃ HIGH      ┃
┃ svc-backup-job    ┃ AKIA4444444444444444┃ 80         ┃ 60         ┃ MEDIUM    ┃
┃ dev-alice-wang    ┃ AKIA5555555555555555┃ 90         ┃ 50         ┃ MEDIUM    ┃
┃ dev-bob-jones     ┃ AKIA6666666666666666┃ 40         ┃ 35         ┃ LOW       ┃
┃ svc-deploy-prod   ┃ AKIA7777777777777777┃ 20         ┃ 5          ┃ COMPLIANT ┃
┃ dev-charlie-brown ┃ AKIA8888888888888888┃ 10         ┃ 2          ┃ COMPLIANT ┃
┃ admin-root        ┃ AKIA9999999999999999┃ 5          ┃ 1          ┃ COMPLIANT ┃
┗━━━━━━━━━━━━━━━━━━━┻━━━━━━━━━━━━━━━━━━━━━┻━━━━━━━━━━━━┻━━━━━━━━━━━━┻━━━━━━━━━━━┛

Summary:
✅ COMPLIANT: 3 | ⚠️ LOW: 1 | 🟡 MEDIUM: 2 | 🔴 HIGH: 2 | 💀 CRITICAL: 1

✔ Reports successfully generated in the '/reports' directory.


JSON Report Sample

{
    "generated_at": "2026-03-19T13:25:56.862000+00:00",
    "total_keys_audited": 9,
    "keys": [
        {
            "username": "svc-legacy-app",
            "key_id": "AKIA1111111111111111",
            "status": "Active",
            "key_age_days": 120,
            "last_used_days_ago": null,
            "risk_level": "CRITICAL",
            "compliant": false,
            "remediation": "Deactivate key immediately. Delete after 7 days.",
            "compliance_controls": ["SOC2-CC6.1", "NIST-IA-4"]
        }
    ]
}

CSV Evidence Sample

username,key_id,status,key_age_days,last_used_days_ago,risk_level,compliant,controls,remediation
svc-legacy-app,AKIA1111111111111111,Active,120,Never,CRITICAL,False,"SOC2-CC6.1, NIST-IA-4",Deactivate key immediately. Delete after 7 days.
dev-john-doe,AKIA2222222222222222,Active,200,95,HIGH,False,"SOC2-CC6.1, NIST-IA-4",Deactivate key immediately. Rotate and notify key owner.
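The two evidence formats above differ in one detail that matters to whoever consumes them: the JSON keeps a never-used key as `null`, while the CSV spells it out as `Never` and folds the control list into a single quoted cell. The following is an added example of a writer that produces both files in exactly those shapes; it is not the project's own `report_generator.py`. The field names, remediation strings and control tags are taken from the samples in this README, while the function names, the output-directory handling and the sample findings are assumptions made for the example.

```python
"""Added example, not the project's report_generator.py: write the JSON and CSV
evidence files in the shapes shown above. Field names, remediation text and the
control tags come from this README's samples; the function names, the output
directory handling and the sample findings are assumed."""
import csv
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Optional

# Remediation per tier, from the README's risk table and JSON sample.
REMEDIATION = {
    "CRITICAL": "Deactivate key immediately. Delete after 7 days.",
    "HIGH": "Deactivate key immediately. Rotate and notify key owner.",
    "MEDIUM": "Schedule rotation. Warn key owner.",
    "LOW": "Monitor usage. Recommend upcoming rotation.",
    "COMPLIANT": "No action required.",
}
CONTROLS = ["SOC2-CC6.1", "NIST-IA-4"]
CSV_FIELDS = ["username", "key_id", "status", "key_age_days", "last_used_days_ago",
              "risk_level", "compliant", "controls", "remediation"]


def enrich(finding: dict) -> dict:
    """Return a copy of a finding with remediation text and control tags attached."""
    out = dict(finding)
    out["remediation"] = REMEDIATION[out["risk_level"]]
    out["compliance_controls"] = list(CONTROLS)
    return out


def write_reports(findings: list, out_dir, now: Optional[datetime] = None) -> tuple:
    """Write key_audit_report.json and key_audit_report.csv into out_dir.

    JSON keeps a never-used key as null (machine-readable); the CSV renders it
    as "Never" and joins the control list into one quoted cell, as in the README.
    The files name IAM users and key IDs, so they are left owner-read/write only.
    """
    now = now or datetime.now(timezone.utc)      # tz-aware, so isoformat ends in +00:00
    out_dir = Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    rows = [enrich(f) for f in findings]

    json_path = out_dir / "key_audit_report.json"
    json_path.write_text(json.dumps({
        "generated_at": now.isoformat(),
        "total_keys_audited": len(rows),
        "keys": rows,
    }, indent=4))

    csv_path = out_dir / "key_audit_report.csv"
    with csv_path.open("w", newline="") as fh:
        writer = csv.DictWriter(fh, fieldnames=CSV_FIELDS)
        writer.writeheader()
        for r in rows:
            idle = r["last_used_days_ago"]
            writer.writerow({
                "username": r["username"], "key_id": r["key_id"], "status": r["status"],
                "key_age_days": r["key_age_days"],
                "last_used_days_ago": "Never" if idle is None else idle,
                "risk_level": r["risk_level"], "compliant": r["compliant"],
                "controls": ", ".join(r["compliance_controls"]),   # csv quotes the comma
                "remediation": r["remediation"],
            })
    for p in (json_path, csv_path):
        p.chmod(0o600)
    return json_path, csv_path


def roundtrip(findings: list, out_dir=None) -> tuple:
    """Write both files, then parse them back so the two can be checked against
    each other. Uses a fresh temporary directory when out_dir is not given."""
    out_dir = Path(out_dir) if out_dir else Path(tempfile.mkdtemp())
    json_path, csv_path = write_reports(findings, out_dir)
    data = json.loads(json_path.read_text())
    with csv_path.open(newline="") as fh:
        rows = list(csv.DictReader(fh))
    return data, rows


SAMPLE_FINDINGS = [  # constructed; mirrors two rows of the README's mock output
    {"username": "svc-legacy-app", "key_id": "AKIA1111111111111111", "status": "Active",
     "key_age_days": 120, "last_used_days_ago": None, "risk_level": "CRITICAL", "compliant": False},
    {"username": "dev-john-doe", "key_id": "AKIA2222222222222222", "status": "Active",
     "key_age_days": 200, "last_used_days_ago": 95, "risk_level": "HIGH", "compliant": False},
]

if __name__ == "__main__":
    j, c = write_reports(SAMPLE_FINDINGS, "reports")
    print(f"wrote {j} and {c}")
```

Parsing the files back (`roundtrip`) is the check an auditor will effectively perform: the CSV row and the JSON entry for the same key must agree, and the only deliberate differences are the `null`/`Never` rendering and the joined control list.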

🚀 Why I Built This

I built this tool because I witnessed a real-world security gap that most organizations overlook: unused AWS access keys. During a recent cloud security assessment for a mid-sized company, I discovered that over 40% of their IAM access keys had never been used, or hadn't been used in months. Some dated back to former employees who had left the company years ago. These dormant keys represented a significant attack surface, yet there was no easy way to identify them at scale.

The trigger came when I tried to explain the findings to the client. I was manually pulling IAM user lists, checking each key's last-used date in the console, and trying to explain why a key that was "created but never used" was actually more dangerous than one that was used 6 months ago. The manual process was error-prone, time-consuming, and impossible to repeat for ongoing monitoring. The client needed something they could run weekly, produce audit-ready evidence for their SOC 2 audits, and integrate into their compliance workflow.

I designed this tool to solve that exact problem. It automates the entire IAM access key audit process, classifies risk based on industry-standard thresholds, maps findings directly to SOC 2 and NIST controls, and outputs evidence files that auditors love. I also added a mock mode so you can demonstrate the tool's capabilities without needing AWS credentials, which is perfect for portfolio presentations and technical interviews.


🎯 The Problem It Solves

| Before (Manual Process) | After (This Tool) |
|---|---|
| Manually navigate AWS Console for each IAM user | One command scans all IAM users and keys |
| No standardized risk classification | 5-tier risk classification (CRITICAL → COMPLIANT) |
| No compliance mapping | Auto-maps to SOC 2 CC6.1 and NIST IA-4 |
| No audit evidence | Generates JSON + CSV reports instantly |
| Time-consuming (hours) | Fast execution (seconds) |
| Error-prone manual tracking | Consistent, repeatable results |
| No visual summary | Rich CLI table with color-coded risk levels |

"The biggest security risk in cloud environments isn't sophisticated hackers; it's forgotten credentials. This tool makes forgotten credentials visible, actionable, and auditable."


🔧 How It Works

The tool follows a straightforward architecture: it connects to AWS IAM using boto3 (or uses mock data for testing), retrieves all IAM users and their access keys, calculates how long each key has been inactive, classifies the risk level based on predefined thresholds, maps findings to compliance controls, and outputs structured reports.

Two caveats apply when reading a live report. First, ListUsers enumerates IAM users only, so access keys on the account root never appear; check those separately with iam:GetAccountSummary (the AccountAccessKeysPresent counter) or the IAM credential report. Second, IAM only began recording last-used dates on 22 April 2015; a key whose last use predates that comes back with no date and is therefore scored as "never used".

```mermaid
flowchart TD
    A[Start] --> B{Mock Mode?}
    B -->|Yes| C[Load Mock Data]
    B -->|No| D[Connect to AWS IAM via boto3]
    C --> E[List All IAM Users]
    D --> E
    E --> F[For Each User: List Access Keys]
    F --> G[Get Last Used Date per Key]
    G --> H[Calculate Inactivity Days]
    H --> I{Classify Risk Level}
    I -->|Never Used + >90 days| J[CRITICAL]
    I -->|>90 days inactive| K[HIGH]
    I -->|45-90 days| L[MEDIUM]
    I -->|30-45 days| M[LOW]
    I -->|<30 days| N[COMPLIANT]
    J --> O[Generate Rich CLI Table]
    K --> O
    L --> O
    M --> O
    N --> O
    O --> P[Output JSON Report]
    O --> Q[Output CSV Report]
    P --> R[End]
    Q --> R

    style J fill:#ff0000,color:#fff
    style K fill:#ff6600,color:#fff
    style L fill:#ffcc00,color:#000
    style M fill:#ffff00,color:#000
    style N fill:#00ff00,color:#000
```

In plain English: The script asks AWS "Hey, give me all your IAM users and their access keys." For each key, it asks "When was this key last used?" It then compares that date to today to see how many days of inactivity have passed. Based on how many days have passed, it assigns a risk level: more inactive time means higher risk. Finally, it prints a color-coded table on your screen and saves two files: one for auditors (JSON) and one for spreadsheets (CSV).


🛡️ Risk Classification Engine

This tool uses a five-tier risk classification system based on inactivity. The 45-day and 90-day cut-offs line up with the CIS AWS Foundations Benchmark checks for credentials unused for 45 days or more and for access keys not rotated within 90 days. Each level corresponds to an inactivity window and includes a recommended remediation action.

| Risk Level | Inactivity Threshold | Remediation Action |
|---|---|---|
| CRITICAL | Key was NEVER used AND is older than 90 days | Deactivate immediately. Delete after 7 days. |
| HIGH | Last used more than 90 days ago | Deactivate immediately. Rotate and notify owner. |
| MEDIUM | Last used 45–90 days ago | Schedule rotation. Warn key owner. |
| LOW | Last used 30–45 days ago | Monitor usage. Recommend upcoming rotation. |
| COMPLIANT | Used within the last 30 days | No action required. |

Two things the table does not settle on its own. A never-used key younger than 90 days matches no row, so decide how your deployment should score it. And the tiers measure inactivity, not key age: a key that is 400 days old but was used yesterday is COMPLIANT here even though it breaks a 90-day rotation policy, so read the key_age_days column alongside the tier (or run the CIS rotation check) when rotation rather than dormancy is the question.

```mermaid
pie title Risk Distribution (Example Audit)
    "COMPLIANT" : 33
    "LOW" : 11
    "MEDIUM" : 22
    "HIGH" : 22
    "CRITICAL" : 11
```
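The audit loop from "How It Works" and the tier thresholds from the table above, as one added example that is not the project's own code. The three boto3 calls inside `collect_live` are real (`get_paginator("list_users")`, `get_paginator("list_access_keys")`, `get_access_key_last_used`); the function names, the record shape, the constructed sample data and the scoring of the two cases the README leaves undefined (a never-used key younger than 90 days, and the boundary days 45 and 30) are assumptions made for the example and are marked as such in the comments. The sample includes a 400-day-old key used yesterday to show that the tiers score inactivity, not age.

```python
"""Added example, not the project's own code: the audit loop and the five-tier
classification this README describes, written so the classification runs offline.

Real boto3 calls (only inside collect_live): iam.get_paginator("list_users"),
iam.get_paginator("list_access_keys"), iam.get_access_key_last_used().
Everything else (function names, the record dict shape, the sample data, and the
handling of cases the README's table leaves undefined) is assumed.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone
from typing import Iterable, Optional


def classify(key_age_days: int, last_used_days_ago: Optional[int]) -> str:
    """README thresholds: CRITICAL = never used and older than 90 days;
    HIGH = last used more than 90 days ago; MEDIUM = 45-90; LOW = 30-45;
    COMPLIANT = used within the last 30 days.
    Assumptions: a never-used key younger than 90 days is scored on its age
    (it has been idle since creation); day 45 is MEDIUM and day 30 is LOW."""
    if last_used_days_ago is None:
        if key_age_days > 90:
            return "CRITICAL"
        idle = key_age_days            # assumption: idle since creation
    else:
        idle = last_used_days_ago
    if idle > 90:
        return "HIGH"
    if idle >= 45:
        return "MEDIUM"
    if idle >= 30:
        return "LOW"
    return "COMPLIANT"


def days_since(then: Optional[datetime], now: datetime) -> Optional[int]:
    """Whole days from `then` to `now`; None when IAM reported no date (never used)."""
    return None if then is None else (now - then).days


def audit(records: Iterable[dict], now: datetime) -> list:
    """Score raw key records (shape: see collect_live / sample_records)."""
    findings = []
    for r in records:
        age = days_since(r["create_date"], now)
        idle = days_since(r.get("last_used"), now)
        risk = classify(age, idle)
        findings.append({
            "username": r["username"], "key_id": r["key_id"], "status": r["status"],
            "key_age_days": age, "last_used_days_ago": idle,
            "risk_level": risk, "compliant": risk == "COMPLIANT",
        })
    return findings


def summarize(findings: list) -> dict:
    """Counts per tier: the numbers behind the README's Summary line."""
    return dict(Counter(f["risk_level"] for f in findings))


def collect_live(iam) -> list:
    """Live collector. `iam` is a boto3 IAM client (boto3.client("iam")), passed in
    so this file imports without boto3. Both list calls are paginated: a bare
    list_users() returns at most 100 users per call and would silently truncate
    a larger account. Dates from boto3 are timezone-aware UTC, so pass
    datetime.now(timezone.utc) to audit(), never a naive datetime.now()."""
    records = []
    for page in iam.get_paginator("list_users").paginate():
        for user in page["Users"]:
            name = user["UserName"]
            for kpage in iam.get_paginator("list_access_keys").paginate(UserName=name):
                for meta in kpage["AccessKeyMetadata"]:
                    last = iam.get_access_key_last_used(AccessKeyId=meta["AccessKeyId"])
                    records.append({
                        "username": name,
                        "key_id": meta["AccessKeyId"],
                        "status": meta["Status"],          # "Active" or "Inactive"
                        "create_date": meta["CreateDate"],
                        # LastUsedDate is absent when the key has never been used
                        "last_used": last["AccessKeyLastUsed"].get("LastUsedDate"),
                    })
    return records


NOW = datetime(2026, 3, 19, tzinfo=timezone.utc)   # constructed reference date


def sample_records() -> list:
    """Constructed input mirroring rows of the README's mock table plus two edge cases."""
    def rec(user, key_id, age, idle, status="Active"):
        return {"username": user, "key_id": key_id, "status": status,
                "create_date": NOW - timedelta(days=age),
                "last_used": None if idle is None else NOW - timedelta(days=idle)}
    return [
        rec("svc-legacy-app",  "AKIA1111111111111111", 120, None),  # never used, old -> CRITICAL
        rec("dev-john-doe",    "AKIA2222222222222222", 200, 95),    # -> HIGH
        rec("svc-backup-job",  "AKIA4444444444444444", 80, 60),     # -> MEDIUM
        rec("dev-bob-jones",   "AKIA6666666666666666", 40, 35),     # -> LOW
        rec("svc-deploy-prod", "AKIA7777777777777777", 20, 5),      # -> COMPLIANT
        rec("new-hire",        "AKIA0000000000000001", 3, None),    # never used, 3 days old -> COMPLIANT (assumed)
        rec("dev-jane-smith",  "AKIA3333333333333334", 400, 1),     # 400 days old, used yesterday -> COMPLIANT:
    ]                                                               # inactivity, not key age, sets the tier


if __name__ == "__main__":
    results = audit(sample_records(), NOW)
    for f in results:
        idle = "Never" if f["last_used_days_ago"] is None else str(f["last_used_days_ago"])
        print(f'{f["username"]:<16} {f["key_id"]}  age={f["key_age_days"]:<4} idle={idle:<5} {f["risk_level"]}')
    print(summarize(results))
```

To run it against an account, build the client yourself and hand it over: `audit(collect_live(boto3.client("iam")), datetime.now(timezone.utc))`. The client is injected rather than created inside the module so the classifier can be unit-tested, and so a stubbed client can stand in for IAM in CI, which is what the README's mock mode is for.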

🔒 Security First

I built this tool with security at the forefront. Here are the key security considerations:

Read-Only IAM Policy (Recommended)

For production use, grant the identity that runs the audit only these three read permissions:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:ListUsers",
                "iam:ListAccessKeys",
                "iam:GetAccessKeyLastUsed"
            ],
            "Resource": "*"
        }
    ]
}
```

This policy only allows listing users, listing access keys, and checking last-used dates; it grants no write or delete permissions. "Resource": "*" is required because iam:ListUsers is not resource-scoped. Attach the policy to a role where possible (see below) rather than minting a new long-lived key for the auditor.

Mock Mode for Safe Testing

The --mock flag lets you test the entire workflow without any AWS credentials. This is perfect for:

  • Portfolio demonstrations
  • Technical interviews
  • CI/CD pipeline testing
  • Learning the tool's behavior

No Secrets Stored

The tool never stores AWS secrets. It uses boto3's default credential chain (environment variables, the shared config/credentials files, or an IAM role). Prefer the role path where you can: running the audit under an EC2 instance profile, a Lambda execution role, a CI job that assumes a role via OIDC, or an IAM Identity Center session means no long-lived access key exists for the auditor at all, which is the point of the tool. If a static key is unavoidable, attach only the read-only policy above and hold that key to the same rotation thresholds the report enforces.

Report Sensitivity

Generated reports contain:

  • IAM usernames
  • Access key IDs (the samples in this README show them in full)
  • Risk classifications
  • Remediation recommendations

A key ID is not a secret by itself, but combined with the usernames and risk tiers the report is a ready-made target list, so treat it as confidential. Keep the reports directory out of version control:

reports/

A blanket `*.json` / `*.csv` pattern would also hide legitimate files in the repository (package manifests, test fixtures), so ignoring the `reports/` directory is the safer choice.

📋 Compliance Mapping

This tool maps security findings directly to two major compliance frameworks: SOC 2 and NIST SP 800-53.

What Are These Frameworks?

SOC 2 (Service Organization Control 2): An AICPA attestation standard for service organizations that store, process, or transmit customer data. Controls are assessed against the Trust Services Criteria, of which there are five categories: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Security (the "Common Criteria", CC-series) is always in scope; the other four are included as the organization chooses. Auditors check that you have controls in place and, for a Type II report, that they operated over the review period.

NIST SP 800-53: A publication by the National Institute of Standards and Technology that provides a catalog of security and privacy controls for federal information systems. Many private organizations adopt these controls as industry best practices. IA-4 is "Identifier Management": it covers how identifiers (user names and the key IDs attached to them) are issued, tracked, and disabled after a defined period of inactivity. The secret half of an access key is an authenticator, which SP 800-53 covers under IA-5 (Authenticator Management), including lifetime and refresh requirements.

Control Mapping Table

| Finding | SOC 2 Control | NIST Control | Description |
|---|---|---|---|
| Unused Access Keys | CC6.1 | IA-4 | CC6.1 requires logical access controls over protected information assets. IA-4 requires managed identifiers, including disabling an identifier after a defined period of inactivity. |
| Inactive Keys | CC6.2 | AC-2 | CC6.2 requires that system credentials be removed when access is no longer authorized. AC-2 (Account Management) requires disabling inactive accounts and removing access that is no longer needed. |
| Key Rotation | CC6.1 | IA-4 | The tool tags rotation findings with CC6.1 and IA-4. Note that credential lifetime and refresh requirements sit in IA-5 (Authenticator Management) in SP 800-53, so also map there if your control set distinguishes identifiers from authenticators. |

💻 Tech Stack & Specs

| Component | Technology | Purpose |
|---|---|---|
| Language | Python 3.10+ | Core scripting |
| AWS SDK | boto3 | AWS IAM API integration |
| CLI UI | rich | Color-coded table output |
| Data Format | JSON | Structured audit reports |
| Evidence Format | CSV | Spreadsheet-compatible evidence |

Project File Tree

aws-key-rotation-lab/
├── audit_keys.py          # Main entry point
├── mock_data.py           # Mock IAM data for testing
├── risk_classifier.py     # Risk classification logic
├── report_generator.py    # JSON + CSV report generation
├── requirements.txt       # Python dependencies
└── README.md              # This file

reports/                   # Generated output (not in git)
β”œβ”€β”€ key_audit_report.json
└── key_audit_report.csv

⚡ Quick Start

Step 1: Clone the Repository

git clone https://github.com/AnandSundar/AWS-Inactive-Key-Rotation-Audit.git
cd AWS-Inactive-Key-Rotation-Audit

Step 2: Create a Virtual Environment

python -m venv venv
source venv/bin/activate  # On Windows: venv\Scripts\activate

Step 3: Install Dependencies

pip install -r requirements.txt

Step 4: (Optional) Configure AWS Credentials

For live AWS scanning the tool reads boto3's default credential chain, so any of the usual sources work. Prefer a short-lived session over a static key: an IAM role on the host that runs the audit, or an IAM Identity Center login (`aws sso login`), so that the auditor itself does not add another long-lived key to the account. If you must use a static key, export it for the current shell only:

export AWS_ACCESS_KEY_ID="AKIA..."
export AWS_SECRET_ACCESS_KEY="..."
export AWS_DEFAULT_REGION="us-east-1"

Or store a named profile with the AWS CLI (aws configure) and select it with AWS_PROFILE.

Step 5: Run the Tool

Mock Mode (No AWS required):

python audit_keys.py --mock

Live Mode (Requires AWS credentials):

python audit_keys.py

Step 6: Review Reports

cat reports/key_audit_report.json
cat reports/key_audit_report.csv

🗺️ Roadmap

| Status | Feature | Description |
|---|---|---|
| ✅ Complete | Basic Key Audit | Scan all IAM users and their access keys |
| ✅ Complete | Risk Classification | 5-tier risk classification engine |
| ✅ Complete | Compliance Mapping | SOC 2 CC6.1 and NIST IA-4 mapping |
| ✅ Complete | JSON/CSV Reports | Structured audit evidence output |
| ✅ Complete | Rich CLI Table | Color-coded terminal output |
| ✅ Complete | Mock Mode | Offline testing without AWS |
| 🔄 In Progress | Multi-Account Support | Scan multiple AWS accounts via Organizations |
| 🔄 In Progress | Scheduled Execution | Lambda function deployment for automated scans |
| 📅 Planned | Email Notifications | Send alerts for CRITICAL/HIGH findings |
| 📅 Planned | Dashboard Integration | Export to Splunk, Sumo Logic, or custom dashboards |
| 📅 Planned | API Mode | REST API for integration with GRC platforms |
| 📅 Planned | Key Age Alerts | Warn when keys approach rotation deadlines |
| 🎯 Stretch Goal | Auto-Remediation | Option to auto-deactivate non-compliant keys |
| 🎯 Stretch Goal | SSO Integration | Support for AWS SSO/IAM Identity Center |

👤 About the Author

I'm a GRC (Governance, Risk, and Compliance) professional passionate about cloud security and regulatory compliance. I built this tool to demonstrate practical automation skills for IAM security monitoring, something I saw as a gap in many organizations' compliance programs.

I specialize in SOC 2 audits, NIST framework implementation, and cloud security assessments. This project represents my ability to bridge the gap between security concepts and technical implementation, translating compliance requirements into working code that produces audit-ready evidence.

I believe automation is the future of GRC work. Manual compliance checking doesn't scale, and auditors need reproducible, consistent evidence. This tool is one example of how I'm applying that philosophy.

Let's connect! I'm always open to discussing cloud security, compliance automation, or GRC career opportunities.


📄 License + Footer

MIT License

Copyright (c) 2026 Your Name

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
╔══════════════════════════════════════════════════════════════════════════════╗
║                                                                              ║
║   "Compliance is not a checkbox. It's a culture. Build the culture with      ║
║    tools that make security effortless."                                     ║
║                                                                              ║
║                              - Anand Sundar, GRC Engineer                    ║
║                                                                              ║
╚══════════════════════════════════════════════════════════════════════════════╝
