Generate credential reports for your Amazon Web Services account - Amazon Identity and Access Management
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Generate credential reports for your Amazon Web Services account

You can generate and download a credential report that lists all users in your account and the status of their various credentials, including passwords, access keys, and MFA devices. You can get a credential report from the Amazon Web Services Management Console, the Amazon SDKs and Command Line Tools, or the IAM API.

You can use credential reports to assist in your auditing and compliance efforts. You can use the report to audit the effects of credential lifecycle requirements, such as password and access key updates. You can provide the report to an external auditor, or grant permissions to an auditor so that he or she can download the report directly.

You can generate a credential report as often as once every four hours. When you request a report, IAM first checks whether a report for the Amazon Web Services account has been generated within the past four hours. If so, the most recent report is downloaded. If the most recent report for the account is older than four hours, or if there are no previous reports for the account, IAM generates and downloads a new report.

Required permissions

The following permissions are needed to create and download reports:

  • To create a credential report: iam:GenerateCredentialReport

  • To download the report: iam:GetCredentialReport

Understanding the report format

Credential reports are formatted as comma-separated values (CSV) files. You can open CSV files with common spreadsheet software to perform analysis, or you can build an application that consumes the CSV files programmatically and performs custom analysis.

The CSV file contains the following columns:

user

The friendly name of the user.

arn

The Amazon Resource Name (ARN) of the user. For more information about ARNs, see IAM ARNs.

user_creation_time

The date and time when the user was created, in ISO 8601 date-time format.

password_enabled

When the user has a password, this value is TRUE. Otherwise it is FALSE.

password_last_used

The date and time when the Amazon Web Services account root user or user's password was last used to sign in to an Amazon website, in ISO 8601 date-time format. Amazon websites that capture a user's last sign-in time are the Amazon Web Services Management Console, the Amazon Discussion Forums, and the Amazon Marketplace. When a password is used more than once in a 5-minute span, only the first use is recorded in this field.

  • The value in this field is no_information in these cases:

    • The user's password has never been used.

    • There is no sign-in data associated with the password, such as when user's password has not been used after IAM started tracking this information on October 20, 2014.

  • The value in this field is N/A (not applicable) when the user does not have a password.

Important

Due to a service issue, password last used data does not include password use from May 3rd 2018 22:50 PDT to May 23rd 2018 14:08 PDT. This affects last sign-in dates shown in the IAM console and password last used dates in the IAM credential report, and returned by the GetUser API operation. If users signed in during the affected time, the password last used date that is returned is the date the user last signed in before May 3rd 2018. For users that signed in after May 23rd 2018 14:08 PDT, the returned password last used date is accurate.

If you use password last used information to identify unused credentials for deletion, such as deleting users who did not sign in to Amazon in the last 90 days, we recommend that you adjust your evaluation window to include dates after May 23rd 2018. Alternatively, if your users use access keys to access Amazon programmatically you can refer to access key last used information because it is accurate for all dates.

password_last_changed

The date and time when the user's password was last set, in ISO 8601 date-time format. If the user does not have a password, the value in this field is N/A (not applicable).

password_next_rotation

When the account has a password policy that requires password rotation, this field contains the date and time, in ISO 8601 date-time format, when the user is required to set a new password. The value for the Amazon Web Services account (root) is always not_supported.

mfa_active

When a multi-factor authentication (MFA) device has been enabled for the user, this value is TRUE. Otherwise it is FALSE.

access_key_1_active

When the user has an access key and the access key's status is Active, this value is TRUE. Otherwise it is FALSE. Applies to both account root user and IAM users.

access_key_1_last_rotated

The date and time, in ISO 8601 date-time format, when the user's access key was created or last changed. If the user does not have an active access key, the value in this field is N/A (not applicable). Applies to both account root user and IAM users.

access_key_1_last_used_date

The date and time, in ISO 8601 date-time format, when the user's access key was most recently used to sign an Amazon API request. When an access key is used more than once in a 15-minute span, only the first use is recorded in this field. Applies to both account root user and IAM users.

The value in this field is N/A (not applicable) in these cases:

  • The user does not have an access key.

  • The access key has never been used.

  • The access key has not been used after IAM started tracking this information on April 22, 2015.

access_key_1_last_used_region

The Amazon Region in which the access key was most recently used. When an access key is used more than once in a 15-minute span, only the first use is recorded in this field. Applies to both account root user and IAM users.

The value in this field is N/A (not applicable) in these cases:

  • The user does not have an access key.

  • The access key has never been used.

  • The access key was last used before IAM started tracking this information on April 22, 2015.

  • The last used service is not Region-specific, such as Amazon S3.

access_key_1_last_used_service

The Amazon service that was most recently accessed with the access key. The value in this field uses the service's namespace—for example, s3 for Amazon S3 and ec2 for Amazon EC2. When an access key is used more than once in a 15-minute span, only the first use is recorded in this field. Applies to both account root user and IAM users.

The value in this field is N/A (not applicable) in these cases:

  • The user does not have an access key.

  • The access key has never been used.

  • The access key was last used before IAM started tracking this information on April 22, 2015.

access_key_2_active

When the user has a second access key and the second key's status is Active, this value is TRUE. Otherwise it is FALSE. Applies to both account root user and IAM users.

Note

Users can have up to two access keys, to make rotation easier by updating the key first and then deleting the previous key. For more information about updating access keys, see Update access keys.

access_key_2_last_rotated

The date and time, in ISO 8601 date-time format, when the user's second access key was created or last updated. If the user does not have a second active access key, the value in this field is N/A (not applicable). Applies to both account root user and IAM users.

access_key_2_last_used_date

The date and time, in ISO 8601 date-time format, when the user's second access key was most recently used to sign an Amazon API request. When an access key is used more than once in a 15-minute span, only the first use is recorded in this field. Applies to both account root user and IAM users.

The value in this field is N/A (not applicable) in these cases:

  • The user does not have a second access key.

  • The user's second access key has never been used.

  • The user's second access key was last used before IAM started tracking this information on April 22, 2015.

access_key_2_last_used_region

The Amazon Region in which the user's second access key was most recently used. When an access key is used more than once in a 15-minute span, only the first use is recorded in this field. Applies to both account root user and IAM users. The value in this field is N/A (not applicable) in these cases:

  • The user does not have a second access key.

  • The user's second access key has never been used.

  • The user's second access key was last used before IAM started tracking this information on April 22, 2015.

  • The last used service is not Region-specific, such as Amazon S3.

access_key_2_last_used_service

The Amazon service that was most recently accessed with the user's second access key. The value in this field uses the service's namespace—for example, s3 for Amazon S3 and ec2 for Amazon EC2. When an access key is used more than once in a 15-minute span, only the first use is recorded in this field. Applies to both account root user and IAM users. The value in this field is N/A (not applicable) in these cases:

  • The user does not have a second access key.

  • The user's second access key has never been used.

  • The user's second access key was last used before IAM started tracking this information on April 22, 2015.

cert_1_active

When the user has an X.509 signing certificate and that certificate's status is Active, this value is TRUE. Otherwise it is FALSE.

cert_1_last_rotated

The date and time, in ISO 8601 date-time format, when the user's signing certificate was created or last changed. If the user does not have an active signing certificate, the value in this field is N/A (not applicable).

cert_2_active

When the user has a second X.509 signing certificate and that certificate's status is Active, this value is TRUE. Otherwise it is FALSE.

Note

Users can have up to two X.509 signing certificates, to make certificate rotation easier.

cert_2_last_rotated

The date and time, in ISO 8601 date-time format, when the user's second signing certificate was created or last changed. If the user does not have a second active signing certificate, the value in this field is N/A (not applicable).

Getting credential reports (console)

You can use the Amazon Web Services Management Console to download a credential report as a comma-separated values (CSV) file.

To download a credential report (console)
  1. Sign in to the Amazon Web Services Management Console and open the IAM console at https://console.amazonaws.cn/iam/.

  2. In the navigation pane, choose Credential report.

  3. Choose Download Report.

Getting credential reports (Amazon CLI)

To download a credentials report (Amazon CLI)
  1. Generate a credentials report. Amazon stores a single report. If a report exists, generating a credentials report overwrites the previous report. aws iam generate-credential-report

  2. View the last report that was generated: aws iam get-credential-report

Getting credential reports (Amazon API)

To download a credentials report (Amazon API)
  1. Generate a credentials report. Amazon stores a single report. If a report exists, generating a credentials report overwrites the previous report. GenerateCredentialReport

  2. View the last report that was generated: GetCredentialReport