AWS IAM Credential Report & Access Key Metadata
Location
AWS IAM > Credential report plus IAM API responses for users and access keys
Description
IAM credential reporting data covering password status, MFA state, access key age, credential rotation status, and last-used timestamps. Supplemented by access-key metadata and last-used lookups for each IAM user.
Forensic Value
IAM credential data exposes long-lived access paths that attackers prefer because they survive instance rebuilds and password resets. The report highlights dormant privileged users, keys that never rotate, accounts without MFA, and access keys that became active during the compromise window. It is critical for confirming which identities require emergency rotation and which old credentials may have supported persistence.
Tools Required
Collection Commands
AWS CLI
aws iam get-credential-report --output text --query Content | base64 --decode > iam_credential_report.csv
AWS CLI
for user in $(aws iam list-users --query "Users[].UserName" --output text); do aws iam list-access-keys --user-name "$user" > "iam_access_keys_${user}.json"; done
AWS CLI
aws iam get-access-key-last-used --access-key-id <access-key-id> > iam_access_key_last_used.json
Collection Constraints
- The credential report is a point-in-time administrative snapshot and must be paired with CloudTrail for actual use history and sequencing.
- It only covers IAM users and keys, not every temporary or federated credential path used in the environment.
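An added triage script (not part of this page or of any AWS tooling) that parses the CSV written by the `get-credential-report` command above and flags the conditions listed under Forensic Value: missing MFA, keys past a rotation age, dormant credentials, and keys created or rotated inside the compromise window. The sample rows, account ID, user names, thresholds and window dates are constructed.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the credential report's column layout (a subset of the real
# columns; the real report has more, which DictReader ignores safely).
SAMPLE_REPORT = """\
user,arn,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,not_supported,2024-02-01T09:00:00+00:00,false,false,N/A,N/A,false,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,true,2024-03-01T08:00:00+00:00,true,true,2022-01-05T00:00:00+00:00,2024-03-01T08:30:00+00:00,false,N/A,N/A
svc-backup,arn:aws:iam::111122223333:user/svc-backup,false,no_information,false,true,2024-02-20T14:00:00+00:00,2024-02-21T02:00:00+00:00,true,2022-06-01T00:00:00+00:00,2023-01-01T00:00:00+00:00
"""

def parse_ts(value):
    """ISO-8601 timestamp from the report, or None for its placeholder values."""
    return None if value in ("N/A", "no_information", "not_supported", "") else datetime.fromisoformat(value)

def analyze_report(csv_text, now, window_start, window_end, max_key_age_days=90, dormant_days=90):
    """Return (user, finding) tuples for the conditions the Forensic Value section names."""
    findings = []
    dormant = lambda ts: ts is None or now - ts > timedelta(days=dormant_days)  # never used counts as dormant
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = row["user"]
        has_password = row["password_enabled"] == "true"  # root reports not_supported here
        if (user == "<root_account>" or has_password) and row["mfa_active"] != "true":
            findings.append((user, "no MFA"))
        if has_password and dormant(parse_ts(row["password_last_used"])):
            findings.append((user, "console password dormant"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue  # inactive or absent key slot
            rotated = parse_ts(row[f"access_key_{n}_last_rotated"])
            if rotated and now - rotated > timedelta(days=max_key_age_days):
                findings.append((user, f"access key {n} not rotated in {(now - rotated).days} days"))
            if rotated and window_start <= rotated <= window_end:
                findings.append((user, f"access key {n} created or rotated inside compromise window"))
            if dormant(parse_ts(row[f"access_key_{n}_last_used_date"])):
                findings.append((user, f"access key {n} dormant"))
    return findings

def sample_findings():
    """Analyze the constructed sample with a constructed compromise window (15-28 Feb 2024)."""
    utc = timezone.utc
    return analyze_report(SAMPLE_REPORT, datetime(2024, 3, 5, tzinfo=utc),
                          datetime(2024, 2, 15, tzinfo=utc), datetime(2024, 2, 28, tzinfo=utc))

if __name__ == "__main__":
    for user, finding in sample_findings():
        print(f"{user}: {finding}")
```

Run `aws iam generate-credential-report` before the collection command, since `get-credential-report` returns the most recent stored copy and AWS regenerates it at most once every four hours; every flagged user still needs its key and password activity sequenced against CloudTrail, as the constraints above note.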
MITRE ATT&CK Techniques
References
Used in Procedures
Related Blockers
Cloud or Container Logging Coverage Missing
The investigation depends on cloud-control-plane or container telemetry that was never enabled, was retained too briefly, or was routed to an unavailable destination. This creates blind spots around identity misuse, cluster administration, and workload behavior.
SaaS Audit Logging Not Enabled or Not Licensed
The investigation depends on SaaS audit evidence that was never enabled, is unavailable under the current subscription tier, or requires a higher-privilege admin role than the response team currently has. This creates blind spots for identity abuse, collaboration-platform misuse, and source-code access.
SaaS Audit Retention Expired Before Collection
The response started after the native retention window for Google Workspace, Okta, Slack, GitHub, or similar SaaS evidence had already passed. The necessary events are no longer available in the vendor UI or API even though the underlying accounts and content may still exist.