list_old_access_keys
Identify AWS IAM access keys exceeding a specified age threshold to help maintain security by detecting potentially unused credentials.
Instructions
Lists access keys older than 90 days (or specified days).
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| days | No | Number of days threshold (default: 90). | |
Implementation Reference
- src/index.ts:358-370 (registration): Registers the 'list_old_access_keys' tool, including its schema for input validation (optional 'days' parameter).

  ```typescript
  {
    name: "list_old_access_keys",
    description: "Lists access keys older than 90 days (or specified days).",
    inputSchema: {
      type: "object",
      properties: {
        days: {
          type: "number",
          description: "Number of days threshold (default: 90)."
        }
      }
    }
  },
  ```

- src/index.ts:1164-1201 (handler): Executes the tool logic: iterates over IAM users, lists their access keys using IAMClient, filters active keys older than the threshold, computes days old, and returns a JSON list.

  ```typescript
  if (name === "list_old_access_keys") {
    const days = (args as any)?.days || 90;
    const thresholdDate = new Date(Date.now() - days * 24 * 60 * 60 * 1000);
    const listCmd = new ListUsersCommand({});
    const listResp = await iamClient.send(listCmd);
    const users = listResp.Users || [];
    const oldKeys = [];
    for (const user of users) {
      if (!user.UserName) continue;
      try {
        const keysCmd = new ListAccessKeysCommand({ UserName: user.UserName });
        const keysResp = await iamClient.send(keysCmd);
        if (keysResp.AccessKeyMetadata) {
          for (const key of keysResp.AccessKeyMetadata) {
            if (key.CreateDate && key.CreateDate < thresholdDate && key.Status === "Active") {
              oldKeys.push({
                UserName: user.UserName,
                AccessKeyId: key.AccessKeyId,
                CreateDate: key.CreateDate,
                Status: key.Status,
                DaysOld: Math.floor((Date.now() - key.CreateDate.getTime()) / (1000 * 60 * 60 * 24))
              });
            }
          }
        }
      } catch (err) {
        // Ignore
      }
    }
    return { content: [{ type: "text", text: JSON.stringify(oldKeys, null, 2) }] };
  }
  ```
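The handler reads the argument with `|| 90` and ignores per-user errors, so `days: 0` becomes 90 and a user whose key listing fails simply disappears from the result. The following is an added example, not code from this project: it applies the same active-and-older-than-threshold filter to already-fetched results, validates `days` explicitly, and reports unchecked users. The type names, function names and sample data are assumptions constructed for illustration.

```typescript
// Added example, not the project's code. All type and function names are assumptions.
type KeyMeta = { AccessKeyId: string; CreateDate: Date; Status: "Active" | "Inactive" };
// Outcome of one per-user ListAccessKeys call: either the keys or the error text.
type UserResult = { UserName: string; keys?: KeyMeta[]; error?: string };
type Finding = { UserName: string; AccessKeyId: string; Status: string; DaysOld: number };
const DAY_MS = 24 * 60 * 60 * 1000;

// Resolve the optional `days` argument. Unlike `days || 90`, an explicit 0 is
// honoured, and negative or non-numeric values are rejected instead of defaulted.
function resolveDays(days: unknown): number {
  if (days === undefined || days === null) return 90;
  if (typeof days !== "number" || !Number.isFinite(days) || days < 0) {
    throw new RangeError(`days must be a non-negative number, got ${String(days)}`);
  }
  return days;
}

// Same filter as the handler (active keys created before the threshold), but
// users whose key listing failed are returned in `unchecked`, not dropped.
function auditOldKeys(results: UserResult[], days: unknown, now: Date) {
  const limit = resolveDays(days);
  const threshold = now.getTime() - limit * DAY_MS;
  const findings: Finding[] = [];
  const unchecked: { UserName: string; error: string }[] = [];
  for (const r of results) {
    if (r.error !== undefined || !r.keys) {
      unchecked.push({ UserName: r.UserName, error: r.error ?? "no key data" });
      continue;
    }
    for (const k of r.keys) {
      const created = k.CreateDate.getTime();
      if (k.Status !== "Active" || created >= threshold) continue;
      const DaysOld = Math.floor((now.getTime() - created) / DAY_MS);
      findings.push({ UserName: r.UserName, AccessKeyId: k.AccessKeyId, Status: k.Status, DaysOld });
    }
  }
  return { days: limit, findings, unchecked, complete: unchecked.length === 0 };
}

// Constructed sample data; the key ids are placeholders, not real credentials.
const NOW = new Date("2025-01-01T00:00:00Z");
const SAMPLE: UserResult[] = [
  { UserName: "alice", keys: [
    { AccessKeyId: "EXAMPLE-KEY-OLD", CreateDate: new Date("2024-06-01T00:00:00Z"), Status: "Active" },
    { AccessKeyId: "EXAMPLE-KEY-NEW", CreateDate: new Date("2024-12-20T00:00:00Z"), Status: "Active" } ] },
  { UserName: "bob", keys: [
    { AccessKeyId: "EXAMPLE-KEY-OFF", CreateDate: new Date("2023-01-01T00:00:00Z"), Status: "Inactive" } ] },
  { UserName: "carol", error: "AccessDenied" },
];
console.log(JSON.stringify(auditOldKeys(SAMPLE, undefined, NOW), null, 2));
```

A result with `complete: false` means the list of old keys is a lower bound, because the users in `unchecked` were never examined.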