- Newest
- Most votes
- Most comments
UPDATE - specifically regarding KMS Keys - there is no ability to use the kms:ListKeys action from another AWS Account. I'm not aware of anything similar to the IAM credential report for KMS.
The following helps with IAM credentials:
You can generate a credential report for a single AWS account which will list out all credentials in a specific account: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html
To do this at scale we have a blog post with corresponding templates to generate this across all your accounts: https://aws.amazon.com/blogs/infrastructure-and-automation/automate-iam-credential-reports-at-scale-across-aws/
This will also include details of when a key was last used – you’re likely also interested in where it was last used. Querying CloudTrail with Athena is a good next step for digging deeper: https://aws.amazon.com/premiumsupport/knowledge-center/athena-tables-search-cloudtrail-logs/
Relevant content
- asked a year ago
- Accepted Answer
- asked 5 years ago
- Accepted Answerasked 9 months ago
AWS OFFICIALUpdated a year ago- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 3 months ago
- AWS OFFICIALUpdated a year ago
Is it possible to have a single master level credential through which we can query the resources of all the child accounts in an AWS Organization account?