Access Key ID for non-root IAM user


Hi Team - Can you let me know if the AWS mgmt and child account's root user or admin user can pull the access key IDs for all the non-root IAM users?

2 Answers
Accepted Answer

An AWS account root user has all the permissions for accessing any resources within that account unless explicitly denied. For resources that support resource-based policies, such as an S3 bucket, the root user can be denied access by setting up an explicit deny in the bucket policy within that account.

The root user can view non-root IAM user access keys as well. This is why it's always best practice to delete the root user's secret/access keys to avoid unintended access to a broader set of resources.

A child account's root user's permissions can be limited by a Service Control Policy (SCP); through an SCP, you can dictate which actions the child account's root user can or cannot do.

Hope this helps.

Comment here if you have additional questions, happy to help.


AWS
answered 9 months ago
AWS
reviewed 9 months ago
  • Thanks. Do you have a sample command to pull the list of access key IDs from the management account, so I don't need to log on to each individual account and run the command?

  • AWS Organizations allows managing multiple accounts, but it doesn't give root users automatic access to child accounts. With that said, you have two options: if this is going to be a recurring task, then set up a cross-account IAM role, so that from the management account you can access child account resources; or you need to go to each account and generate the list.

    How I'd do it, if I had access to each account: set up the CLI and iteratively run the following CLI commands for each CLI profile:

    aws iam list-users --output text | awk '{print $NF}'
    aws iam list-access-keys --user-name <for_each_user_retrieved from above command> --output text

    This can be easily scripted and run for each CLI profile. Hope you find this helpful.

  • Does this help, or are you looking for something else?

  • Sorry for the late reply. I have not checked the command, but it looks like a promising solution. I hope I can post my comment here or ask a new question on the same topic, if required.

  • Yes absolutely.



You can use the iam:ListAccessKeys API to list all access key IDs for a user; check here for more information. So, by iterating over all users, you could list all access key IDs in an account.

AWS
answered 9 months ago
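
The iteration both answers describe (list the users, then list each user's access keys, once per CLI profile) can be scripted as follows. This is an added example, not code from either answer; the script name and profile names are placeholders, and it assumes each profile is already configured in the AWS CLI (for instance, one that assumes a cross-account role in a child account).

```bash
#!/usr/bin/env bash
# Added example: inventory IAM access key IDs across several CLI profiles.
# Assumption: every profile name passed in is already configured, e.g. a
# profile that assumes a cross-account IAM role in a child account.

# Print one line per key: profile, user, key ID, status, creation date.
# list-access-keys returns key IDs and metadata only, never the secret key.
list_keys_for_profile() {
  local profile="$1" user users
  # --query picks the UserName field directly instead of guessing a column.
  users=$(aws iam list-users --profile "$profile" \
            --query 'Users[].UserName' --output text) || return 1
  # IAM user names cannot contain whitespace, so word splitting is safe here.
  for user in $users; do
    aws iam list-access-keys --profile "$profile" --user-name "$user" \
        --query 'AccessKeyMetadata[].[UserName,AccessKeyId,Status,CreateDate]' \
        --output text |
      awk -v p="$profile" 'NF { print p "\t" $0 }'
  done
}

# Run the inventory for each profile; keep going if one account fails.
list_keys_all_profiles() {
  local profile rc=0
  for profile in "$@"; do
    if ! list_keys_for_profile "$profile"; then
      echo "profile $profile: could not list users" >&2
      rc=1
    fi
  done
  return "$rc"
}

# Usage: ./list-keys.sh mgmt child-a child-b   (profile names are examples)
if [ "$#" -gt 0 ]; then
  list_keys_all_profiles "$@"
fi
```

The output is tab-separated, so it can be redirected to a file and sorted by status or creation date when reviewing old or inactive keys.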
