Deactivate and reactivate an IAM access key
📑 On this page
Part 121 of AWS from Zero. This lesson changes or inspects one IAM concept so the permission model stays understandable.
What we are learning
Deactivation is a reversible test during rotation or incident response. Deletion is permanent.
Before you run it
USER_NAME="aws-zero-learner"
ACCESS_KEY_ID="replace-with-key-id"Identify every workload using the key and prepare rollback before changing a production credential.
The command
aws iam update-access-key \
--user-name "$USER_NAME" \
--access-key-id "$ACCESS_KEY_ID" \
--status InactiveIAM writes can take a short time to propagate. Inspect the resource after every change.
Inspect the result
aws iam list-access-keys \
--user-name "$USER_NAME" \
--query "AccessKeyMetadata[?AccessKeyId=='$ACCESS_KEY_ID'].Status | [0]" \
--output textRead the returned ARN, path, IDs, and attachment state instead of checking only the command exit code.
One tiny variation
aws iam update-access-key \
--user-name "$USER_NAME" \
--access-key-id "$ACCESS_KEY_ID" \
--status ActiveReactivate only when rollback is necessary and the key has not been exposed.
Common mistake
Do not leave an unexplained inactive key forever. Either complete rotation and delete it or document why rollback remains necessary.
Cleanup
aws iam update-access-key \
--user-name "$USER_NAME" \
--access-key-id "$ACCESS_KEY_ID" \
--status InactiveLeave the demo key inactive and delete it after the rotation lesson.
Next, we will learn Rotate an IAM access key with overlap.