← All posts
2 min read

Deactivate and reactivate an IAM access key

#aws#cli#iam#security#identity#credentials
📑 On this page

Part 121 of AWS from Zero. This lesson changes or inspects one IAM concept so the permission model stays understandable.

What we are learning

Deactivation is a reversible test during rotation or incident response. Deletion is permanent.

Before you run it

USER_NAME="aws-zero-learner"
ACCESS_KEY_ID="replace-with-key-id"

Identify every workload using the key and prepare rollback before changing a production credential.

The command

aws iam update-access-key \
  --user-name "$USER_NAME" \
  --access-key-id "$ACCESS_KEY_ID" \
  --status Inactive

IAM writes can take a short time to propagate. Inspect the resource after every change.

Inspect the result

aws iam list-access-keys \
  --user-name "$USER_NAME" \
  --query "AccessKeyMetadata[?AccessKeyId=='$ACCESS_KEY_ID'].Status | [0]" \
  --output text

Read the returned ARN, path, IDs, and attachment state instead of checking only the command exit code.

One tiny variation

aws iam update-access-key \
  --user-name "$USER_NAME" \
  --access-key-id "$ACCESS_KEY_ID" \
  --status Active

Reactivate only when rollback is necessary and the key has not been exposed.

Common mistake

Do not leave an unexplained inactive key forever. Either complete rotation and delete it or document why rollback remains necessary.

Cleanup

aws iam update-access-key \
  --user-name "$USER_NAME" \
  --access-key-id "$ACCESS_KEY_ID" \
  --status Inactive

Leave the demo key inactive and delete it after the rotation lesson.

Next, we will learn Rotate an IAM access key with overlap.

Official AWS CLI reference