Download and inspect the IAM credential report
📑 On this page
Part 124 of AWS from Zero. This lesson changes or inspects one IAM concept so the permission model stays understandable.
What we are learning
The report helps identify password use, MFA state, active access keys, key age, and root-account credential posture.
Before you run it
aws sts get-caller-identity
ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
USER_NAME="aws-zero-learner"
GROUP_NAME="aws-zero-readers"
ROLE_NAME="aws-zero-demo-role"IAM is global rather than regional. Use a sandbox account and a delegated administrator identity, never root access keys.
The command
aws iam get-credential-report \
--query Content \
--output text |
base64 --decode > credential-report.csvIAM writes can take a short time to propagate. Inspect the resource after every change.
Inspect the result
head -n 5 credential-report.csvReview columns such as mfa_active, access_key_1_active, key rotation dates, and password usage. Handle the file as sensitive.
One tiny variation
awk -F, 'NR==1 || $8=="false" {print $1 "," $8}' credential-report.csvColumn positions can change with your chosen query. Read the CSV header before building automation.
Common mistake
Do not equate credential-report values with complete access activity. Roles, federation, Identity Center, and service-specific credentials require other evidence.
Cleanup
rm credential-report.csvRemove the local report after completing the approved audit workflow.
Next, we will learn Clean up IAM users groups roles and policies.