← All posts
2 min read

Download and inspect the IAM credential report

#aws#cli#iam#security#identity#audit
📑 On this page

Part 124 of AWS from Zero. This lesson changes or inspects one IAM concept so the permission model stays understandable.

What we are learning

The report helps identify password use, MFA state, active access keys, key age, and root-account credential posture.

Before you run it

aws sts get-caller-identity
ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
USER_NAME="aws-zero-learner"
GROUP_NAME="aws-zero-readers"
ROLE_NAME="aws-zero-demo-role"

IAM is global rather than regional. Use a sandbox account and a delegated administrator identity, never root access keys.

The command

aws iam get-credential-report \
  --query Content \
  --output text |
  base64 --decode > credential-report.csv

IAM writes can take a short time to propagate. Inspect the resource after every change.

Inspect the result

head -n 5 credential-report.csv

Review columns such as mfa_active, access_key_1_active, key rotation dates, and password usage. Handle the file as sensitive.

One tiny variation

awk -F, 'NR==1 || $8=="false" {print $1 "," $8}'   credential-report.csv

Column positions can change with your chosen query. Read the CSV header before building automation.

Common mistake

Do not equate credential-report values with complete access activity. Roles, federation, Identity Center, and service-specific credentials require other evidence.

Cleanup

rm credential-report.csv

Remove the local report after completing the approved audit workflow.

Next, we will learn Clean up IAM users groups roles and policies.

Official AWS CLI reference