Continuing with Boto: List IAM users having 90 days older Access keys

01 / Jul / 2015 by Vikash Jha 1 comments

AWS recommends to rotate your IAM user’s Access keys periodically. Sometime we create access keys for IAM user and keep using it. We forget to rotate the keys after a period of time, which is not considered as a good practice.

Recently, we came across a use case wherein we were supposed to rotate the access keys which were created 90 days ago. For this purpose, we needed all those access keys which were created before 90 days.

We thought to come up with a python script using boto which describes:

1) Access Key Creation Date: date on which access keys were created.
2) Username: user name associate with that keys.

Note: You can refer our previous blog to understand How to use boto library?


import datetime
import dateutil
import boto
from dateutil import parser
from boto import iam

users=conn.get_all_users() – datetime.timedelta(days=90)

print "————————————————————-"
print "Access Keys Created Date" + "\t\t" + "Username"
print "————————————————————-"

for user in users.list_users_response.users:


for keysCreatedDate in accessKeys.list_access_keys_response.list_access_keys_result.access_key_metadata:

if parser.parse(keysCreatedDate[‘create_date’]).date() <=

print(keysCreatedDate[‘create_date’]) + "\t\t" + user[‘user_name’]



You can download this scripts from our github profile AWS-Boto-Scripts.

Leave a comment if you have any questions regarding this article.


comments (1 “Continuing with Boto: List IAM users having 90 days older Access keys”)

Leave a Reply

Your email address will not be published. Required fields are marked *