# Setting up an automated system to manage the access keys in the company's AWS account

* You can **generate and download a credential report that lists all users in your account and the status of their various credentials, including passwords, access keys, and MFA devices**.

* When you request a report, **IAM first checks whether a report for the AWS account has been generated within the past four hours**.
  * **If so, the most recent report is downloaded**.
  * **If not, IAM generates and downloads a new report**.

* **GenerateCredentialReport** - **Generates a credential report** for the AWS account.

* **GetCredentialReport** - **Retrieves a credential report** for the AWS account.

* **UpdateAccessKey** - **Changes the status of the specified access key** from Active to Inactive, etc.

* Config has a managed rule called **`access-keys-rotated` that checks whether the active access keys are rotated within the number of days specified in maxAccessKeyAge**.

  * However, you **still need to create a custom remediation action using Systems Manager Automation to disable the access keys**.

    * **Config will only monitor and notify you if there is a noncompliant key** in your account.

* For example, if you have to **automatically disable all IAM user access keys that are more than 90 days old:**
  * Develop a **Lambda function that calls the `GenerateCredentialReport` API** to generate the credential report.
  * Configure the **function to use `GetCredentialReport` API to download the report**.
  * **Parse the CSV file and check the keys with a `user_creation_time` of more than 90 days**.
  * **Disable the old access keys** using the **`UpdateAccessKey` API**.
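
An added example (not from the original page) of the Lambda logic described above, in Python, with a boto3 IAM client passed in as `iam`. The function names and the sample report are constructed here; the example ages each key by the report's `access_key_N_last_rotated` columns and calls `list_access_keys` to get key IDs, because the credential report does not contain them.

```python
import csv
import io
import time
from datetime import datetime, timedelta

MAX_AGE = timedelta(days=90)

# Constructed sample of a credential report (a real report has more columns).
SAMPLE_REPORT = b"""user,arn,user_creation_time,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2021-03-01T00:00:00+00:00,true,2024-01-05T00:00:00+00:00,true,2024-05-20T00:00:00+00:00
bob,arn:aws:iam::111122223333:user/bob,2021-03-01T00:00:00+00:00,false,2022-02-02T00:00:00+00:00,false,N/A
"""

def fetch_report(iam, attempts=10, delay=2):
    """Call GenerateCredentialReport until COMPLETE, then GetCredentialReport."""
    for _ in range(attempts):
        if iam.generate_credential_report()["State"] == "COMPLETE":
            return iam.get_credential_report()["Content"]  # CSV as bytes
        time.sleep(delay)
    raise TimeoutError("credential report was not ready in time")

def stale_key_slots(report_csv, now):
    """Return (user, last_rotated) for every active key older than MAX_AGE."""
    stale = []
    for row in csv.DictReader(io.StringIO(report_csv.decode("utf-8"))):
        if row["user"] == "<root_account>":
            continue  # root keys are not IAM user keys; handle them separately
        for slot in ("1", "2"):
            rotated = row.get(f"access_key_{slot}_last_rotated", "N/A")
            if row.get(f"access_key_{slot}_active") != "true" or rotated == "N/A":
                continue
            rotated_at = datetime.fromisoformat(rotated)
            if now - rotated_at > MAX_AGE:
                stale.append((row["user"], rotated_at))
    return stale

def disable_stale_keys(iam, report_csv, now):
    """Set stale keys to Inactive; `now` must be timezone-aware."""
    disabled = []
    for user in sorted({u for u, _ in stale_key_slots(report_csv, now)}):
        # The report has no key IDs, so look them up per flagged user.
        for key in iam.list_access_keys(UserName=user)["AccessKeyMetadata"]:
            if key["Status"] == "Active" and now - key["CreateDate"] > MAX_AGE:
                iam.update_access_key(UserName=user,
                                      AccessKeyId=key["AccessKeyId"], Status="Inactive")
                disabled.append((user, key["AccessKeyId"]))
    return disabled
```

In a Lambda handler, `iam` would be `boto3.client("iam")` and the execution role needs permission for the four IAM actions used.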


