@chrisbrownie
Last active July 10, 2017 04:51
#!/bin/bash
# Report every IAM access key as "old" or "good" based on its creation date.
# Requires the AWS CLI, jq, and GNU date (for `date -d`).

# Number of days old an access key is allowed to be
ACCESS_KEY_MAX_AGE=90

# Get every user's username
users=$(aws iam list-users | jq -r '.Users[] | .UserName')

# Get the oldest Created Date that we can allow (now minus ACCESS_KEY_MAX_AGE days)
created_date_limit=$(date -d "-$ACCESS_KEY_MAX_AGE days" +%s)

for user in $users; do
    # Iterate through each user and retrieve their access keys
    rawkeys=$(aws iam list-access-keys --user-name "$user")
    keys=$(echo "$rawkeys" | jq -r '.AccessKeyMetadata[] | .AccessKeyId')
    for key in $keys; do
        # Pass the key ID to jq as a variable instead of splicing it into the filter
        thisKey=$(echo "$rawkeys" | jq --arg id "$key" '.AccessKeyMetadata[] | select(.AccessKeyId == $id)')
        # Convert the CreateDate property to epoch date
        create_date=$(echo "$thisKey" | jq -r '.CreateDate')
        create_date_epoch=$(date -d "$create_date" +%s)
        # If the key was created BEFORE the limit (i.e. is less than), it's too old
        if (( create_date_epoch < created_date_limit )); then
            echo "$user:$key:old"
        else
            echo "$user:$key:good"
        fi
    done
done