Add delete_access_key policy, enhance unused_access_key policy

[pragya811]

Type of change

Note: Fill x in []

• bug
• enhancement
• documentation
• dependencies

Description

1. Enable unused_access_key policy in action, set dry_run to 'no'.
2. Change days to take action from 90 to 180

For security reasons, all pull requests need to be approved first before running any automated CI

[ebattat]

UNUSED_ACCESS_KEY_DAYS = 90
DELETE_ACCESS_KEY_DAYS = 180

[pragya811]

changed to 90, For delete access key policy, will raise a separate PR

[ebattat]

ok thx

[ebattat]

@inntran, any comment ?

[inntran]

I wish we could move configurations from Python files to YAML. Other than that, we can not fix all code smells at this time, so let it be.

[pragya811]

Changes:

1. Added code changes for sending email reminders to users with inactive access keys. Between 80 - 90 days, the user will get 2 reminders to take action on the unused key. Keys > 120 days of age and inactive will be eligible for deletion as mentioned above.

2. Keys older than 90 days are deactivated (after any grace period) and tagged with UnusedAccessKeyNInactiveDate.

3. Deletion:
   Default: delete only inactive keys that have this policy’s tag and have been inactive for more than 120 days.
   With DELETE_INACTIVE_KEYS_WITHOUT_TAG=true: delete any inactive key older than 120 days, even without the tag.

[ebattat]

ADD .DS_Store to git ignore

[ebattat]

why we need to untag user ?

[pragya811]

After we delete the access keys, we will remove the tags 'UnusedAccessKey1InactiveDate', etc which we added to send email reminders.

[ebattat]

We should send email alert before deleting the access key

[pragya811]

Added the part about deletion for keys aged > 120 days in the email alert reminder before deactivation.

[ebattat]

Maybe we should mention that we will delete the access key after 120 days, if no key rotation is done.

[ebattat]

Unused Access Key Already Participates in Alerts in send_aggregated_alerts.py, why we need to send it separately ?

[pragya811]

send_aggregated_alerts.py sends alerts post deactivation (>90 days) based on Cleanup Days. Hence added a separate email alert to alert the user twice before UNUSED_ACCESS_KEY_REMINDER_DAYS.

[pragya811]

[UPDATE 9 March 2026]:

1. Created new policy, delete_access_key policy thereby separating the functionality from unused_access_key policy. Keys > 120 days age will be eligible for deletion.
2. With DELETE_INACTIVE_KEYS_WITHOUT_TAG=true: delete any inactive key older than 120 days, even without the tag. Default set to False.
3. Added internal grace period calculator instead of using CleanupDays tag since one single iam user can have upto 2 keys eligible for deletion/deactivation. Grace period begins post 90 days for deactivation and post 120 days for deletion upto DAYS_TO_TAKE_ACTION. User will get email alerts during this time informing of the necessary action and steps.
4. Included custom email alert for unused_access_key and delete_access_key policy.

TBD:
Enable configs for unsed_access_key and delete_access_key