🔒 Send Slack alerts for AWS IAM access keys older than 365 days

⚡ 226 views · 🔒 SecOps & Security Automation

Description

Weekly Scheduler — triggers the workflow on a recurring basis.
Get Many Users — fetches all IAM users in the AWS account.
Get User Access Key(s) — retrieves the access keys associated with each user.
Filter Out Inactive Keys — removes keys that are not active (e.g., status Inactive).
Access Key Older Than 365 Days — checks the key creation date and flags keys older than one year.
Send Slack Message — notifies a Slack channel with details of the outdated key(s) for review and action.
No Operation — safely ends the workflow if no keys match the condition.

Configure the Weekly Scheduler to run at your desired cadence (e.g., every Monday).
Use Get Many Users to list all IAM users.
For each user, call ListAccessKeys (Get User Access Key(s)) to fetch their key metadata.
Apply a filter to keep only keys with status Active.
Add a condition to compare CreateDate against today - 365 days.
Send results to Slack using the Slack Post Message node.

n8n (latest version).
AWS credential in n8n configured for us-east-1 (IAM requires signing with this region).
IAM permissions:
- iam:ListUsers
- iam:ListAccessKeys
Slack bot credentials with permission to post messages in the desired channel.

Change threshold — adjust the 365 days condition to 90, 180, or any other rotation policy.
Escalation — mention @security or create a Jira/Ticket when old keys are found.
Logging — push flagged results into a Google Sheet, database, or log management system for audit.
Automation — instead of only notifying, add a step to automatically deactivate keys older than the threshold (after approval).
Multi-account support — duplicate or loop across multiple AWS credentials if you manage several AWS accounts.

HTTP Request, Slack, Schedule Trigger, Filter, AWS IAM

Download workflow.json and import into n8n: Workflow menu → Import from File