Filter for used or unused keys.
The default is unused but can be changed by using the state property.

    policies:
      - name: unused-key-pairs
        resource: aws.key-pair
        filters:
          - unused
      - name: used-key-pairs
        resource: aws.key-pair
        filters:
          - type: unused
            state: false


    properties:
      state:
        type: boolean
      type:
        enum:
          - unused
    required:
      - type

Permissions - autoscaling:DescribeAutoScalingGroups, autoscaling:DescribeLaunchConfigurations, ec2:DescribeInstances, ec2:DescribeTags
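
The classification this filter performs, sketched in Python as an added example (not Cloud Custodian's own code). It assumes, based on the permissions listed above, that a key pair counts as in use when an EC2 instance or a launch configuration attached to an Auto Scaling group references it; the function names and sample data are constructed.

```python
"""Added illustration of an 'unused key pair' check; not Cloud Custodian's code."""


def referenced_key_names(instances, asgs, launch_configs):
    """Key names referenced by instances or by ASG-attached launch configurations."""
    names = {i["KeyName"] for i in instances if i.get("KeyName")}
    # Assumption: only launch configurations attached to an ASG count as usage.
    attached = {a["LaunchConfigurationName"] for a in asgs
                if a.get("LaunchConfigurationName")}
    names |= {lc["KeyName"] for lc in launch_configs
              if lc["LaunchConfigurationName"] in attached and lc.get("KeyName")}
    return names


def filter_key_pairs(key_pairs, in_use, state=True):
    """state=True (the default) keeps unused pairs; state=False keeps used ones."""
    return [k for k in key_pairs if (k["KeyName"] not in in_use) == state]


# Constructed sample data, shaped like the Describe* API responses.
KEY_PAIRS = [{"KeyName": "web"}, {"KeyName": "batch"},
             {"KeyName": "old-admin"}, {"KeyName": "orphan-lc"}]
INSTANCES = [{"InstanceId": "i-0aaa", "KeyName": "web"},
             {"InstanceId": "i-0bbb"}]  # launched without a key pair
ASGS = [{"AutoScalingGroupName": "batch-asg",
         "LaunchConfigurationName": "batch-lc"}]
LAUNCH_CONFIGS = [
    {"LaunchConfigurationName": "batch-lc", "KeyName": "batch"},
    {"LaunchConfigurationName": "detached-lc", "KeyName": "orphan-lc"},
]


def classify():
    """Return (unused, used) key names, mirroring the two policies above."""
    in_use = referenced_key_names(INSTANCES, ASGS, LAUNCH_CONFIGS)
    unused = [k["KeyName"] for k in filter_key_pairs(KEY_PAIRS, in_use)]
    used = [k["KeyName"] for k in filter_key_pairs(KEY_PAIRS, in_use, state=False)]
    return unused, used


if __name__ == "__main__":
    unused, used = classify()
    print("unused:", unused)
    print("used:", used)
```
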
Delete all EC2 key pairs that are not in use.
This action should always be used with the unused filter; Custodian will prevent you from using it without that filter.

    policies:
      - name: delete-unused-key-pairs
        resource: aws.key-pair
        filters:
          - unused
        actions:
          - delete


    properties:
      type:
        enum:
          - delete
    required:
      - type

Permissions - ec2:DeleteKeyPair