turbot/steampipe-mod-aws-compliance

Query: iam_user_one_active_key

Usage

powerpipe query aws_compliance.query.iam_user_one_active_key

SQL

select
  u.arn as resource,
  case
    when count(distinct k.access_key_id) > 1 then 'alarm'
    else 'ok'
  end as status,
  u.arn || ' has ' || count(distinct k.access_key_id) || ' active access key(s).' as reason,
  u.account_id
from
  aws_iam_user as u
  left join aws_iam_access_key as k
    on k.akas::text like '%' || u.arn || '%' -- convert jsonb to text and check if arn exists
    -- filter on status inside the join, not in a where clause, so that users
    -- whose keys are all inactive are still reported (with 0 active keys)
    and k.status = 'active'
group by
  u.arn, u.account_id, u.tags, u._ctx;

Controls

The query is being used by the following controls: