diff --git a/builtin/credential/aws/backend_test.go b/builtin/credential/aws/backend_test.go index e49f0787fa..4e92c17300 100644 --- a/builtin/credential/aws/backend_test.go +++ b/builtin/credential/aws/backend_test.go @@ -371,6 +371,17 @@ func TestBackend_TidyIdentities(t *testing.T) { t.Fatal(err) } + expiredIdentityWhitelist := &whitelistIdentity{ + ExpirationTime: time.Now().Add(-1 * 24 * 365 * time.Hour), + } + entry, err := logical.StorageEntryJSON("whitelist/identity/id1", expiredIdentityWhitelist) + if err != nil { + t.Fatal(err) + } + if err := storage.Put(context.Background(), entry); err != nil { + t.Fatal(err) + } + // test update operation _, err = b.HandleRequest(context.Background(), &logical.Request{ Operation: logical.UpdateOperation, @@ -380,6 +391,17 @@ func TestBackend_TidyIdentities(t *testing.T) { if err != nil { t.Fatal(err) } + + // let tidy finish in the background + time.Sleep(1 * time.Second) + + entry, err = storage.Get(context.Background(), "whitelist/identity/id1") + if err != nil { + t.Fatal(err) + } + if entry != nil { + t.Fatal("wl tidy did not remove expired entry") + } } func TestBackend_TidyRoleTags(t *testing.T) { @@ -397,6 +419,17 @@ func TestBackend_TidyRoleTags(t *testing.T) { t.Fatal(err) } + expiredIdentityWhitelist := &roleTagBlacklistEntry{ + ExpirationTime: time.Now().Add(-1 * 24 * 365 * time.Hour), + } + entry, err := logical.StorageEntryJSON("blacklist/roletag/id1", expiredIdentityWhitelist) + if err != nil { + t.Fatal(err) + } + if err := storage.Put(context.Background(), entry); err != nil { + t.Fatal(err) + } + // test update operation _, err = b.HandleRequest(context.Background(), &logical.Request{ Operation: logical.UpdateOperation, 
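Review bot: The fixture seeded at `whitelist/identity/id1` is the only entry the tidy sees, so a tidy that unconditionally deleted every key under `whitelist/identity/` would still satisfy the nil check this test later performs; seed a second, unexpired entry as well and assert after tidy that `storage.Get(context.Background(), "whitelist/identity/id2")` still returns a non-nil entry. That exercises the safety-buffer comparison, which is the branch a future regression would most plausibly break, and over-deletion matters more than under-deletion if, as I understand it, these entries back the backend's re-authentication checks (worth confirming). TestBackend_TidyIdentities starts before this hunk and the tidy request and assertion follow it.
```go
// … unchanged: expired id1 fixture …
liveIdentityWhitelist := &whitelistIdentity{
	ExpirationTime: time.Now().Add(24 * time.Hour),
}
entry, err = logical.StorageEntryJSON("whitelist/identity/id2", liveIdentityWhitelist)
if err != nil {
	t.Fatal(err)
}
if err := storage.Put(context.Background(), entry); err != nil {
	t.Fatal(err)
}
```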
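Review bot: The fixed `time.Sleep(1 * time.Second)` before the `storage.Get` is the slowest part of this test and a flakiness risk: tidy runs in a goroutine, nothing guarantees it finishes within a second on a loaded CI host, and when it does not the test reports the same message as a real regression. Since the test lives in the backend's own package it can instead poll the guard that `tidyWhitelistIdentity` acquires with `atomic.CompareAndSwapUint32(b.tidyWhitelistCASGuard, 0, 1)`, waiting with a deadline until it reads 0 (this assumes the guard is only reset after the deletes complete, which is outside this diff and should be confirmed). The test file would need `sync/atomic` imported. The enclosing function starts before this hunk.
```go
// wait for the background tidy to release its guard rather than sleeping a fixed interval
deadline := time.Now().Add(5 * time.Second)
for atomic.LoadUint32(b.tidyWhitelistCASGuard) != 0 {
	if time.Now().After(deadline) {
		t.Fatal("timed out waiting for whitelist tidy to finish")
	}
	time.Sleep(10 * time.Millisecond)
}
// … unchanged: storage.Get and nil check …
```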
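Review bot: `expiredIdentityWhitelist` is a misleading name in this hunk — the fixture is a `roleTagBlacklistEntry` stored under `blacklist/roletag/`, evidently copied from the whitelist test above; rename it, e.g. `expiredRoleTagBlacklist := &roleTagBlacklistEntry{` and pass that to `logical.StorageEntryJSON`. As with the whitelist test, only the expired case is seeded, so an unexpired entry at a second key with a post-tidy presence check would let the test catch over-deletion as well as under-deletion. TestBackend_TidyRoleTags continues past this hunk.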
@@ -406,6 +439,17 @@ func TestBackend_TidyRoleTags(t *testing.T) { if err != nil { t.Fatal(err) } + + // let tidy finish in the background + time.Sleep(1 * time.Second) + + entry, err = storage.Get(context.Background(), "blacklist/roletag/id1") + if err != nil { + t.Fatal(err) + } + if entry != nil { + t.Fatal("bl tidy did not remove expired entry") + } } func TestBackend_ConfigClient(t *testing.T) { diff --git a/builtin/credential/aws/path_tidy_identity_whitelist.go b/builtin/credential/aws/path_tidy_identity_whitelist.go index 2ff035b8d9..a8e7c98d30 100644 --- a/builtin/credential/aws/path_tidy_identity_whitelist.go +++ b/builtin/credential/aws/path_tidy_identity_whitelist.go @@ -33,7 +33,7 @@ expiration, before it is removed from the backend storage.`, } // tidyWhitelistIdentity is used to delete entries in the whitelist that are expired. -func (b *backend) tidyWhitelistIdentity(ctx context.Context, s logical.Storage, safety_buffer int) (*logical.Response, error) { +func (b *backend) tidyWhitelistIdentity(ctx context.Context, s logical.Storage, safetyBuffer int) (*logical.Response, error) { if !atomic.CompareAndSwapUint32(b.tidyWhitelistCASGuard, 0, 1) { resp := &logical.Response{} resp.AddWarning("Tidy operation already in progress.") @@ -48,7 +48,7 @@ func (b *backend) tidyWhitelistIdentity(ctx context.Context, s logical.Storage, logger := b.Logger().Named("wltidy") - bufferDuration := time.Duration(safety_buffer) * time.Second + bufferDuration := time.Duration(safetyBuffer) * time.Second doTidy := func() error { identities, err := s.List(ctx, "whitelist/identity/") 
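Review bot: The `time.Sleep(1 * time.Second)` before `storage.Get` has the same flakiness and cost problem as in the whitelist test: the tidy goroutine is not guaranteed to finish within a second, and a timeout is indistinguishable from a real failure to delete. Poll `b.tidyBlacklistCASGuard` (the guard `tidyBlacklistRoleTag` takes with `atomic.CompareAndSwapUint32`) until it reads 0 with a bounded deadline instead, on the assumption — to be confirmed outside this diff — that the guard is released only after the deletes have run; `sync/atomic` would need importing in the test file. The enclosing function starts before this hunk.
```go
deadline := time.Now().Add(5 * time.Second)
for atomic.LoadUint32(b.tidyBlacklistCASGuard) != 0 {
	if time.Now().After(deadline) {
		t.Fatal("timed out waiting for roletag blacklist tidy to finish")
	}
	time.Sleep(10 * time.Millisecond)
}
// … unchanged: storage.Get and nil check …
```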
@@ -76,7 +76,7 @@ func (b *backend) tidyWhitelistIdentity(ctx context.Context, s logical.Storage, } if time.Now().After(result.ExpirationTime.Add(bufferDuration)) { - if err := s.Delete(ctx, "whitelist/identity"+instanceID); err != nil { + if err := s.Delete(ctx, "whitelist/identity/"+instanceID); err != nil { return errwrap.Wrapf(fmt.Sprintf("error deleting identity of instanceID %q from storage: {{err}}", instanceID), err) } } diff --git a/builtin/credential/aws/path_tidy_roletag_blacklist.go b/builtin/credential/aws/path_tidy_roletag_blacklist.go index 4eaafc22df..e84862f48c 100644 --- a/builtin/credential/aws/path_tidy_roletag_blacklist.go +++ b/builtin/credential/aws/path_tidy_roletag_blacklist.go @@ -33,7 +33,7 @@ expiration, before it is removed from the backend storage.`, } // tidyBlacklistRoleTag is used to clean-up the entries in the role tag blacklist. -func (b *backend) tidyBlacklistRoleTag(ctx context.Context, s logical.Storage, safety_buffer int) (*logical.Response, error) { +func (b *backend) tidyBlacklistRoleTag(ctx context.Context, s logical.Storage, safetyBuffer int) (*logical.Response, error) { if !atomic.CompareAndSwapUint32(b.tidyBlacklistCASGuard, 0, 1) { resp := &logical.Response{} resp.AddWarning("Tidy operation already in progress.") @@ -48,7 +48,7 @@ func (b *backend) tidyBlacklistRoleTag(ctx context.Context, s logical.Storage, s logger := b.Logger().Named("bltidy") - bufferDuration := time.Duration(safety_buffer) * time.Second + bufferDuration := time.Duration(safetyBuffer) * time.Second doTidy := func() error { tags, err := s.List(ctx, "blacklist/roletag/") 
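Review bot: The storage key is still assembled by ad-hoc concatenation here while the `List` call earlier in `doTidy` uses the literal `"whitelist/identity/"` separately, which is exactly how the missing slash slipped in; `s.Delete` presumably returns nil for a non-existent key, which would explain why expired entries silently accumulated until the regression test in this commit. Hoist the prefix into one package-level constant, e.g. `const identityWhitelistPrefix = "whitelist/identity/"`, and use it for both the `List` and the `Delete` (`s.Delete(ctx, identityWhitelistPrefix+instanceID)`) so the two cannot drift again; the code that writes these entries should use the same constant. `doTidy` and `tidyWhitelistIdentity` both begin before this hunk.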
@@ -76,7 +76,7 @@ func (b *backend) tidyBlacklistRoleTag(ctx context.Context, s logical.Storage, s } if time.Now().After(result.ExpirationTime.Add(bufferDuration)) { - if err := s.Delete(ctx, "blacklist/roletag"+tag); err != nil { + if err := s.Delete(ctx, "blacklist/roletag/"+tag); err != nil { return errwrap.Wrapf(fmt.Sprintf("error deleting tag %q from storage: {{err}}", tag), err) } }
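Review bot: Same shape as the whitelist fix: `"blacklist/roletag/"+tag` is typed by hand next to a `List(ctx, "blacklist/roletag/")` in the same closure, and the one-character divergence between them went unnoticed because a delete of a key that does not exist is, I expect, not an error. A shared constant such as `const roleTagBlacklistPrefix = "blacklist/roletag/"` used at both sites (`s.Delete(ctx, roleTagBlacklistPrefix+tag)`) removes the class of bug rather than this instance of it. Note also that a single failed delete still returns out of the loop and leaves the remaining expired tags for the next run, which is acceptable but worth a comment on the `return errwrap.Wrapf(...)` line. `tidyBlacklistRoleTag` and `doTidy` begin before this hunk.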