How to Rotate AWS IAM User Access Keys

Remediation Steps:

AWS Console:
  • Sign in to the AWS Management Console.
  • Navigate to the IAM dashboard at https://console.aws.amazon.com/iam/
  • In the left navigation panel, choose Users.
  • Click on the IAM user name whose access keys you want to rotate.
  • On the IAM user configuration page, select the Security Credentials tab.
  • Click Create Access Key to create a new key pair that will replace the old one. An IAM user can have at most two access keys, so if the user already has two, delete the inactive (or otherwise unused) one before continuing.
  • In the Create Access Key dialog box, click Download Credentials to save the newly created access key ID and secret access key to a CSV file. (!) IMPORTANT: AWS IAM will not show the secret access key again once the Create Access Key dialog box closes, so move the credentials into the secrets store your application reads from and delete the downloaded CSV once the application has been updated.
  • Click Close to close the dialog box and return to the configuration page. The IAM user should now have two active access keys.
  • Update your application(s) to use the new access key ID and secret access key. Test the application(s) to make sure that the new access key pair is working.
  • Once the new key is validated, return to the IAM user configuration page, select the outdated (previous) key and click Make Inactive.
  • In the Change Key Status confirmation box, click Deactivate to deactivate the selected key. The access key status should change from Active to Inactive. (!) IMPORTANT: Cloud Conformity strongly recommends waiting a few days before going forward with the next step in order to ensure that the original (outdated) key is no longer used by your application(s). Watch for authentication failures from anything that still holds the old key; an Inactive key can be switched back to Active while you fix the remaining consumer.
  • Once you are sure that the application(s) no longer use the original key, return to the IAM user configuration page and remove the key by clicking Delete.
  • In the Delete Access Key confirmation box, click Delete to remove the selected key.
  • Repeat the steps above, starting from Create Access Key, for each outdated (older than 90 days) IAM access key in your AWS account.

Using the AWS CLI:

  1. Run the create-access-key command (OSX/Linux/UNIX) with the name of the IAM user that has outdated access keys (see Audit section) to create a new secret access key and corresponding access key ID for that user. The command fails with a LimitExceeded error if the user already has two access keys, so delete an inactive or unused one first:

aws iam create-access-key \
  --user-name web-developer
  2. The command output should return the new access key. Copy the SecretAccessKey and AccessKeyId values straight into your secrets store; the secret cannot be retrieved again once this output is gone, and it should not be left in a plain text file or in your shell history:
{
  "AccessKey": {
    "UserName": "web-developer",
    "Status": "Active",
    "CreateDate": "2016-05-16T18:24:03.403Z",
    "SecretAccessKey": "RTF+IxK9GIgRv3TtjRf220vfReJ9Zjhkr5yqj/gV",
    "AccessKeyId": "AAAABBBBCCCCDDDDEEEE"
  }
}
  3. Update your application(s) to use the access key ID and secret access key created at the previous step. Test your application(s) to make sure that the new access key is working.
  4. Run the update-access-key command (OSX/Linux/UNIX) with the IAM user name and the outdated access key ID to deactivate the key. The following example deactivates the access key with the ID AAAABBBBCCCCDDDDEEEE for the IAM user named web-developer (the command does not produce any output). If something still depends on the old key, the same command with --status Active reverses the change:
aws iam update-access-key \
  --access-key-id AAAABBBBCCCCDDDDEEEE \
  --status Inactive \
  --user-name web-developer
  5. Run the get-access-key-last-used command (OSX/Linux/UNIX) with the outdated key ID to determine when the key was last used. (!) IMPORTANT: Cloud Conformity strongly recommends waiting a few days before going forward with the next step to ensure that the original (outdated) key is no longer used by your application(s):
aws iam get-access-key-last-used \
  --access-key-id AAAABBBBCCCCDDDDEEEE
  6. The command output should return the date and time of last use, the AWS region and the service that used the key last. If the key has never been used, LastUsedDate is omitted and ServiceName and Region are reported as N/A:
{
  "UserName": "web-developer",
  "AccessKeyLastUsed": {
    "Region": "us-east-1",
    "ServiceName": "iam",
    "LastUsedDate": "2016-05-16T20:41:00Z"
  }
}
  7. Run the delete-access-key command (OSX/Linux/UNIX) to remove the outdated (deactivated) access key for the selected IAM user. The following example removes the access key with the ID AAAABBBBCCCCDDDDEEEE for the IAM user named web-developer (if successful, the command does not return any output):
aws iam delete-access-key \
  --access-key-id AAAABBBBCCCCDDDDEEEE \
  --user-name web-developer
  8. Repeat steps no. 1 – 7 for each outdated (older than 90 days) IAM access key pair in your AWS account.
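The CLI procedure above, scripted as one routine with the waiting period enforced rather than left to memory. This is an added example, not Cloud Conformity's or AWS's code. It assumes a `client` object exposing the boto3 IAM client methods list_access_keys, create_access_key, update_access_key, get_access_key_last_used and delete_access_key (in production pass `boto3.client("iam")`); FakeIamClient is a constructed in-memory stand-in with the same response shapes so the code runs offline. The user name, key ID, dates and the three-day grace period are made-up values.

```python
from datetime import datetime, timedelta, timezone
import secrets

MAX_KEYS_PER_USER = 2   # IAM quota: create_access_key fails with LimitExceeded at 2
KEY_MAX_AGE_DAYS = 90   # rotation threshold used by the audit
GRACE_DAYS = 3          # how long a deactivated key must stay idle before deletion


def outdated_keys(client, user, now, max_age_days=KEY_MAX_AGE_DAYS):
    """AccessKeyIds of `user` created more than max_age_days ago."""
    meta = client.list_access_keys(UserName=user)["AccessKeyMetadata"]
    cutoff = now - timedelta(days=max_age_days)
    return [k["AccessKeyId"] for k in meta if k["CreateDate"] < cutoff]


def begin_rotation(client, user):
    """Step 1: create the replacement key; the secret comes back once, hand it to the secret store."""
    meta = client.list_access_keys(UserName=user)["AccessKeyMetadata"]
    if len(meta) >= MAX_KEYS_PER_USER:      # fail clearly instead of hitting the quota
        raise RuntimeError(f"{user} already has {len(meta)} keys; delete a stale one first")
    return client.create_access_key(UserName=user)["AccessKey"]


def deactivate(client, user, old_key_id):
    """Step 4: only after the application is confirmed working on the new key."""
    client.update_access_key(UserName=user, AccessKeyId=old_key_id, Status="Inactive")


def finish_rotation(client, user, old_key_id, now, grace_days=GRACE_DAYS):
    """Steps 5-7: delete the old key only if idle for the grace period; else keep it and return False."""
    last = client.get_access_key_last_used(AccessKeyId=old_key_id)["AccessKeyLastUsed"]
    used = last.get("LastUsedDate")         # absent when the key has never been used
    if used is not None and used > now - timedelta(days=grace_days):
        return False
    client.delete_access_key(UserName=user, AccessKeyId=old_key_id)
    return True


class FakeIamClient:
    """Constructed stand-in reproducing the boto3 IAM response shapes used above."""

    def __init__(self, now):
        self.now, self.keys, self.last_used = now, {}, {}

    def seed_key(self, user, key_id, created, last_used=None):
        self.keys[key_id] = {"UserName": user, "AccessKeyId": key_id,
                             "Status": "Active", "CreateDate": created}
        if last_used is not None:
            self.last_used[key_id] = last_used

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [k for k in self.keys.values() if k["UserName"] == UserName]}

    def create_access_key(self, UserName):
        if sum(k["UserName"] == UserName for k in self.keys.values()) >= MAX_KEYS_PER_USER:
            raise RuntimeError("LimitExceeded")
        key_id = "AKIA" + secrets.token_hex(8).upper()   # 20-char id shaped like a real one
        self.seed_key(UserName, key_id, self.now)
        return {"AccessKey": {**self.keys[key_id], "SecretAccessKey": secrets.token_urlsafe(30)}}

    def update_access_key(self, UserName, AccessKeyId, Status):
        self.keys[AccessKeyId]["Status"] = Status

    def get_access_key_last_used(self, AccessKeyId):
        info = {"Region": "us-east-1", "ServiceName": "iam"}
        if AccessKeyId in self.last_used:
            info["LastUsedDate"] = self.last_used[AccessKeyId]
        return {"UserName": self.keys[AccessKeyId]["UserName"], "AccessKeyLastUsed": info}

    def delete_access_key(self, UserName, AccessKeyId):
        del self.keys[AccessKeyId]


def demo():
    """One rotation end to end on constructed data; returns what happened."""
    now = datetime(2016, 5, 20, tzinfo=timezone.utc)
    iam = FakeIamClient(now)
    # Constructed: a 120-day-old key that was still used yesterday.
    iam.seed_key("web-developer", "AAAABBBBCCCCDDDDEEEE",
                 created=now - timedelta(days=120), last_used=now - timedelta(days=1))
    stale = outdated_keys(iam, "web-developer", now)
    new_key = begin_rotation(iam, "web-developer")
    try:                                    # the user now holds two keys: quota reached
        begin_rotation(iam, "web-developer")
        limit_enforced = False
    except RuntimeError:
        limit_enforced = True
    deactivate(iam, "web-developer", stale[0])
    too_soon = finish_rotation(iam, "web-developer", stale[0], now)
    after_grace = finish_rotation(iam, "web-developer", stale[0], now + timedelta(days=5))
    return {"stale": stale, "new_key_active": new_key["Status"] == "Active",
            "limit_enforced": limit_enforced, "deleted_too_soon": too_soon,
            "deleted_after_grace": after_grace, "remaining": list(iam.keys)}


if __name__ == "__main__":
    print(demo())
```

Nothing in the routine prints or stores the secret: begin_rotation returns it once and the caller is responsible for writing it to the application's secret store. finish_rotation turns the get-access-key-last-used check into a hard gate, refusing to delete a key that was used inside the grace window, which is the case where a forgotten consumer is still holding the old credentials.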