Access Keys Rotation

Security best practice IAM access keys rotation

It is recommended to rotate IAM access keys for security best practice. AWS makes key rotation and application management very easy. The following steps are taken from AWS Documentation.

Changing access keys (which consist of an access key ID and a secret access key) on a regular schedule is a well-known security best practice because it shortens the period an access key is active and therefore reduces the business impact if it is compromised. Having an established process that is run regularly also ensures the operational steps around key rotation are verified.

To rotate access keys, you should follow these steps:

  1. Create a second access key in addition to the one in use.

  2. Update all your applications to use the new access key and validate that the applications are working.

  3. Change the state of the previous access key to inactive.

  4. Validate that your applications are still working as expected.

  5. Delete the inactive access key.

Key Rotation Example

Here’s an example of the key rotation steps listed above. You are an administrative IAM user and will use the AWS Command Line Interface (CLI) to rotate access keys for a single user, Vehicle1. The CLI uses IAM APIs, so the same steps can be performed programmatically via the AWS SDK, or using the web-based UI of the IAM Management Console like we showed in a previous post. Because keys are considered sensitive information, you should perform all of these commands only on a trusted computer.

After installing the CLI, run the following command to list the access keys Vehicle1 currently has:

aws iam list-access-keys --user-name Testdriver1

The command returns something like this:

{
    "AccessKeyMetadata": [
        {
            "UserName": "Testdriver1",
            "Status": "Active",
            "CreateDate": "2013-04-03T18:49:57Z",
            "AccessKeyId": "AKIAI44QH8DHBEXAMPLE"
        }
    ]
}

Step 1: Create a second access key

Create a new (second) access key for Testdriver1 using this command:

aws iam create-access-key --user-name Testdriver1

This returns:

{
    "AccessKey": {
        "UserName": "Testdriver1",
        "Status": "Active",
        "CreateDate": "2013-09-06T17:09:10.384Z",
        "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY",
        "AccessKeyId": "AKIAIOSFODNN7EXAMPLE"
    }
}

Notice that AWS IAM commands use unique access key identifiers (AKIDs) to refer to individual access keys. You can use the AKIDs to identify and manage the access keys your application uses. Key creation is the only time AWS will expose the secret associated with the access key in clear text. Record it and store it securely.

Now Testdriver1 has two active access keys. Note that IAM allows at most two access keys per user, regardless of their status. If the user already has two access keys, you will not be able to create a third one until one of them is deleted.

Listing the keys using the list-access-keys command shows both keys:

aws iam list-access-keys --user-name Testdriver1
{
    "AccessKeyMetadata": [
        {
            "UserName": "Testdriver1",
            "Status": "Active",
            "CreateDate": "2013-04-03T18:49:57Z",
            "AccessKeyId": "AKIAI44QH8DHBEXAMPLE"
        },
        {
            "UserName": "Testdriver1",
            "Status": "Active",
            "CreateDate": "2013-09-06T17:09:10.384Z",
            "AccessKeyId": "AKIAIOSFODNN7EXAMPLE"
        }
    ]
}

Step 2: Distribute your access key to all instances of your applications

After creating the new key, you will distribute it and instruct your application to transition to using it. Before moving on to the next step, ensure that all instances of your application are indeed using it and that they function correctly.

Step 3: Change the state of the previous access key to inactive

Disable the old access key using this command:

aws iam update-access-key --access-key-id AKIAI44QH8DHBEXAMPLE --status Inactive --user-name Testdriver1

To verify that the key has been disabled, use this command to list the active and inactive keys for Testdriver1:

aws iam list-access-keys --user-name Testdriver1

You’ll see something like this:

{
    "AccessKeyMetadata": [
        {
            "UserName": "Testdriver1",
            "Status": "Inactive",
            "CreateDate": "2013-04-03T18:49:57Z",
            "AccessKeyId": "AKIAI44QH8DHBEXAMPLE"
        },
        {
            "UserName": "Testdriver1",
            "Status": "Active",
            "CreateDate": "2013-09-06T17:09:10.384Z",
            "AccessKeyId": "AKIAIOSFODNN7EXAMPLE"
        }
    ]
}

Step 4: Validate that your application is still working as expected

Once the key has been marked inactive, it can no longer be used to authenticate AWS service API calls, so this is the point at which you should verify that your application still works. This is why the old access key is disabled first rather than deleted: if something goes wrong, you can quickly re-enable the previous access key with the AWS IAM update-access-key command (setting --status Active).

Step 5: Delete the inactive access key

The last step is deleting the inactive access key by using this command:

aws iam delete-access-key --access-key-id AKIAI44QH8DHBEXAMPLE --user-name Testdriver1

Note that deleting an access key, unlike disabling it, is an irreversible operation. Once the deletion completes, the access key is gone for good and cannot be restored. You can list Vehicle1 access keys again to confirm that the old access key has been removed:

aws iam list-access-keys --user-name Testdriver1

The old access key is gone from the results:

{
    "AccessKeyMetadata": [
        {
            "UserName": "Testdriver1",
            "Status": "Active",
            "CreateDate": "2013-09-06T17:09:10.384Z",
            "AccessKeyId": "AKIAIOSFODNN7EXAMPLE"
        }
    ]
}
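The five steps above, as an added example (not code from the page or from AWS) of how an automated rotation should order the calls: check the two-key limit before creating, disable before deleting, and roll back by re-enabling the old key if the application stops working. The `FakeIam` class is a constructed in-memory stand-in that exposes the same method names and keyword arguments as the boto3 IAM client (list_access_keys, create_access_key, update_access_key, delete_access_key) so the script runs offline; the `distribute` and `app_ok` callbacks are assumed hooks into your own deployment and health checks.

```python
class RotationError(Exception):
    pass


class FakeIam:
    """Constructed stand-in for boto3's IAM client (assumption, offline only)."""

    def __init__(self, keys):
        self.keys = dict(keys)  # AccessKeyId -> [Status, CreateDate]
        self.created = 0

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [{"UserName": UserName, "AccessKeyId": k,
                                       "Status": v[0], "CreateDate": v[1]}
                                      for k, v in self.keys.items()]}

    def create_access_key(self, UserName):
        if len(self.keys) >= 2:  # IAM refuses a third key, active or inactive
            raise RotationError("LimitExceeded: user already has two access keys")
        self.created += 1
        kid = f"AKIACONSTRUCTED{self.created}"  # constructed sample ID
        self.keys[kid] = ["Active", "2024-01-01T00:00:00Z"]
        return {"AccessKey": {"UserName": UserName, "AccessKeyId": kid,
                              "SecretAccessKey": "constructed-secret"}}

    def update_access_key(self, UserName, AccessKeyId, Status):
        self.keys[AccessKeyId][0] = Status

    def delete_access_key(self, UserName, AccessKeyId):
        del self.keys[AccessKeyId]


def rotate(iam, user, distribute, app_ok):
    """Steps 1-5 for one user. distribute(key_id, secret) pushes the new key
    to every application instance; app_ok() reports whether they still work."""
    keys = iam.list_access_keys(UserName=user)["AccessKeyMetadata"]
    if len(keys) != 1:  # need a free slot and exactly one unambiguous old key
        raise RotationError(f"expected 1 key for {user}, found {len(keys)}")
    old = keys[0]["AccessKeyId"]
    new = iam.create_access_key(UserName=user)["AccessKey"]            # step 1
    distribute(new["AccessKeyId"], new["SecretAccessKey"])              # step 2
    if not app_ok():  # new key never worked: discard it, old key stays active
        iam.delete_access_key(UserName=user, AccessKeyId=new["AccessKeyId"])
        raise RotationError("application failed with new key; old key untouched")
    iam.update_access_key(UserName=user, AccessKeyId=old, Status="Inactive")  # step 3
    if not app_ok():                                                    # step 4
        iam.update_access_key(UserName=user, AccessKeyId=old, Status="Active")  # rollback
        raise RotationError("application failed after disabling old key; re-enabled it")
    iam.delete_access_key(UserName=user, AccessKeyId=old)              # step 5
    return new["AccessKeyId"]
```

With boto3 installed, `boto3.client("iam")` can replace `FakeIam`; the call shapes are the same.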

For more information on access keys and rotation procedures, please visit the AWS IAM documentation.
