I have an AWS account with more than 1000 IAM users. I need to rotate access/secret keys in an effective way.

0

I need to rotate keys every month. A notification needs to be sent to users before rotating to the next key, like the password-expiry email we usually receive. We also need to store these keys in the AWS account, so that a specific user can log in and access only his keys.

Need suggestions on implementing this.

asked 2 months ago, 184 views
3 Answers
2

Hi,

Why don't you use AWS KMS to do that: https://aws.amazon.com/kms/

  • it can manage automatic scheduled key rotation for you
  • given proper credentials to your users, it's the place for them to find their user ID and password when they forget it
  • A least-privilege auth schema will allow you to make sure that only a given user will see its KMS-encrypted password. Not even your sysadmins need to see it.
  • Users can at any time decode the encrypted credentials to find the new value
  • you can set up an EventBridge event + automatic SNS notification email to tell them that the password has been rotated

They can decrypt their credentials directly from the AWS console, or by using the CLI: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/decrypt.html

Best

Didier

answered 2 months ago
0

Hello,

You could use the AWS IAM Key Rotation repository [1] as a model. A set of CloudFormation templates will deploy a Python Lambda function that will automatically rotate your IAM Users' Access Keys every 90 days by default, which can be customized to 30 days as per your need. Amazon Simple Email Service (SES) is used to send notifications to the end-users.

[1] https://github.com/aws-samples/aws-iam-access-key-auto-rotation

AWS
answered 2 months ago
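The scheme the answer above describes (a scheduled function that rotates each user's access key on a fixed cadence and e-mails the user) looks like this when written out for the asker's monthly cadence. This is an added example, not code from the question, the answers, or the aws-samples project. The 30/5/7-day constants, the `iam-user-keys/<user>` secret name, the mapping of IAM user names to mailboxes and the sender address are assumptions; the boto3 calls (`list_users`, `list_access_keys`, `create_access_key`, `update_access_key`, `delete_access_key`, `create_secret`, `put_secret_value`, `send_email`) are real APIs, and boto3 is only imported for the live run at the bottom, so the planning logic runs offline on the constructed sample fleet.

```python
# Added example: plan monthly IAM access-key rotation, then apply it with boto3.
# Day counts, secret naming and the user-name-to-mailbox mapping are assumptions.
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

ROTATION_DAYS = 30  # monthly cadence, as the question asks
WARN_DAYS = 5       # e-mail the user this many days before rotation
GRACE_DAYS = 7      # an Inactive key is kept this long, then deleted


@dataclass(frozen=True)
class KeyInfo:
    user: str
    key_id: str
    status: str        # "Active" or "Inactive", exactly as IAM reports it
    created: datetime  # timezone-aware, like boto3's CreateDate


def plan_rotation(keys, now):
    """Return (action, user, key_id) tuples: "warn", "rotate", "delete" or "blocked".
    IAM allows two keys per user, so an Inactive key is deleted early when a rotation
    needs its slot, and two Active keys are reported as blocked rather than guessing
    which one a workload still uses."""
    due = timedelta(days=ROTATION_DAYS)
    by_user = {}
    for k in keys:
        by_user.setdefault(k.user, []).append(k)
    plan = []
    for user, user_keys in sorted(by_user.items()):
        active = [k for k in user_keys if k.status == "Active"]
        inactive = [k for k in user_keys if k.status == "Inactive"]
        needs_slot = len(user_keys) == 2 and any(now - k.created >= due for k in active)
        for k in inactive:
            if needs_slot or now - k.created >= due + timedelta(days=GRACE_DAYS):
                plan.append(("delete", user, k.key_id))
        for k in active:
            age = now - k.created
            if age >= due:
                plan.append(("blocked" if len(active) > 1 else "rotate", user, k.key_id))
            elif age >= due - timedelta(days=WARN_DAYS):
                plan.append(("warn", user, k.key_id))
    return plan


def collect_keys(iam):
    """Every access key in the account; the paginator handles >1000 users."""
    keys = []
    for page in iam.get_paginator("list_users").paginate():
        for u in page["Users"]:
            for md in iam.list_access_keys(UserName=u["UserName"])["AccessKeyMetadata"]:
                keys.append(KeyInfo(u["UserName"], md["AccessKeyId"], md["Status"], md["CreateDate"]))
    return keys


def store_secret(secrets, name, value):
    """Secrets Manager holds the new secret; a per-user IAM policy on this secret's
    ARN (assumed to exist) is what restricts reads to that one user."""
    try:
        secrets.create_secret(Name=name, SecretString=value)
    except secrets.exceptions.ResourceExistsException:
        secrets.put_secret_value(SecretId=name, SecretString=value)


def notify(ses, sender, to, subject, body):
    ses.send_email(Source=sender, Destination={"ToAddresses": [to]},
                   Message={"Subject": {"Data": subject}, "Body": {"Text": {"Data": body}}})


def apply_plan(plan, iam, secrets, ses, sender, mail_domain):
    """Execute a plan; assumes IAM user names double as mailbox names."""
    for action, user, key_id in plan:
        to = f"{user}@{mail_domain}"
        if action == "delete":
            iam.delete_access_key(UserName=user, AccessKeyId=key_id)
        elif action == "rotate":
            new = iam.create_access_key(UserName=user)["AccessKey"]
            store_secret(secrets, f"iam-user-keys/{user}", json.dumps(
                {"AccessKeyId": new["AccessKeyId"], "SecretAccessKey": new["SecretAccessKey"]}))
            # Old key goes Inactive now; it can be re-enabled within GRACE_DAYS if needed.
            iam.update_access_key(UserName=user, AccessKeyId=key_id, Status="Inactive")
            notify(ses, sender, to, "Your AWS access key was rotated",
                   f"New key {new['AccessKeyId']} is in Secrets Manager (iam-user-keys/{user}); "
                   f"{key_id} is Inactive and will be deleted in {GRACE_DAYS} days.")
        elif action == "warn":
            notify(ses, sender, to, "Your AWS access key will be rotated soon",
                   f"{key_id} reaches {ROTATION_DAYS} days within {WARN_DAYS} days.")
        else:  # blocked
            print(f"{user}: two Active keys, decide which to retire before rotating {key_id}")


def demo_plan():
    """Constructed sample fleet (not real users or keys) run through plan_rotation."""
    d = lambda m, day: datetime(2024, m, day, tzinfo=timezone.utc)
    sample = [
        KeyInfo("alice", "EXAMPLE-ALICE-OLD", "Inactive", d(3, 15)),  # 78 days: delete
        KeyInfo("alice", "EXAMPLE-ALICE-CUR", "Active", d(4, 20)),    # 42 days: rotate
        KeyInfo("bob", "EXAMPLE-BOB", "Active", d(5, 5)),             # 27 days: warn
        KeyInfo("carol", "EXAMPLE-CAROL-1", "Active", d(4, 1)),       # two Active keys: blocked
        KeyInfo("carol", "EXAMPLE-CAROL-2", "Active", d(4, 1)),
        KeyInfo("erin", "EXAMPLE-ERIN-CUR", "Active", d(4, 25)),      # 37 days: rotate, so ...
        KeyInfo("erin", "EXAMPLE-ERIN-OLD", "Inactive", d(5, 28)),    # ... this frees the slot
    ]
    return plan_rotation(sample, d(6, 1))


if __name__ == "__main__":
    import boto3  # needed only for the live run
    iam, secrets, ses = boto3.client("iam"), boto3.client("secretsmanager"), boto3.client("ses")
    plan = plan_rotation(collect_keys(iam), datetime.now(timezone.utc))
    apply_plan(plan, iam, secrets, ses, "aws-keys@example.com", "example.com")
```

Two design points matter for a fleet of this size: the plan is computed as pure data before anything is changed, so it can be logged or reviewed and the run is safe to repeat, and the new secret is only ever written to Secrets Manager, never into the e-mail, so who may read it is decided by IAM policy on the secret rather than by who can read the mailbox.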
0

Several automation solutions, both provided by AWS and third-party vendors, are currently in place. Please evaluate and test them thoroughly. If necessary, you may modify these solutions to better suit your requirements before rolling them out.

  • Automatically rotate IAM user access keys at scale with AWS Organizations and AWS Secrets Manager
  • AWS IAM Access Key Rotation GitHub
  • GitHub Action Rotate AWS Access Keys

You can use this solution, where you can encourage users to manage their IAM access key rotation by themselves: https://github.com/stefansundin/aws-rotate-key

AWS
answered 2 months ago
