Skip to content

IAM access key rotation

Language: English

IAM access key rotation

0

As a best practice, AWS recommends that you use AWS Identity and Access Management (IAM) roles instead of IAM users with long-term credentials such as access keys.

Topics: Security, Identity, & Compliance AWS Well-Architected Framework
Tags: AWS Identity and Access Management Security

AWS OFFICIALUpdated 3 years ago230 views

Rotate your IAM credentials

Access keys are long-term credentials for an IAM user. Regularly rotating your IAM credentials helps prevent a compromised set of IAM access keys from accessing components in your AWS account.

Managing access keys for IAM users

Access keys are long-term credentials for an IAM user or the AWS account root user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API.

Update access keys when needed for use cases that require long-term credentials

It's a best practice to use the "IAM access last used information" to update and remove access keys safely.

Automatically rotate IAM user access keys at scale with AWS Organizations and AWS Secrets Manager

The approach documented in this pattern is intended only for legacy implementations that require long-lived AWS API credentials.

Alternatives to long-term access keys

For many common use cases, there are alternatives to long-term access keys.

IAM Access Key Auto-rotation GitHub Sample

This set of AWS CloudFormation templates and Python scripts will set up an auto-rotation function that will automatically rotate your AWS IAM User Access Keys every 90 days.

How to Rotate Access Keys for IAM Users

This post walks you through the steps to rotate access keys for an IAM user.

Updating access keys

As a security best practice, we recommend that you update IAM user access keys when needed, such as when an employee leaves your company.

Digital training on IAM best practices

Review this section for courses on security best practices with respect to IAM.

Deep Dive with Security: AWS Identity and Access Management (IAM)

This self-paced course provides a deep dive into AWS Identity and Access Management (IAM) and best practices for using IAM policies.

Deep Dive with Security: AWS Identity and Access Management (IAM) (Includes Labs)

This course includes interactive content, videos, assessments, and exercises.

re:Post resources on access key rotation

Check out these re:Post resources on the subject.

How to automate access key rotation for IAM users

How to automate access key rotation for IAM users

How do I create a rotation function with an AWS Secrets Manager secret for an unsupported database?

How can I create an AWS Lambda function to rotate AWS Secrets Manager secrets for other databases or third-party services?

No comments

Relevant content

Credential Cleanup Procedure
EXPERT
Subu
published 7 months ago
Restricting IAM User Access by Source IP: SCP Implementation Guide
EXPERT
Purnaresa Y
published 7 months ago
Unlocking the Secrets of AWS Identity and Access Management
EXPERT
Giovanni Lauria
published 2 years ago
How to automate access key rotation for IAM users
rePost-User-7010889
asked 3 years ago
Allowing users to rotate their own IAM access key in a different environment using their AWS SSO account
rePost-User-9168878
asked 2 years ago
IAM Role / key rotation frequency
Accepted Answer
lraymond
asked 4 years ago
How do I rotate my access keys for an existing SES SMTP IAM user?
AWS OFFICIALUpdated 7 months ago
How do I securely manage IAM access keys?
AWS OFFICIALUpdated 2 months ago
Why does my IAM credential report show that my AWS Config managed rules aren't compliant?
AWS OFFICIALUpdated 2 years ago