Cloud Security

AWS Access Keys are Rotated Every 90 Days

Risk

Remediation Effort

Medium

Medium

This policy validates that AWS IAM account access keys are rotated every 90 days.

Regularly rotating access keys is considered security best practice as it reduces the amount of time a compromised key can be used to access an account.

Remediation

To remediate this, each unrotated access key must be deleted, then a new access key created. All programmatic calls making use of the old key should be updated with the new key.

In order to prevent a service outage, it is possible to first move all programmatic calls to a new key and then disable the non-compliant key. The following instructions will be using this method.

Using the AWS Console

1. Access the User tab of the IAM console at:

https://console.aws.amazon.com/iam/home#/users

2. Select the name of the non-compliant user.

3. Select the "Security Credentials" tab.

4. Under the "Access Keys" section, select the "Create access key" button.

5. Securely store the new Secret access key.

Note: this key contains sensitive information and should be treated as such.

6. Update all programatic calls using the old access key to use the new access key, and verify they are working.

7. Back at the "Security Credentials" tab, under the "Access Keys" section, select "Make inactive" under the "Status" column for the old key.

8. Verify that all programmatic access is still working as expected.

9. Back at the "Security Credentials" tab, under the "Access Keys" section, select the gray "x" under the "Status" column for the old key. Select "Delete" in the pop up window.

Using the AWS CLI Tool

1. First create a new access key with the following command:

aws iam create-access-key --user-name <user_name>

2. Store the secret key generated by the previous command, which was output as "SecretAccessKey".

Note: this key contains sensitive information and should be treated as such.

3. Update all programatic calls using the old access key to use the new access key, and verify they are working.

4. Disable the old access key with the following command:

aws iam update-access-key --user-name <user_name> --access-key-id <access_key_id> --status Inactive

5. Verify that all programmatic access is still working as expected.

6. Delete the old access key with the following command:

aws iam delete-access-key --user-name <user_name> --access-key-id <access_key_id>

References