Access keys should be rotated every 90 days or less

Description

Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. You should regularly rotate all access keys.

Rationale

Rotating access keys reduces the window of opportunity for an access key that is associated with a compromised or terminated account to be used. Access keys should be rotated to ensure that data cannot be accessed with an old key that might have been lost, cracked, or stolen.
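
The benchmark text gives no audit step, so here is an added check (not part of the original page or of any AWS tooling) that evaluates the 90-day rule against captured CLI output: it parses the JSON printed by `aws iam list-access-keys` and `aws iam get-access-key-last-used`, computes each key's age, and maps stale keys to the console actions above (rotate a key still in use, make an idle one Inactive, delete one that is already Inactive). The key IDs, users, dates and the fixed audit time are constructed sample values; `recommended_action` and its thresholds are this example's own.

```python
import json
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE_DAYS = 90
# Fixed audit time so the constructed sample gives reproducible ages;
# use datetime.now(timezone.utc) when running against live CLI output.
AUDIT_TIME = datetime(2024, 4, 1, tzinfo=timezone.utc)

# Constructed sample of what `aws iam list-access-keys` prints (no real keys).
LIST_ACCESS_KEYS_OUTPUT = json.dumps({"AccessKeyMetadata": [
    {"UserName": "alice", "AccessKeyId": "AKIAOLDKEY000EXAMPLE",
     "Status": "Active", "CreateDate": "2023-01-10T08:15:00+00:00"},
    {"UserName": "alice", "AccessKeyId": "AKIANEWKEY000EXAMPLE",
     "Status": "Active", "CreateDate": "2024-03-20T12:00:00+00:00"},
    {"UserName": "bob", "AccessKeyId": "AKIAINACTIVE0EXAMPLE",
     "Status": "Inactive", "CreateDate": "2023-11-01T00:00:00Z"},
]})

# Constructed sample of `aws iam get-access-key-last-used --access-key-id ...`
# output, one document per key. A never-used key has no LastUsedDate field.
LAST_USED_OUTPUT = {
    "AKIAOLDKEY000EXAMPLE": json.dumps({"UserName": "alice", "AccessKeyLastUsed": {
        "LastUsedDate": "2024-03-30T09:00:00+00:00", "ServiceName": "s3", "Region": "us-east-1"}}),
    "AKIANEWKEY000EXAMPLE": json.dumps({"UserName": "alice", "AccessKeyLastUsed": {
        "LastUsedDate": "2024-03-31T09:00:00+00:00", "ServiceName": "sts", "Region": "us-east-1"}}),
    "AKIAINACTIVE0EXAMPLE": json.dumps({"UserName": "bob", "AccessKeyLastUsed": {
        "ServiceName": "N/A", "Region": "N/A"}}),
}


def parse_aws_timestamp(value):
    """The CLI prints ISO 8601; older Pythons' fromisoformat want '+00:00' rather than 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def recommended_action(status, last_used, now, max_age_days):
    """Map a stale key's state to the console guidance (this example's own mapping)."""
    if status != "Active":
        return "delete"        # already Inactive: finish the rotation by deleting it
    if last_used is None or now - last_used > timedelta(days=max_age_days):
        return "deactivate"    # not used for more than max_age_days: make Inactive
    return "rotate"            # still in use: create a new key, then retire this one


def stale_access_keys(list_output, last_used_by_key, now=AUDIT_TIME, max_age_days=MAX_KEY_AGE_DAYS):
    """Return a finding for every key whose CreateDate is more than max_age_days ago.

    list_output is the raw JSON from list-access-keys; last_used_by_key maps an
    AccessKeyId to the raw JSON from get-access-key-last-used for that key.
    """
    findings = []
    for key in json.loads(list_output)["AccessKeyMetadata"]:
        age = now - parse_aws_timestamp(key["CreateDate"])
        if age <= timedelta(days=max_age_days):
            continue
        used = json.loads(last_used_by_key[key["AccessKeyId"]])["AccessKeyLastUsed"]
        last_used = used.get("LastUsedDate")
        last_used_dt = parse_aws_timestamp(last_used) if last_used else None
        findings.append({
            "user": key["UserName"],
            "access_key_id": key["AccessKeyId"],
            "status": key["Status"],
            "age_days": age.days,
            "last_used": last_used,
            "action": recommended_action(key["Status"], last_used_dt, now, max_age_days),
        })
    return findings


if __name__ == "__main__":
    for f in stale_access_keys(LIST_ACCESS_KEYS_OUTPUT, LAST_USED_OUTPUT):
        print(f"{f['user']}: {f['access_key_id']} is {f['age_days']} days old, "
              f"last used {f['last_used'] or 'never'} -> {f['action']}")
```

Against the sample, alice's 446-day-old key is still being used and is reported as "rotate", while bob's 152-day-old Inactive key is reported as "delete"; the 11-day-old key is not reported. To run this on a real account, feed it the output of the two CLI commands for each user rather than the constructed strings.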

Remediation

From the console

  1. Sign in to the AWS Management Console.
  2. Click Users.
  3. Click Security Credentials.
  4. Do the following:
  • Administrator: Click Make Inactive for keys that have not been rotated for more than 90 days.
  • IAM User: Click Make Inactive or Delete for keys that have not been rotated or used for more than 90 days.
  5. Click Create Access Key.
  6. Update programmatic calls with the new Access Key credentials.

From the command line

  1. While the first access key is still active, create a second access key, which is active by default. Run the following command:
    aws iam create-access-key --user-name <USER_NAME>

At this point, the user has two active access keys.

  2. Update all applications and tools to use the new access key.

  3. Run the following command to determine whether the first access key is still in use:
    aws iam get-access-key-last-used --access-key-id <OLD_ACCESS_KEY_ID>

  4. One approach is to wait several days and then check the old access key for any use before proceeding.

Even if Step 3 indicates no use of the old key, it is recommended that you do not immediately delete the first access key. Instead, change the state of the first access key to Inactive using this command:
    aws iam update-access-key --user-name <USER_NAME> --access-key-id <OLD_ACCESS_KEY_ID> --status Inactive

  5. Use only the new access key to confirm that your applications are working. Any applications and tools that still use the original access key will stop working at this point because they no longer have access to AWS resources. If you find such an application or tool, you can switch its state back to Active to re-enable the first access key. Then return to Step 2 and update this application to use the new key.
  6. After you wait some period of time to ensure that all applications and tools have been updated, you can delete the first access key with this command:
    aws iam delete-access-key --user-name <USER_NAME> --access-key-id <OLD_ACCESS_KEY_ID>
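
The command-line procedure above is safe only because of the checks between its steps: the old key is made Inactive (reversible) before it is deleted (irreversible), and neither happens while something still uses it. The following added example, which is not from the benchmark or from AWS, puts those checks into code around the same IAM calls. `client` is any object exposing the boto3 IAM client methods used here (`create_access_key`, `get_access_key_last_used`, `list_access_keys`, `update_access_key`, `delete_access_key`, which return `LastUsedDate` as a timezone-aware datetime); a real `boto3.client("iam")` fits, and the constructed `FakeIam` class stands in for it so the script runs offline. The `quiet_days` threshold, the fixed `NOW`, and the key IDs are this example's own assumptions.

```python
from datetime import datetime, timedelta, timezone

# Fixed reference time and two constructed last-used timestamps for the demo.
NOW = datetime(2024, 4, 1, tzinfo=timezone.utc)
IDLE_SINCE = NOW - timedelta(days=10)       # old key quiet for over a week
USED_YESTERDAY = NOW - timedelta(days=1)    # old key still being called


def create_second_key(client, user_name):
    """Step 1: create the replacement while the old key stays Active.

    The secret is returned only once, so hand it straight to the application
    update of step 2; it cannot be retrieved again later.
    """
    key = client.create_access_key(UserName=user_name)["AccessKey"]
    return key["AccessKeyId"], key["SecretAccessKey"]


def old_key_last_used(client, access_key_id):
    """Step 3: LastUsedDate of the key, or None if it has never been used."""
    info = client.get_access_key_last_used(AccessKeyId=access_key_id)
    return info["AccessKeyLastUsed"].get("LastUsedDate")


def deactivate_old_key(client, user_name, access_key_id, now=NOW, quiet_days=3):
    """Step 4: set the old key Inactive, but only if it has been idle for quiet_days.

    Returns False (and changes nothing) if the key was used recently: some
    application still holds it, so go back to step 2. Inactive is reversible.
    """
    used = old_key_last_used(client, access_key_id)
    if used is not None and now - used < timedelta(days=quiet_days):
        return False
    client.update_access_key(UserName=user_name, AccessKeyId=access_key_id, Status="Inactive")
    return True


def delete_old_key(client, user_name, access_key_id):
    """Step 6: delete the old key, refusing unless it is already Inactive.

    Deletion is irreversible, so a key that is still Active (never taken
    through step 4) is left alone and False is returned.
    """
    for key in client.list_access_keys(UserName=user_name)["AccessKeyMetadata"]:
        if key["AccessKeyId"] == access_key_id and key["Status"] == "Inactive":
            client.delete_access_key(UserName=user_name, AccessKeyId=access_key_id)
            return True
    return False


class FakeIam:
    """Constructed in-memory stand-in for boto3.client("iam"); talks to no real AWS."""

    def __init__(self, user_name, old_key_id, old_key_last_used):
        self.keys = {old_key_id: {"UserName": user_name, "Status": "Active"}}
        self.used = {old_key_id: old_key_last_used}

    def create_access_key(self, UserName):
        key_id = "AKIANEWKEY%03dEXAMPLE" % len(self.keys)   # 20 chars, shaped like a key ID
        self.keys[key_id] = {"UserName": UserName, "Status": "Active"}
        self.used[key_id] = None
        return {"AccessKey": {"UserName": UserName, "AccessKeyId": key_id,
                              "Status": "Active", "SecretAccessKey": "constructed-secret"}}

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [{"UserName": UserName, "AccessKeyId": k, "Status": v["Status"]}
                                      for k, v in self.keys.items() if v["UserName"] == UserName]}

    def get_access_key_last_used(self, AccessKeyId):
        info = {"ServiceName": "N/A", "Region": "N/A"}
        if self.used[AccessKeyId] is not None:
            info = {"LastUsedDate": self.used[AccessKeyId], "ServiceName": "s3", "Region": "us-east-1"}
        return {"UserName": self.keys[AccessKeyId]["UserName"], "AccessKeyLastUsed": info}

    def update_access_key(self, UserName, AccessKeyId, Status):
        self.keys[AccessKeyId]["Status"] = Status

    def delete_access_key(self, UserName, AccessKeyId):
        del self.keys[AccessKeyId]


if __name__ == "__main__":
    iam = FakeIam("alice", "AKIAOLDKEY000EXAMPLE", IDLE_SINCE)
    new_id, _secret = create_second_key(iam, "alice")                                   # step 1
    # Step 2 (updating applications) and the waiting periods of steps 4 and 6 happen
    # outside this script; in practice each call below runs days apart.
    print("deactivated:", deactivate_old_key(iam, "alice", "AKIAOLDKEY000EXAMPLE"))    # step 4
    print("deleted:", delete_old_key(iam, "alice", "AKIAOLDKEY000EXAMPLE"))            # step 6
    print("remaining keys:", list(iam.keys))
```

With a key last used the day before, `deactivate_old_key` returns False and leaves it Active, which is the signal to return to step 2; `delete_old_key` likewise returns False for any key that has not first been made Inactive.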
    

References

  1. https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#rotate-credentials
  2. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_finding-unused.html
  3. https://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html
  4. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html