
Access keys are rotated every 90 days or less



Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. You should regularly rotate all access keys.


Rotating access keys reduces the window of opportunity for an access key that is associated with a compromised or terminated account to be used. Access keys should be rotated to ensure that data cannot be accessed with an old key that might have been lost, cracked, or stolen.


See the CIS AWS Foundations Benchmark controls docs for console remediation steps.
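One way to audit this rule offline is to read the IAM credential report CSV and flag every active key whose `access_key_N_last_rotated` date is more than 90 days old. This is an added example, not code from the benchmark or the rule's vendor; the sample report, user names and the `stale_access_keys` helper are constructed for illustration.

```python
import csv
import io
from datetime import datetime, timezone

MAX_AGE_DAYS = 90  # threshold taken from the rule title

# Constructed sample in the IAM credential report layout, trimmed to the
# columns this check reads. Account ID, users and dates are made up.
SAMPLE_REPORT = """\
user,arn,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,true,2024-01-10T09:00:00+00:00,false,N/A
bob,arn:aws:iam::111122223333:user/bob,true,2024-05-20T12:30:00+00:00,true,2023-11-02T08:15:00+00:00
carol,arn:aws:iam::111122223333:user/carol,false,2022-03-01T00:00:00+00:00,true,2024-03-03T00:00:00+00:00
"""


def stale_access_keys(report_csv, now, max_age_days=MAX_AGE_DAYS):
    """Return (user, key_slot, age_days) for each active key past the limit."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in ("1", "2"):
            # Only active keys can sign requests; inactive ones are skipped.
            if row.get(f"access_key_{slot}_active") != "true":
                continue
            rotated = row.get(f"access_key_{slot}_last_rotated") or "N/A"
            if rotated == "N/A":
                # Active key with no date: flag it rather than pass silently
                # (a conservative choice made for this example).
                findings.append((row["user"], slot, None))
                continue
            # Accept a trailing "Z" as well as an explicit UTC offset.
            rotated_at = datetime.fromisoformat(rotated.replace("Z", "+00:00"))
            age_days = (now - rotated_at).days
            if age_days > max_age_days:  # exactly 90 days still passes
                findings.append((row["user"], slot, age_days))
    return findings


if __name__ == "__main__":
    # Fixed "now" so the constructed sample gives the same result every run.
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    for user, slot, age in stale_access_keys(SAMPLE_REPORT, now):
        detail = "no rotation date" if age is None else f"{age} days old"
        print(f"{user}: access key {slot} is active and {detail}")
```

Against a real account, replace `SAMPLE_REPORT` with the decoded output of `aws iam get-credential-report` and pass the current UTC time as `now`.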



Default value



  1. CCE-78902-4
  2. https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#rotate-credentials
  3. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_finding-unused.html
  4. https://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html
  5. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html

CIS controls

16 Account Monitoring and Control