How to Rotate AWS IAM Access Keys Securely

Ensure security by rotating access keys for AWS IAM users. Follow our instructions on how to manually rotate keys and protect against compromised credentials.

Patrick Londa
Author
Nov 8, 2022
 • 
5
 min read
Share this post

It’s a security best practice to regularly rotate your AWS access keys. If overtime, an access key becomes compromised, rotating in a new access key will mitigate the risk by making that information no longer relevant.

It’s worth noting that if you are running applications on EC2, instead of access keys, you can use IAM roles which use temporary credentials that automatically expire and renew. For non-EC2 use cases, rotating access keys is still a necessary practice.

In this guide, we’ll walk you through the permissions you need to rotate IAM access keys and the steps for rotating keys using the AWS Console and AWS CLI.

Blink Automation: Rotate Access Keys for AWS IAM Users and Send Confirmation
AWS + Slack
Try This Automation

What AWS permissions do you need?

If you have an AWS root user account, there are no restrictions whatsoever for managing IAM resources. If you are not using the root user to make changes, you’ll need to have permissions from the following policy:

{
    "Version": "2019-10-17",
    "Statement": [
        {
            "Sid": "ManageOwnAccessKeys",
            "Effect": "Allow",
            "Action": [
                "iam:CreateAccessKey",
                "iam:DeleteAccessKey",
                "iam:GetAccessKeyLastUsed",
                "iam:GetUser",
                "iam:ListAccessKeys",
                "iam:UpdateAccessKey"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        }
    ]
}

To allow users to perform specified actions with the AWS console or CLI, you need to include permissions for the actions that the console or CLI performs. For example, if you deny an IAM user to perform iam:ListUsers action, the IAM user won’t be able to list users on the console or CLI.

Even if the user has permission to access actions such as CreateAccessKey and UpdateAccessKey, the console or CLI will be denied access.

Rotating Access Keys for IAM Users

Using the AWS Console:

To rotate access keys with the AWS console, follow the steps below:

1. Create a second access key while the first key is active by doing the following:

  • Sign in and open to the IAM console.
  • Choose Users from the navigation panel.
  • Select the intended IAM user name and choose the Security credentials tab.
  • Select Create access key and then Download .csv file. Save it on your computer.
  • Choose Close. After the Close action, you won’t have access to the access key ID and secret access key (.csv file).
  • The new access key will be active by default, and the IAM user will have two access keys.

2. To use the new access keys, you need to update the access keys on all your applications.

3. Review the Last Used column to check whether the first access key is still in use.

4. Choose Make inactive to deactivate the old access key rather than deleting it — even if it is not in use.

5. Use the new access key to confirm if all your applications are using it. At that point, if your applications and tools are still using the old access key, they will stop working.

If any application still uses the old access key, you can select Make active to enable it again. Return to Step 3 and update the application to use the new access key.

6. Wait for some time to ensure that all applications and tools are no longer working with the old access key, and proceed to delete the old key.

Return to Step 1, but this time, after selecting the Security credentials tab, search for the old access key to delete. Press the X button for the old key, and after confirming the access key ID, hit Delete.

Using the AWS CLI:

Rotating AWS access keys with the AWS CLI will help you change the keys without interrupting your applications. Follow the steps below to rotate access keys for a specific user (we’ll call him Doug).

1. First, run the following command to see what the current access keys are for Doug.

aws iam list-access-keys --user-name Doug

You’ll see an output like this:

{
    "AccessKeyMetadata": [
        {
            "UserName": "Doug",
            "Status": "Active",
            "CreateDate": "2020-04-03T18:49:57Z",
            "AccessKeyId": "NEATI24UH8ZHBEOLDKEY"
        }
    ]
}

2. Now, while the first key is still active, you can run the following command to create a second access key:

aws iam create-access-key --user-name Doug

You'll see this output:

{
    "AccessKey": {
        "UserName": "Doug",
        "Status": "Active",
        "CreateDate": "2022-10-06T17:09:10.384Z",
        "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY",
        "AccessKeyId": "BPEVIESFOFNY7CNEWKEY"
    }
}

Securely save the “SecretAccessKey” information, since it will not be available to be queried after this creation step. If you want to verify that you have successfully created the new access key, you can rerun the list command in step 1.

3. Next, update your applications and tools to use the new access key instead of the old one. Validate that your applications are functioning correctly with the new key.

4. After updating keys, you can use the following command to check if the first access key is still in use anywhere:

aws iam get-access-key-last-used --access-key-id NEATI24UH8ZHBEOLDKEY 
--user-name Doug

5. We recommend waiting a few days to delete the old access key, as you may have some IAM users or applications still using the old access key and deleting access keys is irreversible.

In case you delete the key, you won’t be able to access any application or resources that are still using the old key. Therefore, it’s better to deactivate the first access key by using the following command:

aws iam update-access-key --access-key-id NEATI24UH8ZHBEOLDKEY 
--status Inactive --user-name Doug

6. Use the new access key to confirm if the applications are updated. If some applications still use the old key, you can activate the old access key using the same aws iam update-access-key command, then update those applications to use the new access key.

7. Once you’ve confirmed that all applications are using the new access key, you can delete the old key using the following command:

aws iam delete-access-key --access-key-id NEATI24UH8ZHBEOLDKEY
--user-name Doug

Now you have successfully rotated access keys for a user and improved your AWS account security.

Rotate Access Keys Automatically with Blink Automations

If you want to periodically rotate access keys, doing it manually means remembering to do it and then taking the time to work through these steps each time. You could try to automate each piece with scripts, but they are time-intensive and hard to maintain.

With Blink, you can run this automation to ensure that access keys have been rotated within the last 90 days.

Blink Automation: Ensure IAM Users Access Keys are Rotated Every 90 Days or Less in AWS
Blink Automation: Ensure IAM Users Access Keys are Rotated Every 90 Days or Less in AWS

When you run this automation, it executes the following steps:

  1. Checks whether any IAM access keys have not been rotated within the last 90 days.
  2. Sends a report to a designated email address.

This is a simple automation, and it’s easy to customize to fit your ideal workflow. You can add an approval step to take action like rotating keys or sending notifications via Slack or Teams.

You can use any of the 5K automations in the Blink library, or build any automations from scratch using hundreds of configurable drag-and-drop actions.

Get started with Blink and see how easy automation can be.