Open menu
-->

AWS IAM Access Keys Rotation (90 Days)

Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!

Start a Free Trial Product features
Security

Risk level: High (not acceptable risk)

Ensure that all your IAM user access keys are rotated every month in order to decrease the likelihood of accidental exposures and protect your AWS resources against unauthorized access.

This rule resolution is part of the Cloud Conformity Base Auditing Package

Rotating Identity and Access Management (IAM) credentials periodically will significantly reduce the chances that a compromised set of access keys can be used without your knowledge to access certain components within your AWS account.

Audit

To determine if your AWS IAM users have any outdated (> 90 days) access keys currently in use, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, choose Users.

04 Click on the IAM user name that you want to examine.

05 On the IAM user configuration page, select Security Credentials tab.

06 Under Access Keys section, in the Created column:

Access Keys section, in the Created column

check for any keys older than 90 days with the status set to Active:

check for any keys older than 90 days with the status set to Active

If an active access key is older than 90 days, the key is outdated and needs to be changed in order to secure the access to your AWS resources.

07 Repeat steps no. 4 – 6 for each IAM user that you want to examine, available in your AWS account.

Using AWS CLI

01 Run list-keys command (OSX/Linux/UNIX) to list all IAM users available in your AWS account:

				aws iam list-users
				--query 'Users[*].UserName'
				

02 The command output should return an array that contains all your IAM user names:

				[
				"ec2-manager",
				"s3-manager",
				...
				"web-developer"
				]
				

03 Run list-access-keys command (OSX/Linux/UNIX) using the IAM user name that you want to examine as command parameter to determine each active access key lifetime:

				aws iam list-access-keys
				--user-name web-developer
				

04 The command output should expose the metadata for each access key created for the selected IAM user:

				{
				"AccessKeyMetadata": [
				{
				"UserName": "web-developer",
				"Status": "Inactive",
				"CreateDate": "2016-03-16T14:59:16Z",
				"AccessKeyId": "AAAABBBBCCCCDDDDEEEE"
				},
				{
				"UserName": "web-developer",
				"Status": "Active",
				"CreateDate": "2016-03-16T19:00:59Z",
				"AccessKeyId": "AAAABBBBCCCCDDDDEEEE"
				}
				]
				}
				

Check the CreateDate parameter value for each active key to determine the time of creation. If an active access key lifetime is greater than 90 days, the key is outdated and it must be changed (rotated) in order to secure the access to your AWS resources.

05 Repeat steps no. 3 and 4 for each IAM user that you want to examine, available in your AWS account.

Remediation / Resolution

To rotate (change) your outdated IAM access keys, you need to perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, choose Users.

04 Click on the IAM user name that you want to examine.

05 On the IAM user configuration page, select Security Credentials tab.

06 Click Create Access Key to create a new set of access keys that will replace the old ones.

07 In the Create Access Key dialog box, click Download Credentials to save the newly created access key ID and secret access key to a CSV file on your machine. (!) IMPORTANT: AWS IAM will not provide access to the new secret access key again once the Create Access Key dialog box closes so make sure you save your credentials in a safe location on your machine.

08 Click Close to close the dialog box and return to the configuration page. The IAM user should have now two active access keys.

09 Now update your application(s) code and replace the existing access key ID and secret access key with the new ones. Test your application(s) to make sure that the new access key pair is working.

10 Once the new key is validated, return to the IAM user configuration page, select the outdated (previous) key and click Make Inactive:

select the outdated (previous) key and click Make Inactive

to change the state of the access key to inactive.

11 In the Change Key Status confirmation box, click Deactivate to deactivate the selected key. The access key status should change from Active to Inactive. (!) IMPORTANT: Cloud Conformity strongly recommends waiting few days before going forward with the next step in order to ensure that the original (outdated) key is no longer used by your application(s).

12 Once you are sure that the application(s) is/are no longer using the original key, return to the IAM user configuration page and remove the key by clicking the Delete link:

remove the key by clicking the Delete link

available in the Actions column.

13 In the Delete Access Key confirmation box, click Delete to remove the selected key.

14 Repeat steps no. 4 – 13 for each outdated (older than 90 days) IAM access key, available in your AWS account.

Using AWS CLI

01 Run list-access-keys command (OSX/Linux/UNIX) using the IAM user name that has outdated access keys (see Audit section), to create a new AWS secret access key and corresponding access key ID for the selected user:

				aws iam create-access-key
				--user-name web-developer
				

02 The command output should return the new IAM access key information. Select and copy SecretAccessKey and AccessKeyId values representing secret access key and access key ID in a safe text file on your machine:

				{
				"AccessKey": {
				"UserName": "web-developer",
				"Status": "Active",
				"CreateDate": "2016-05-16T18:24:03.403Z",
				"SecretAccessKey": "RTF+IxK9GIgRv3TtjRf220vfReJ9Zjhkr5yqj/gV",
				"AccessKeyId": "AAAABBBBCCCCDDDDEEEE"
				}
				}
				

03 Update your application(s) code and replace the previous access key ID and secret access key with the new ones created at the previous step. Test your application(s) to make sure that the new access key is working.

04 Run update-access-key command (OSX/Linux/UNIX) using the IAM user name and its outdated access key ID as CLI command parameters to deactivate the key. The following example deactivates an access key with the ID AAAABBBBCCCCDDDDEEEE for an IAM user with the name web-developer (the command does not produce any output):

				aws iam update-access-key
				--access-key-id AAAABBBBCCCCDDDDEEEE
				--status Inactive
				--user-name web-developer
				

05 Run get-access-key-last-used command (OSX/Linux/UNIX) using the outdated key ID as parameter to determine when the specified access key was last used. (!) IMPORTANT: Cloud Conformity strongly recommends waiting few days before going forward with the next step to ensure that the original (outdated) key is no longer used by your application(s):

				aws iam get-access-key-last-used
				--access-key-id AAAABBBBCCCCDDDDEEEE
				

06 The command output should return the date and time of last use (highlighted), the AWS region and the service that used the key last time:

				{
				"UserName":  "web-developer",
				"AccessKeyLastUsed": {
				"Region": "us-east-1",
				"ServiceName": "iam",
				"LastUsedDate": "2016-05-16T20:41:00Z"
				}
				}
				

07 Run delete-access-key command (OSX/Linux/UNIX) to remove the outdated (deactivated) access key pair for the selected IAM user. The following command example removes an access key with the ID AAAABBBBCCCCDDDDEEEE for an IAM user with the name web-developer (if successful, the command does not return any output):

				aws iam delete-access-key
				--access-key AAAABBBBCCCCDDDDEEEE
				--user-name web-developer
				

08 Repeat steps no. 1 – 7 for each outdated (older than 90 days) IAM access key pairs, available in your AWS account.

References

Publication date 2017-09-00