Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!
Start a Free Trial Product featuresEnsure that all your IAM user access keys are rotated every month in order to decrease the likelihood of accidental exposures and protect your AWS resources against unauthorized access.
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
Rotating Identity and Access Management (IAM) credentials periodically will significantly reduce the chances that a compromised set of access keys can be used without your knowledge to access certain components within your AWS account.
To determine if your AWS IAM users have any outdated (> 30 days) access keys currently in use, perform the following:
01 Sign in to the AWS Management Console.
02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.
03 In the left navigation panel, choose Users.
04 Click on the IAM user name that you want to examine.
05 On the IAM user configuration page, select Security Credentials tab.
06 Under Access Keys section, in the Created column:
check for any keys older than 30 days with the status set to Active:
If an active access key is older than 30 days, the key is outdated and needs to be changed in order to secure the access to your AWS resources.
07 Repeat steps no. 4 – 6 for each IAM user that you want to examine, available in your AWS account.
To rotate (change) your outdated IAM access keys, you need to perform the following:
01 Sign in to the AWS Management Console.
02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.
03 In the left navigation panel, choose Users.
04 Click on the IAM user name that you want to examine.
05 On the IAM user configuration page, select Security Credentials tab.
06 Click Create Access Key to create a new set of access keys that will replace the old ones.
07 In the Create Access Key dialog box, click Download Credentials to save the newly created access key ID and secret access key to a CSV file on your machine. (!) IMPORTANT: AWS IAM will not provide access to the new secret access key again once the Create Access Key dialog box closes so make sure you save your credentials in a safe location on your machine.
08 Click Close to close the dialog box and return to the configuration page. The IAM user should have now two active access keys.
09 Now update your application(s) code and replace the existing access key ID and secret access key with the new ones. Test your application(s) to make sure that the new access key pair is working.
10 Once the new key is validated, return to the IAM user configuration page, select the outdated (previous) key and click Make Inactive:
to change the state of the access key to inactive.
11 In the Change Key Status confirmation box, click Deactivate to deactivate the selected key. The access key status should change from Active to Inactive. (!) IMPORTANT: Cloud Conformity strongly recommends waiting few days before going forward with the next step in order to ensure that the original (outdated) key is no longer used by your application(s).
12 Once you are sure that the application(s) is/are no longer using the original key, return to the IAM user configuration page and remove the key by clicking the Delete link:
available in the Actions column.
13 In the Delete Access Key confirmation box, click Delete to remove the selected key.
14 Repeat steps no. 4 – 13 for each outdated (older than 30 days) IAM access key, available in your AWS account.
Unlock the Remediation Steps
Gain free unlimited access to our full Knowledge Base
Over 600 rules & best practices for 
and 
Get started for FREE
Thank you!
Please click the link in the confirmation email sent to
You are auditing:
Access Keys Rotated 30 Days
Risk level: Low
|