You’re required to use multiple security credentials to access different areas of your AWS storage. Apart from a username and password for the AWS Management Console, you also need access keys to use the AWS Command Line Interface (CLI), AWS Tools for PowerShell, or APIs.
AWS S3 access keys of each IAM user will consist of 2 elements: a key ID and a secret access key. And it’s highly recommended to expire the access key of an IAM user for better security.
Rotating access keys allows you to shorten the time that an IAM user views or makes adjustments to your AWS resources. This will help protect the storage against unauthorized access from shared or stolen keys.
Unfortunately, AWS doesn’t provide a solution to force rotating access keys. That’s why in this article, we’ll walk you through a complete guide on how to rotate access keys for IAM users.
2 Different Cases of Access Key Rotation
AWS IAM user access keys will expire after every 90 days by default. If you use EC2 to run your apps, there is no more worry about access key rotation. The security credentials will be inactivated or renewed automatically after a given time.
However, if you’re running the apps somewhere else, the rotation process won’t follow this automatic rule. You need to add the access key rotation to your application management process.
Setting up a complete process frees you from manually rotating access keys frequently which might scare you every time working on it.
Below is how you can rotate IAM user access keys in Management Console, AWS CLI, and AWS API.
How to Rotate IAM User Access Keys from CLI
There are 5 main steps you must take to successfully deactivate the user access key. To clarify the process, we also provide you with an example key of a user named Suzie and show you what to do with the example in each step.
Before going into details, remember to install the CLI then run the following command to see Suzie’s access keys:
aws iam list-access-keys --user-name Suzie
You will see this command after running the CLI for Suzie’s access keys:
{
"AccessKeyMetadata": [
{
"UserName": "Suzie",
"Status": "Active",
"CreateDate": "2021-08-20T18:49:57Z",
"AccessKeyId": "AKIAI44QH8DHBEXAMPLE"
}
]
}
Step 1: Generate a new access key
Now you have another access key that is the same as the one above. As a result, the command will also return similar.
Access key:
aws iam create-access-key --user-name Suzie
Its command
{
"AccessKey": {
"UserName": "Suzie",
"Status": "Active",
"CreateDate": "2021-08-30T17:09:10.384Z",
"SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY",
"AccessKeyId": “AKIAIOSFODNN7EXAMPLE"
}
}
Then, you can show both keys by listing them using the list-access-keys command:
aws iam list-access-keys --user-name Suzie
{
"AccessKeyMetadata": [
{
"UserName": "Suzie",
"Status": "Active",
"CreateDate": "2021-08-20T18:49:57Z",
"AccessKeyId": "AKIAI44QH8DHBEXAMPLE"
},
{
"UserName": "Suzie",
"Status": "Active",
"CreateDate": "2021-08-30T17:09:10.384Z",
"AccessKeyId": "AKIAIOSFODNN7EXAMPLE"
}
]
}
Step 2: Share your access key with all your applications
It’s time to update all your applications using the old access key with the new one. This important step makes sure all app functions work correctly.
Step 3: Deactivate the previous access key
Since you’re using the new access key, we recommend changing the status of the old ones to have them inactivated. To achieve that, make use of the following command:
aws iam update-access-key --access-key-id AKIAI44QH8DHBEXAMPLE --status Inactive --user-name Suzie
It will then show you the command below:
{
"AccessKeyMetadata": [
{
"UserName": "Suzie",
"Status": "Inactive",
"CreateDate": "2013-04-03T18:49:57Z",
"AccessKeyId": "AKIAI44QH8DHBEXAMPLE"
},
{
"UserName": "Suzie",
"Status": "Active",
"CreateDate": "2013-09-06T17:09:10.384Z",
"AccessKeyId": "AKIAIOSFODNN7EXAMPLE"
}
]
}
Step 4: Make sure your apps work properly with the new access keys
To ensure that your apps still operate well with the new access keys, you must deactivate the old ones. This gives you a chance to fix problems quickly if there is anything wrong.
In case the new access keys don’t work, simply re-enable the previous access key using the aws iam update-access-key command.
Step 5: Remove the inactive access key
You’ve come to the last step of deleting the inactive access key. You can use this command:
aws iam delete-access-key --access-key-id AKIAI44QH8DHBEXAMPLE --user-name Suzie
You should bear in mind that once you delete access keys, they will be removed permanently. Either you or users won’t be able to use it to send requests to your data or re-activate the key.
How to Rotate Access Keys from AWS API
Similar to the guide on rotating IAM user access keys from Management Console, you firstly need to
- Create a second access key using the command:
CreateAccessKey - Use the new access key for all applications
- Check to see if the first access key is still in use
GetAccessKeyLastUsed
- Deactivate the status of the first access key
UpdateAccessKey
- Make sure your apps work correctly with the new access key
- Delete the first access key with this operation
DeleteAccessKey
Rotate Access Keys for IAM Users Now
Access keys enable users to use AWS Command Line Interface (CLI), AWS Tools for PowerShell, and APIs. You should have access keys of IAM users expired after a certain time to better secure your storage.
You’re required to go through 5 steps to successfully rotate an access key, from creating a new access key to using it to deactivate and delete the current one. We’ve also guided you on how to achieve that in the AWS API.
If you still have any questions about how to rotate access keys, just leave your thought in the comment to let us know.
