It's important to regularly rotate your AWS access keys to reduce the risk of compromised keys being used to access your account. AWS recommends rotating keys at least every 90 days. While it takes a bit of effort, rotating keys is a critical security practice to protect your AWS environment.
Where did this come from?
This recommendation comes from the CIS Amazon Web Services Foundations Benchmark v3.0.0 - 01-31-2024. You can download the full benchmark from the CIS website. The benchmark provides prescriptive guidance for configuring security options for a subset of Amazon Web Services with an emphasis on foundational, testable, and architecture-agnostic settings.
For more information on AWS access keys and key rotation, see the AWS IAM documentation.
Who should care?
- AWS administrators responsible for securing IAM users and access keys
- Security teams who need to ensure AWS accounts follow security best practices
- Compliance teams who must verify that AWS configurations meet regulatory standards
What is the risk?
The main risk of not rotating access keys is that a compromised key could be used to access AWS resources without your knowledge. This could allow an attacker to spin up expensive resources, exfiltrate sensitive data, or perform other malicious actions.
While enabling MFA and following other security best practices helps mitigate this risk, key rotation provides an additional layer of protection by limiting the usable lifespan of a key. Even if a key is compromised, it will only be valid for a maximum of 90 days.
What's the care factor?
For most organizations, rotating access keys should be considered a high priority security task. The impact of a compromised key can be severe, while the effort to rotate keys is relatively low.
Key rotation becomes especially important for:
- High privilege users like administrators
- Production environments and sensitive workloads
- Organizations subject to strict regulatory requirements
That said, very small or low-risk environments may be able to justify a slower rotation cadence based on their risk tolerance.
When is it relevant?
This recommendation is relevant for any AWS account that uses IAM users with access keys, which is the majority of accounts. You should implement a key rotation policy from day one.
However, access keys are not the only way to authenticate to AWS. If you disable access keys and require users to authenticate using SSO, password authentication, or other methods, then this recommendation does not apply.
What are the trade offs?
Rotating keys does require some effort and can introduce a small amount of friction for users:
- Administrators have to make updating keys a regular business process
- Users need to update keys in their applications and tools when they rotate them
- Short-lived keys can be annoying for infrequent CLI/API users
However, this friction is generally considered an acceptable trade off, given the importance of key rotation from a security perspective. The enhancements to security are well worth the small effort involved.
How to make it happen?
To rotate access keys for an IAM user:
- Create a new access key. This can be done in the IAM console under the "Security credentials" tab when viewing a user. Click "Create access key". Download the key file. The user will now have two active access keys.
- Update any applications, scripts, or tools that use the old access key to use the new key instead. This includes updating environment variables, config files, ~/.aws/credentials, etc.
- Check if the old access key is still being used by viewing the "Last used" column in the IAM console. You can also use the
get-access-key-last-used
CLI command. Wait a few days to ensure the old key is no longer being used. - Change the old access key status to "Inactive" in the IAM console or by using the
update-access-key
CLI command. This disables the old key while still allowing you to track its past usage. - After waiting an additional period of time, typically 90 days, delete the old access key completely using the console or
delete-access-key
CLI command.
Here is an example of rotating keys using the AWS CLI:
# Create a new key
# Get the access key ID of the old key you want to disable
# Make the old key inactive
?
# Later, delete the old inactive key
For an organization with many users, you will likely want to implement an automated tool to detect and notify users about keys that need to be rotated to enforce your rotation policy.
What are some gotchas?
Here are a few things to watch out for when rotating keys:
- Required IAM permissions - To rotate their own access key, a user needs the
iam:CreateAccessKey
, iam:DeleteAccessKey
, iam:ListAccessKeys
, iam:GetAccessKeyLastUsed
, and iam:UpdateAccessKey
permissions for the resource arn:aws:iam::*:user/${aws:username}
. - Using roles instead of users - If an application uses an IAM role for authorization instead of access keys, the role's temporary credentials will automatically rotate every few hours to days based on the maximum session duration configured for the role.
- Updating key references - Be sure to comprehensively update all references to the old access keys, including environment variables, config files, application source code, etc. Missing one can cause hard to troubleshoot access denied errors. Consider using AWS Secrets Manager to centrally manage access keys.
What are the alternatives?
Access key rotation is a best practice, but you can also consider these alternatives to reduce the usage of long-lived access keys:
- Use temporary security credentials from AWS STS instead of access keys. These automatically expire after a set time period.
- Use an identity provider and SSO to federate access to the AWS Management Console instead of creating IAM users.
- Use tools like aws-vault to manage credentials and generate temporary tokens on-demand.
While these options have their merits, they don't eliminate the need to rotate access keys for IAM users, so it's still important to have a key rotation plan in place.
Explore Further
The CIS recommendation for access key rotation relates to several CIS controls:
- 5 Account Management - Assign and manage user authorization to enterprise assets and software.
- 16 Account Monitoring and Control - Actively manage account lifecycle and monitor for anomalies or suspicious behavior.
Diligently rotating access keys is just one comprehensive cloud security strategy component. To further strengthen your security posture, be sure to review and implement the other recommendations in the CIS benchmark.
?