lacework-global-142

Ensure access keys are rotated every 350 days or less

Description

Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. It is recommended that all access keys be regularly rotated.

Remediation

Perform the following to rotate access keys:

  1. Log in to the AWS Management Console.

  2. Click Services.

  3. Click IAM.

  4. Click on Users.

  5. Select a user.

  6. Click on Security Credentials.

  7. As an Administrator, click Make Inactive for keys that have not been rotated in 350 days.

  8. As an IAM User, click Make Inactive or Delete for keys that have not been rotated or used in 350 days.

  9. Click on Create Access Key.

  10. Update programmatic call with new Access Key credentials.

Using the AWS CLI:

  1. Create a second access key:

    aws iam create-access-key --user-name <user-name>

  2. Update all applications and tools to use the new access key.

  3. Check if the first access key is still in use:

    aws iam get-access-key-last-used --access-key-id <old-access-key-id>

  4. If the first access key is no longer in use, change the state of the first access key to Inactive:

    aws iam update-access-key --user-name <user-name> --access-key-id <old-access-key-id> --status Inactive

  5. Use the new access key to confirm that applications are working.

  6. After waiting to ensure that all applications and tools have been updated, delete the first access key:

    aws iam delete-access-key --user-name <user-name> --access-key-id <old-access-key-id>
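As an added example (not code from this page or from Lacework), the following Python carries out the check behind this policy and the staged CLI procedure above: it flags keys whose CreateDate is more than 350 days old in list-access-keys output, creates the replacement key, and deactivates or deletes the old key only after get-access-key-last-used shows it has not signed a request since the application switched over. The `iam` argument is assumed to be a boto3 IAM client; the `FakeIam` class, the `deploy-bot` records and all dates are constructed so the example runs offline.

```python
# Added example, not code from this page or from Lacework. `iam` is assumed to be a
# boto3 IAM client (or any object with the same five methods); FakeIam and the
# sample records below are constructed so the example runs offline.
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE_DAYS = 350  # threshold of this policy


def _as_datetime(value):
    # boto3 hands back datetimes; `aws iam ... --output json` prints ISO-8601 strings
    if isinstance(value, str):
        return datetime.fromisoformat(value.replace("Z", "+00:00"))
    return value


def stale_access_keys(access_key_metadata, now, max_age_days=MAX_KEY_AGE_DAYS):
    """Return [(AccessKeyId, age_in_days)] for every key created more than
    max_age_days before `now`. Input is the AccessKeyMetadata list of list-access-keys."""
    limit = timedelta(days=max_age_days)
    stale = []
    for key in access_key_metadata:
        age = now - _as_datetime(key["CreateDate"])
        if age > limit:
            stale.append((key["AccessKeyId"], age.days))
    return stale


def start_rotation(iam, user_name):
    """CLI step 1: create the second key. IAM allows at most two access keys per
    user, so refuse up front instead of failing half-way through a rotation."""
    existing = iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]
    if len(existing) >= 2:
        raise RuntimeError(f"{user_name} already has two access keys; retire one first")
    return iam.create_access_key(UserName=user_name)["AccessKey"]


def retire_old_key(iam, user_name, old_key_id, cutover, delete=False):
    """CLI steps 3-6: deactivate (and, with delete=True, delete) the old key only if
    it has not signed a request since `cutover`, the time the application switched
    keys. Returns 'still_in_use', 'deactivated' or 'deleted'."""
    last_used = iam.get_access_key_last_used(AccessKeyId=old_key_id)["AccessKeyLastUsed"]
    used_at = last_used.get("LastUsedDate")  # absent when the key has never been used
    if used_at is not None and _as_datetime(used_at) >= cutover:
        return "still_in_use"  # something still signs with the old key; do not break it
    iam.update_access_key(UserName=user_name, AccessKeyId=old_key_id, Status="Inactive")
    if not delete:
        return "deactivated"
    iam.delete_access_key(UserName=user_name, AccessKeyId=old_key_id)
    return "deleted"


class FakeIam:
    """Constructed in-memory stand-in for the five boto3 IAM calls used above."""

    def __init__(self, keys, last_used):
        self.keys = {k["AccessKeyId"]: dict(k) for k in keys}
        self.last_used = dict(last_used)  # AccessKeyId -> datetime, or None if never used

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [k for k in self.keys.values() if k["UserName"] == UserName]}

    def create_access_key(self, UserName):
        key = {"UserName": UserName, "AccessKeyId": f"AKIAEXAMPLENEW{len(self.keys):04d}",
               "Status": "Active", "CreateDate": datetime.now(timezone.utc)}
        self.keys[key["AccessKeyId"]] = key
        self.last_used[key["AccessKeyId"]] = None
        return {"AccessKey": dict(key, SecretAccessKey="constructed-secret")}

    def get_access_key_last_used(self, AccessKeyId):
        used = self.last_used.get(AccessKeyId)
        info = {} if used is None else {"LastUsedDate": used}
        return {"UserName": self.keys[AccessKeyId]["UserName"], "AccessKeyLastUsed": info}

    def update_access_key(self, UserName, AccessKeyId, Status):
        self.keys[AccessKeyId]["Status"] = Status

    def delete_access_key(self, UserName, AccessKeyId):
        del self.keys[AccessKeyId]


# Constructed sample: deploy-bot's only key is 401 days old and was last used 2 days ago.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
OLD_KEY = "AKIAEXAMPLEOLD0001"
SAMPLE_KEYS = [{"UserName": "deploy-bot", "AccessKeyId": OLD_KEY, "Status": "Active",
                "CreateDate": "2023-04-27T00:00:00Z"}]


def demo():
    """Run the check and the staged rotation against FakeIam; return what happened."""
    iam = FakeIam(SAMPLE_KEYS, {OLD_KEY: NOW - timedelta(days=2)})
    out = {"stale": stale_access_keys(SAMPLE_KEYS, NOW)}
    out["new_key_user"] = start_rotation(iam, "deploy-bot")["UserName"]
    # Cutover claimed 3 days ago, but the old key signed something 2 days ago: refuse.
    out["early_cutover"] = retire_old_key(iam, "deploy-bot", OLD_KEY, NOW - timedelta(days=3))
    # Cutover 1 day ago, after the last use: safe to deactivate, then delete.
    out["deactivate"] = retire_old_key(iam, "deploy-bot", OLD_KEY, NOW - timedelta(days=1))
    out["delete"] = retire_old_key(iam, "deploy-bot", OLD_KEY, NOW - timedelta(days=1), delete=True)
    out["remaining"] = [k["AccessKeyId"] for k in iam.list_access_keys(UserName="deploy-bot")["AccessKeyMetadata"]]
    return out


if __name__ == "__main__":
    print(demo())
```

The `cutover` timestamp is the one piece of state the CLI steps leave implicit: record when the application was switched to the new key, and treat any LastUsedDate at or after it as proof that something still depends on the old key. Note that IAM's last-used data is itself reported with some delay, so wait for the lag before trusting a "not used" answer, which is the "after waiting" in step 6.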