Rotating Access Keys
Rotating IAM User Access Keys (Console)
Access keys can be rotated from the AWS Management Console.
To rotate access keys for an IAM user without interrupting your applications (console)
- You can create a second access key even if the first one is still active, which will lead to the user having two active access keys.
- Now you will have to update all the applications and tools in order to use the new access key.
- You can also check if the first access key is still in use with the help of Last used column for the oldest key.
- You can choose Make inactive to deactivate the first access key instead of completely deleting it because it has never been in use recently.
- If you want to confirm that your applications are working, then use only new access key, but, you can also choose Make active to reenable the first one and then return to the step 3 above and update the application to use the new key.
- You can definitely delete the first access key after waiting for sufficient time period to make sure that all the applications and tools have been updated.
To determine when access keys need rotating (console)
- Sign-in to the AWS Management Console and open the IAM console at https:// console.aws.amazon.com/iam.
- Select Users in the navigation pane.
- Add the Access key age column to users table if required.
- As the Access key age column shows the number of days since the oldest active key was created, this information can help in locating the users with access keys that need rotating. For users with no access keys, None will be displayed on the column.
Rotating Access Keys (AWS CLI)
The AWS Command Line Interface can help in rotating access keys.
To rotate access keys without interrupting your applications (AWS CLI)
- Even if the first access key is still active, you can create a second one (active by default) by running this command- aws iam create-access-key.
- Now update all applications and tools to use the new access key.
- You can find out if the first access key is still in use via this command- aws iam get-access-key-last-used.
- It's recommended to not delete the first access key, instead make it inactive with the help of this command- aws iam update-access-key.
- In order to confirm that your applications are working, use the new access key only. However, you can still activate the first one and then return to step 2 and update this application to use the new key.
- After successfully waiting for some period of time to update all the applications and tools, the first access key can deleted with this command- aws iam delete-access-key.
Rotating Access Keys (AWS API)
The AWS API can help in rotating access keys.
To rotate access keys without interrupting your applications (AWS API)
- Even if the first access key is still active, you can create a second one (active by default) by calling this operation- CreateAccessKey.
- Now update all applications and tools to use the new access key.
- You can find out if the first access key is still in use via this operation- GetAccessKeyLastUsed.
- It's recommended to not delete the first access key, instead make it inactive with the help of this operation- UpdateAccessKey.
- In order to confirm that your applications are working, use the new access key only. However, you can still activate the first one and then return to step 2 and update this application to use the new key.
- After successfully waiting for some period of time to update all the applications and tools, the first access key can deleted with this operation- DeleteAccessKey.
Comments
Post a Comment