What Are Eight Ways of Rotating AWS IAM Keys?

Problem scenario
You want to rotate AWS IAM keys across a unique set of different AWS accounts. Regular rotation is a recommended practice for securing your AWS resources (per this Amazon posting). Just as passwords can be brute-forced and defeated through exhaustive attempts, access keys could be randomly generated and attempted by a malicious person or program; rotating the access keys limits how long any guessed or leaked key remains valid, which makes hacking your AWS resources tremendously more difficult.

You want to evaluate many different options for changing the AWS access keys. What can you do to rotate AWS IAM/access keys?

Eight Possible Solutions (Some of the options arguably overlap depending on how you implement them. There could be nine methods here. It is difficult to enumerate the combinations precisely.)

  1. Manually rotate them in the AWS Console.
  2. Use AWS Lambda.
  3. Use Boto3.
  4. Use CloudFormation (this also uses Lambda): https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets-create-generic-template.html
  5. Use Terraform.
  6. Use the AWS Config managed rule: https://docs.aws.amazon.com/config/latest/developerguide/access-keys-rotated.html
  7. Use this third-party tool: https://aws-rotate-iam-keys.com
  8. Use Serverless.com.
  9. Use AWS Trusted Advisor. (It provides recommendations and action links to rotate IAM access keys.)*
  10. Use the AWS CLI and possibly a crontab job.
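Option 3 worked through in code, as an added example that is not from the original post: the function follows the AWS sequence (create the second key, hand it to consumers, deactivate the old key, delete it only once it is confirmed inactive) using the boto3 IAM client methods `list_access_keys`, `create_access_key`, `update_access_key` and `delete_access_key`. The `FakeIam` class, the `deploy-bot` user and the 120-day age are constructed so the script runs offline; in real use pass `boto3.client("iam")` instead.

```python
from datetime import datetime, timedelta, timezone

def rotate_access_key(iam, user_name, max_age_days=90, now=None):
    """Replace the single active key of user_name if older than max_age_days,
    then deactivate it. Returns (new_key_id, new_secret, old_key_id), or None
    when no rotation is due. iam is a boto3 IAM client or a compatible fake."""
    now = now or datetime.now(timezone.utc)
    keys = iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]
    active = [k for k in keys if k["Status"] == "Active"]
    if len(active) != 1:  # two active keys means a rotation is already in flight
        raise RuntimeError(f"{user_name} has {len(active)} active keys")
    old = active[0]
    if now - old["CreateDate"] < timedelta(days=max_age_days):
        return None
    for k in keys:  # IAM allows two keys per user: drop a leftover inactive one
        if k["Status"] == "Inactive":
            iam.delete_access_key(UserName=user_name, AccessKeyId=k["AccessKeyId"])
    new = iam.create_access_key(UserName=user_name)["AccessKey"]
    # Distribute new["SecretAccessKey"] to every consumer before deactivating
    iam.update_access_key(UserName=user_name, AccessKeyId=old["AccessKeyId"], Status="Inactive")
    return new["AccessKeyId"], new["SecretAccessKey"], old["AccessKeyId"]

def delete_inactive_key(iam, user_name, key_id):
    """Final step once consumers work on the new key; never deletes an Active key."""
    keys = iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]
    if {k["AccessKeyId"]: k["Status"] for k in keys}.get(key_id) != "Inactive":
        raise RuntimeError(f"{key_id} is not an inactive key of {user_name}")
    iam.delete_access_key(UserName=user_name, AccessKeyId=key_id)

class FakeIam:
    """Constructed in-memory stand-in for boto3.client('iam') so this runs offline."""
    def __init__(self, keys): self.keys, self.n = keys, 0
    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [dict(k) for k in self.keys]}
    def create_access_key(self, UserName):
        self.n += 1
        k = {"UserName": UserName, "AccessKeyId": f"AKIAFAKE{self.n:012d}",
             "Status": "Active", "CreateDate": datetime.now(timezone.utc)}
        self.keys.append(k)
        return {"AccessKey": dict(k, SecretAccessKey="constructed-secret")}
    def update_access_key(self, UserName, AccessKeyId, Status):
        next(k for k in self.keys if k["AccessKeyId"] == AccessKeyId)["Status"] = Status
    def delete_access_key(self, UserName, AccessKeyId):
        self.keys = [k for k in self.keys if k["AccessKeyId"] != AccessKeyId]

def demo():
    """Rotate a constructed 120-day-old key for the constructed user deploy-bot."""
    iam = FakeIam([{"UserName": "deploy-bot", "AccessKeyId": "AKIAIOSFODNN7EXAMPLE",
                    "Status": "Active", "CreateDate": datetime.now(timezone.utc) - timedelta(days=120)}])
    result = rotate_access_key(iam, "deploy-bot")
    delete_inactive_key(iam, "deploy-bot", result[2])  # only after consumers are switched
    return result, iam.list_access_keys(UserName="deploy-bot")["AccessKeyMetadata"]
```

Running `demo()` leaves the user with exactly one key, the new active one; the old key ID is returned so the caller can log what was retired.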

See also this Amazon posting and this other one that delves into automation. This medium.com article may be useful for you too. AWS Config can help you comply with your InfoSec team's rules on rotating passwords (as this posting states).

* To learn more about Trusted Advisor, see this external posting.


IAM keys are AWS access keys. We know this because "[a]ccess keys are long-term credentials for an IAM user or the AWS account root user." (The quote was taken from this Amazon page.)

"Access keys consist of two parts: an access key ID (for example, AKIAIOSFODNN7EXAMPLE) and a secret access key (for example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY)."

Source: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html

To learn about the difference between an IAM role and an IAM access key, see this posting.
