Rotate Your AWS Keys in 2 Minutes

This article demonstrates how you can rotate your AWS keys in 2 minutes. Anything longer and I'm certain that nobody will do it. This matters because you should be in the habit of rotating these credentials often. Personally, I set reminders to change my keys every 30 days.

Caveats

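  • You must have only one set of access keys created. IAM allows at most two access keys per user, so creating a new key fails if both slots are already in use.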
  • Your IAM policy must allow you to manage your own keys.
  • You must know where you store your AWS credentials (everyone is a bit different here).

Key Rotation Process

The process is thus:

  1. Create a new Access Key
  2. Copy the new credentials to where you store them
  3. List all of your keys
  4. Find the oldest key in the list
  5. Delete the oldest key

CLI Commands

Here are the commands to do this.

$ aws iam create-access-key
... json returned ...
$ # copy the AWS credentials to where they are loaded/used
$ aws iam list-access-keys
... find the access key that is the oldest ...
... remember its access key id as $id ...
$ aws iam delete-access-key --access-key-id "$id"

Keep repeating this procedure until you are under the 2 minute mark. If you can script it, even better. The actual commands are shown here for illustrative purposes, and to familiarize readers with how simple the key rotation process is.
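
The five steps above as a script, added here as an example (it is not the author's code). It assumes POSIX sh, that your keys live in the shared credentials file under a named profile (the PROFILE variable is an assumption), and it adds one check the steps do not list: the new key must authenticate before the old one is deleted.

```sh
#!/bin/sh
# Added example, not the author's script. PROFILE is an assumption.
PROFILE="${AWS_PROFILE:-default}"

# Print "CreateDate<TAB>AccessKeyId", one line per access key of the caller.
list_keys() {
  aws iam list-access-keys --profile "$PROFILE" \
    --query 'AccessKeyMetadata[].[CreateDate,AccessKeyId]' --output text
}

# Steps 3-4: ISO 8601 timestamps sort lexically, so line 1 is the oldest key.
oldest_key_id() {
  list_keys | sort | head -n 1 | cut -f 2
}

rotate_keys() {
  # Caveat from the article: exactly one key may exist before rotating.
  count=$(( $(list_keys | wc -l) ))
  if [ "$count" -ne 1 ]; then
    echo "expected 1 access key, found $count; nothing changed" >&2
    return 1
  fi
  # Step 1: create the key; the secret is returned only by this call.
  created=$(aws iam create-access-key --profile "$PROFILE" \
    --query 'AccessKey.[AccessKeyId,SecretAccessKey]' --output text) || return 1
  new_id=$(printf '%s\n' "$created" | cut -f 1)
  new_secret=$(printf '%s\n' "$created" | cut -f 2)
  # Step 2: store it (assumes the shared credentials file is where you keep keys).
  aws configure set aws_access_key_id "$new_id" --profile "$PROFILE"
  aws configure set aws_secret_access_key "$new_secret" --profile "$PROFILE"
  # Added safety check: the new key must authenticate before the old one goes.
  # IAM is eventually consistent, so allow a few retries.
  tries=0
  until aws sts get-caller-identity --profile "$PROFILE" >/dev/null 2>&1; do
    tries=$((tries + 1))
    if [ "$tries" -ge 5 ]; then
      echo "new key $new_id did not authenticate; old key kept" >&2
      return 1
    fi
    sleep 3
  done
  # Step 5: delete the oldest key, but never the one just created.
  old_id=$(oldest_key_id)
  if [ -z "$old_id" ] || [ "$old_id" = "$new_id" ]; then
    echo "could not identify the old key; nothing deleted" >&2
    return 1
  fi
  aws iam delete-access-key --profile "$PROFILE" --access-key-id "$old_id" || return 1
  echo "deleted $old_id"
}
```

Source the file and call rotate_keys; on any failure before the last step the old key is left in place, so you can retry.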

While we're talking about security, you put an MFA on your AWS login credentials, right? Right? Good, techie! 😉