How to rotate the Access key of a user in AWS

Pragti Chauhan

IAM access key rotation is a healthy security practice: once a key has been rotated, any copy that leaked earlier, whether through reuse, a breach, or a user's mistake, no longer works. The CIS AWS Foundations Benchmark also flags a user whose access key has not been rotated in the last 90 days as non-compliant. Rotation does not replace basic hygiene, though: do not hardcode keys in source code, do not share them over email or chat, and where possible prefer IAM roles and temporary credentials over long-lived access keys.

In this article, we will go through the steps required to rotate an Access key for a user in AWS.

Note: Before rotating an access key, make sure you know, and have access to, every place where the key is currently used (CI pipelines, application configuration, developer machines, third-party integrations), so that no application or access breaks when the old key is deactivated.

Rotate the Access key for an IAM user

Following are the steps to rotate the Access key for an IAM user in AWS:

  1. Log in to the AWS Management Console and open the IAM service

    IAM Service

  2. Under Access management in the IAM dashboard, choose Users

    IAM Users

  3. Select the user from the list for whom you want to rotate the Access key

    Select IAM User

  4. On the user's Summary page, open the Security credentials tab

    Security Credentials

  5. Under Access keys section, we can see the access keys and their status for the user

    Access Keys Section

  6. Click on Create access key to create a new access key for the user. An IAM user can have at most two access keys at a time, so if the user already has two, delete the unused one before continuing

    Create Access Key

  7. Select the appropriate option under Access key best practices and alternatives and click on Next button

    Select Access Key Option

  8. Set a description tag for the new access key and click on Create access key button

    Access Key Description

  9. Copy the Access key ID and Secret access key, or download the .csv file, and store them in a secure place such as your secrets manager: the secret access key is shown only once and cannot be retrieved later. Click on Done

    Access Key Created

  10. Replace the old access key with the new one wherever the old key is used, and confirm that the new key works in every one of those places before going further

  11. Now deactivate the old access key. First check the Last used column for the old key: if it still shows use after you deployed the new key, a consumer was missed. Then click on the Actions dropdown button for the old key and select Deactivate

    Deactivate Old Key

  12. Click on Deactivate button

    Confirm Deactivation

  13. Once the old key has been deactivated, verify again that everything works with the new key and that no place was missed. Deactivation is reversible: if something breaks, reactivate the old key from the same Actions dropdown (Activate) while you fix the missed consumer

  14. If everything works with the new key, delete the old access key: click on the Actions dropdown button for the old key and select Delete

    Delete Old Key

  15. Type the Access key ID of the old key to confirm and click on Delete. Unlike deactivation, deletion is permanent

    Confirm Key Deletion

  16. The old access key is now deleted and only the newly created key remains

    Access Key Rotated
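
The same rotation driven through the IAM API, as an added example that is not part of the original article and not AWS-provided code. It assumes boto3 for a live run, with credentials allowed to call iam:ListAccessKeys, iam:CreateAccessKey, iam:GetAccessKeyLastUsed, iam:UpdateAccessKey and iam:DeleteAccessKey on the target user; the user name `deploy-bot`, the `FakeIam` stand-in and its key IDs and timestamps are constructed so the demo runs offline. The two checks the console steps rely on you doing by eye, the two-key limit and "was the old key used after the new one went live", are enforced in code.

```python
"""Rotate an IAM user's access key through the IAM API (boto3) instead of the console.

Added example for this article, not AWS code. It follows the console steps above:
create the replacement key, deploy it to every consumer (still a manual or
tooling step), confirm the old key has gone quiet, deactivate it, then delete it.
`iam` is any object exposing the boto3 IAM client methods used here, so the same
functions run against a real client or the offline FakeIam below. The user name
"deploy-bot", the key IDs and the timestamps in the demo are constructed.
"""
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE_DAYS = 90  # threshold used by the CIS AWS Foundations Benchmark check


def active_keys_older_than(iam, user, max_age_days=MAX_KEY_AGE_DAYS, now=None):
    """IDs of the user's active keys older than max_age_days (what the CIS check flags)."""
    cutoff = (now or datetime.now(timezone.utc)) - timedelta(days=max_age_days)
    keys = iam.list_access_keys(UserName=user)["AccessKeyMetadata"]
    return [k["AccessKeyId"] for k in keys if k["Status"] == "Active" and k["CreateDate"] < cutoff]


def create_replacement_key(iam, user):
    """Steps 6-9. IAM allows two keys per user, so refuse early if both slots are taken."""
    if len(iam.list_access_keys(UserName=user)["AccessKeyMetadata"]) >= 2:
        raise RuntimeError(f"{user} already has two access keys; delete an unused one first")
    key = iam.create_access_key(UserName=user)["AccessKey"]
    return key["AccessKeyId"], key["SecretAccessKey"]  # the secret is only returned here


def key_idle_since(iam, key_id, since):
    """True if IAM reports no use of key_id at or after `since` (a tz-aware datetime).
    LastUsedDate is absent for never-used keys and can lag real use by minutes."""
    last = iam.get_access_key_last_used(AccessKeyId=key_id)["AccessKeyLastUsed"].get("LastUsedDate")
    return last is None or last < since


def retire_old_key(iam, user, old_key_id, deployed_at, delete=False):
    """Steps 11-15. Refuse if the old key was used after the new one was deployed
    (a consumer was missed); otherwise deactivate it, and delete it only when asked."""
    if not key_idle_since(iam, old_key_id, deployed_at):
        raise RuntimeError(f"{old_key_id} was used after {deployed_at:%Y-%m-%d %H:%M}Z; a consumer was missed")
    iam.update_access_key(UserName=user, AccessKeyId=old_key_id, Status="Inactive")
    if delete:
        iam.delete_access_key(UserName=user, AccessKeyId=old_key_id)
    return "Deleted" if delete else "Inactive"


class FakeIam:
    """Offline stand-in for boto3.client("iam"), constructed for the demo; same call shapes."""

    def __init__(self, keys, last_used):
        self.keys, self.last_used, self.created = keys, last_used, 0

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [k for k in self.keys if k["UserName"] == UserName]}

    def create_access_key(self, UserName):
        self.created += 1
        key = {"UserName": UserName, "AccessKeyId": f"AKIAFAKE{self.created:012d}",
               "Status": "Active", "CreateDate": datetime.now(timezone.utc)}
        self.keys.append(key)
        return {"AccessKey": dict(key, SecretAccessKey="fake-secret")}

    def get_access_key_last_used(self, AccessKeyId):
        return {"AccessKeyLastUsed": {"LastUsedDate": self.last_used.get(AccessKeyId)}}

    def update_access_key(self, UserName, AccessKeyId, Status):
        next(k for k in self.keys if k["AccessKeyId"] == AccessKeyId)["Status"] = Status

    def delete_access_key(self, UserName, AccessKeyId):
        self.keys = [k for k in self.keys if k["AccessKeyId"] != AccessKeyId]


def demo():
    """Full rotation against FakeIam; returns the user's keys afterwards as (id, status)."""
    now, user = datetime.now(timezone.utc), "deploy-bot"
    old = {"UserName": user, "AccessKeyId": "AKIAFAKEOLD000000000", "Status": "Active",
           "CreateDate": now - timedelta(days=120)}
    iam = FakeIam([old], {old["AccessKeyId"]: now - timedelta(days=1)})  # last used yesterday
    flagged = active_keys_older_than(iam, user, now=now)                # the 120-day-old key
    new_id, _secret = create_replacement_key(iam, user)
    deployed_at = now  # here you would push new_id/_secret to every consumer and test them
    for key_id in flagged:
        retire_old_key(iam, user, key_id, deployed_at, delete=True)
    return [(k["AccessKeyId"], k["Status"]) for k in iam.keys]


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 2:  # live read-only check: python rotate_key.py <iam-user-name>
        import boto3
        print(active_keys_older_than(boto3.client("iam"), sys.argv[1]))
    else:
        print(demo())
```

In a real rotation, call `retire_old_key` twice: first with `delete=False` and leave the key inactive for a day or two, then again with `delete=True` once nothing has complained. Running the script with a user name only lists the keys the 90-day check would flag; the create, deactivate and delete calls are left to be invoked deliberately because the deployment step between them cannot be automated generically.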