IAM access key rotation is a healthy security practice: it ensures that any key that may have been leaked, whether through reuse, a breach, or inadvertently by the user, becomes useless to whoever holds it. The AWS CIS Foundations Benchmark also flags a user whose key has not been rotated in the last 90 days as non-compliant. It is also recommended to use access keys safely and to follow basic hygiene, such as not hardcoding keys in code and not sharing them over email.
In this article, we will go through the steps required to rotate an access key for a user using the AWS CLI.
Note: Before rotating an access key, make sure you know and have access to all the places where the key is currently being used, so that you can ensure no application or access is broken by the rotation.
Following are the steps to rotate the access key for an IAM user using the AWS CLI:

1. To list the IAM users, run the following command:

    aws iam list-users

2. For a selected user from the list, check their access keys by running the following command. It lists the user's access keys along with each key's status. Note down the access key ID of the key that you want to rotate:

    aws iam list-access-keys --user-name <IAM_username>

3. Create a new access key for the above IAM user by running the following command. Save the new access key ID and secret access key securely:

    aws iam create-access-key --user-name <IAM_username>

4. Replace the old access key with the new one wherever the old key is being used. Make sure the new access key works in every place where it has been substituted.

5. Now deactivate the old access key by running the following command, providing the access key ID of the old key that you noted down in step 2:

    aws iam update-access-key --access-key-id <Old_Access_Key_ID> --status Inactive --user-name <IAM_username>

6. Once the old key has been deactivated, make sure that all your access is working as expected with the new key in its place and that you have not missed any place where the new key needed to be added.

7. If all access is working as expected with the new key, you can now delete the old access key. Run the following command to delete it:

    aws iam delete-access-key --access-key-id <Old_Access_Key_ID> --user-name <IAM_username>

8. The old access key is now deleted, and you can confirm this by running the command from step 2 again:

    aws iam list-access-keys --user-name <IAM_username>
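The script below is an added example and is not part of the original article or any AWS tooling. It drives the eight steps above as four phases (precheck, create, deactivate, delete), so the manual work in steps 4 and 6 happens between phases rather than being skipped by automation. It goes slightly beyond the article in two places that matter in practice: it refuses to start unless the user has exactly one key (IAM allows at most two access keys per user, so create-access-key fails when two already exist), and it proves the new key works with an aws sts get-caller-identity call before it hands the key over, retrying briefly because IAM is eventually consistent and a freshly created key can be rejected for a few seconds. It assumes the AWS CLI is on PATH, that the caller's own credentials are permitted to manage the target user's keys, and that the user name passed in (alice in the usage) is a placeholder; the AWS variable names the CLI binary and exists only so a stub can stand in for it when testing.

```shell
#!/bin/sh
# rotate-access-key.sh (added example, not from the original article).
# Drives the rotation procedure in four phases so the manual steps, updating
# every place the old key is used and checking access, happen between phases.
# Assumptions: the AWS CLI is on PATH and the caller's credentials may manage
# the target user's keys. AWS names the CLI binary so a stub can replace it.
set -eu

AWS="${AWS:-aws}"

# Print the IDs of every access key the user currently has (steps 2 and 8).
list_key_ids() {
  "$AWS" iam list-access-keys --user-name "$1" \
    --query 'AccessKeyMetadata[].AccessKeyId' --output text
}

# Step 2 with a safety check: IAM allows at most two access keys per user, so
# create-access-key fails when two already exist, and rotation is ambiguous
# unless exactly one key is present. Prints that key's ID for steps 5 and 7.
rotate_precheck() {
  user="$1"
  ids=$(list_key_ids "$user")
  n=$(printf '%s\n' "$ids" | wc -w | tr -d ' ')
  if [ "$n" -ne 1 ]; then
    echo "expected exactly one existing key for $user, found $n: $ids" >&2
    return 1
  fi
  printf '%s\n' "$ids"
}

# Step 3: create the new key and prove it works with an STS call before any
# application is switched to it. IAM is eventually consistent, so a new key
# can be rejected for a few seconds after creation; retry briefly.
rotate_create() {
  user="$1"
  pair=$("$AWS" iam create-access-key --user-name "$user" \
    --query 'AccessKey.[AccessKeyId,SecretAccessKey]' --output text)
  read -r new_id new_secret <<EOF
$pair
EOF
  i=0
  until AWS_ACCESS_KEY_ID="$new_id" AWS_SECRET_ACCESS_KEY="$new_secret" \
        "$AWS" sts get-caller-identity >/dev/null 2>&1; do
    i=$((i + 1))
    if [ "$i" -ge 10 ]; then
      echo "new key $new_id did not validate; it exists, store it before retrying" >&2
      return 1
    fi
    sleep 2
  done
  # Hand the pair to the caller to put in a secrets manager, not in a file.
  printf '%s\t%s\n' "$new_id" "$new_secret"
}

# Step 5: deactivate the old key once the new one is in use everywhere.
# An Inactive key can be set back to Active, so this is the reversible checkpoint.
rotate_deactivate() {
  "$AWS" iam update-access-key --user-name "$1" --access-key-id "$2" --status Inactive
}

# Steps 7 and 8: delete the old key, then confirm it no longer appears.
rotate_delete() {
  user="$1"
  old_id="$2"
  "$AWS" iam delete-access-key --user-name "$user" --access-key-id "$old_id"
  remaining=$(list_key_ids "$user" | tr '\t\n' '  ')
  case " $remaining " in
    *" $old_id "*)
      echo "key $old_id is still listed for $user" >&2
      return 1 ;;
  esac
  echo "deleted $old_id; remaining keys for $user: $remaining"
}

# Usage: rotate-access-key.sh precheck|create|deactivate|delete <user> [old-key-id]
if [ $# -gt 0 ]; then
  cmd="$1"
  shift
  case "$cmd" in
    precheck)   rotate_precheck "${1:?user required}" ;;
    create)     rotate_create "${1:?user required}" ;;
    deactivate) rotate_deactivate "${1:?user required}" "${2:?old key ID required}" ;;
    delete)     rotate_delete "${1:?user required}" "${2:?old key ID required}" ;;
    *) echo "usage: $0 precheck|create|deactivate|delete <user> [old-key-id]" >&2; exit 2 ;;
  esac
fi
```

Run it as `./rotate-access-key.sh precheck alice`, then `create alice` (store the printed pair immediately), update every consumer of the old key by hand, then `deactivate alice <Old_Access_Key_ID>`, watch for failures, and only then `delete alice <Old_Access_Key_ID>`. Keeping deactivate and delete as separate invocations preserves the reversible checkpoint from step 5: an Inactive key can be re-enabled if something was missed, a deleted one cannot.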