Access keys provide programmatic access to AWS resources, and how you manage them can determine your level of cloud...
AWS access keys consist of an access key ID and a secret access key. Each AWS Identity and Access Management (IAM) user can have up to two active access keys at once, which is what makes rotation without downtime possible. To limit the damage a leaked key can do, organizations should rotate keys automatically and on a schedule; done in the right order, the process causes no disruption.
If your application runs on Amazon EC2, use an IAM role rather than hard-coding access keys on the instance. A role delivers short-lived credentials that carry the permissions in the role's policy, and nothing more. Applications on the instance use the role attached to it to obtain those temporary credentials and sign their API requests with them.
To give an EC2 instance a role, create an instance profile that contains the role and attach the profile to the instance. EC2 then exposes the role's temporary credentials through the instance metadata service under iam/security-credentials/role-name, where you can see the access key ID, secret access key, session token and expiry time. The credentials are always available, and AWS rotates them automatically before they expire, multiple times each day. If you use an AWS software development kit (SDK), you need no credential-handling code: the SDK's default credential provider chain reads the instance metadata for you, so the only change is to remove any hard-coded keys. Anything that can issue HTTP requests from the instance, including a server-side request forgery (SSRF) bug in the application, can read that endpoint, so require IMDSv2 (which demands a session token obtained with a PUT request) by setting the instance's http-tokens metadata option to required.
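The metadata exchange just described, as an added example that is not code from the original article or from AWS: a standard-library Python script that performs the IMDSv2 token request, reads the role name and its credentials, reports the time to expiry, and checks that token-less (IMDSv1-style) reads are refused. The 169.254.169.254 endpoint, paths and header names are the real ones; fake_imds_opener, demo-app-role, the FAKE-* token strings and SAMPLE_CREDS are constructed stand-ins so it runs offline. On a real instance the SDK credential chain does this for you; pass urllib.request.urlopen as the opener to run it for real.

```python
# Added example: IMDSv2 credential read. Real endpoint/paths; fake opener is constructed.
import json
import urllib.error
import urllib.request
from datetime import datetime, timezone

IMDS = "http://169.254.169.254/latest"          # link-local metadata endpoint
TOKEN_HEADER = "X-aws-ec2-metadata-token"


def imds_request(method, path, headers, opener=urllib.request.urlopen):
    """One IMDS call; returns the body as text. Raises urllib.error.HTTPError on 4xx."""
    req = urllib.request.Request(IMDS + path, method=method, headers=headers)
    with opener(req, timeout=2) as resp:
        return resp.read().decode()


def instance_role_credentials(opener=urllib.request.urlopen):
    """IMDSv2: PUT for a session token, then GET the role name and its credentials.
    The JSON has Code, LastUpdated, Type, AccessKeyId, SecretAccessKey, Token and
    Expiration; AWS refreshes it before Expiration, so never cache it past that."""
    token = imds_request("PUT", "/api/token",
                         {"X-aws-ec2-metadata-token-ttl-seconds": "21600"}, opener)
    auth = {TOKEN_HEADER: token}
    role = imds_request("GET", "/meta-data/iam/security-credentials/", auth, opener).strip()
    body = imds_request("GET", f"/meta-data/iam/security-credentials/{role}", auth, opener)
    return role, json.loads(body)


def seconds_until_expiry(creds, now=None):
    """How long the current credentials remain valid (Expiration is ISO-8601 UTC)."""
    exp = datetime.strptime(creds["Expiration"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return int((exp - (now or datetime.now(timezone.utc))).total_seconds())


def imdsv2_required(opener=urllib.request.urlopen):
    """True if a token-less GET is rejected with HTTP 401, i.e. http-tokens=required
    is enforced, which is what blunts SSRF-driven credential theft."""
    try:
        imds_request("GET", "/meta-data/iam/security-credentials/", {}, opener)
        return False
    except urllib.error.HTTPError as err:
        return err.code == 401


# ---- constructed offline stand-in for the metadata service (not AWS code) ----
DEMO_NOW = datetime(2024, 6, 1, 10, 0, tzinfo=timezone.utc)
SAMPLE_CREDS = {  # constructed sample in the real response shape; not live credentials
    "Code": "Success", "LastUpdated": "2024-06-01T10:00:00Z", "Type": "AWS-HMAC",
    "AccessKeyId": "ASIAIOSFODNN7EXAMPLE",
    "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "Token": "FAKE-SESSION-TOKEN", "Expiration": "2024-06-01T16:00:00Z",
}


class _FakeResponse:
    def __init__(self, body):
        self._body = body.encode()

    def read(self):
        return self._body

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


def fake_imds_opener(req, timeout=None):
    """Answers like an instance with IMDSv2 enforced: PUT /api/token hands out a token,
    every other path needs it in the X-aws-ec2-metadata-token header or gets 401."""
    path = req.full_url[len(IMDS):]
    if req.get_method() == "PUT" and path == "/api/token":
        return _FakeResponse("FAKE-IMDS-TOKEN")
    if req.get_header(TOKEN_HEADER) != "FAKE-IMDS-TOKEN":
        raise urllib.error.HTTPError(req.full_url, 401, "Unauthorized", {}, None)
    if path == "/meta-data/iam/security-credentials/":
        return _FakeResponse("demo-app-role\n")
    if path == "/meta-data/iam/security-credentials/demo-app-role":
        return _FakeResponse(json.dumps(SAMPLE_CREDS))
    raise urllib.error.HTTPError(req.full_url, 404, "Not Found", {}, None)


def demo(opener=fake_imds_opener, now=DEMO_NOW):
    """Run the whole exchange and summarize it; swap in urllib.request.urlopen on EC2."""
    role, creds = instance_role_credentials(opener)
    return {"role": role, "key_id": creds["AccessKeyId"],
            "expires_in": seconds_until_expiry(creds, now), "v2_enforced": imdsv2_required(opener)}


if __name__ == "__main__":
    print(demo())
```

The check in imdsv2_required is the one worth keeping in a fleet audit: an instance that answers a bare GET on iam/security-credentials/ will hand its role credentials to any SSRF that can reach 169.254.169.254.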
Enable rotation for AWS access keys
If the application is not hosted on an EC2 instance, it needs long-lived AWS access keys. Likewise, some third-party applications hosted on an EC2 instance need keys because they do not support IAM roles. In both cases, the application owner should define a rotation policy for the keys, such as a maximum key age, and implement it with the AWS Command Line Interface (AWS CLI), the AWS Management Console or an AWS SDK.
To rotate AWS access keys, follow these five steps:
- Create a second access key while the first is still active. AWS allows at most two access keys per user, so the user must have a free slot. Run aws iam create-access-key --user-name <user>. The secret access key is returned only in this response and cannot be retrieved later, so store it in your secrets store immediately.
- Distribute the new key to every application instance and confirm the application is using it. Run aws iam get-access-key-last-used --access-key-id <new-key-id>; it reports the date, service and region of the key's last use, and the absence of a LastUsedDate means the key has not been used yet.
- Deactivate, but do not delete, the old key: aws iam update-access-key --access-key-id <old-key-id> --status Inactive. Confirm with aws iam list-access-keys --user-name <user>, which lists each key with its status.
- Verify that the application still works now that only the new key is active. If it does not, reactivate the old key with aws iam update-access-key --access-key-id <old-key-id> --status Active and fix the rollout before trying again.
- Delete the old access key: aws iam delete-access-key --access-key-id <old-key-id>. Deletion is irreversible, so do it only after step four has passed.
You can automate these five steps with a script, but because step four must verify that the application works with the newly generated key, that step will differ for each application.
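The five steps above as one script, added here as an example and not code from the original article or from AWS. It talks to IAM through the boto3 method names and response shapes (list_access_keys, create_access_key, update_access_key, delete_access_key, get_access_key_last_used), so a real run passes boto3.client("iam") together with your own distribute and verify callbacks. FakeIam, the svc-backup user, the AKIAFAKE... key IDs and the sign_request hook are constructed stand-ins so the script runs offline; it also exercises the step-four rollback, which the article describes but a script must get right.

```python
# Added example (not the article's code): boto3-style IAM client, real or FakeIam below.
import secrets
from datetime import datetime, timedelta, timezone

DEMO_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

class RotationFailed(RuntimeError):
    """The application could not use the new key; the old key has been restored."""

def keys_needing_rotation(iam, user_name, max_age_days, now=None):
    """Rotation policy: IDs of active keys older than max_age_days (by CreateDate)."""
    now = now or datetime.now(timezone.utc)
    return [k["AccessKeyId"]
            for k in iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]
            if k["Status"] == "Active" and now - k["CreateDate"] > timedelta(days=max_age_days)]

def key_was_used(iam, access_key_id):
    """get-access-key-last-used check: LastUsedDate is absent until the key has signed
    a request. Real IAM may report a first use with some delay, so poll before giving up."""
    return "LastUsedDate" in iam.get_access_key_last_used(AccessKeyId=access_key_id)["AccessKeyLastUsed"]

def rotate_access_key(iam, user_name, distribute, verify):
    """Steps 1-5. distribute(key_id, secret) rolls the new key out to every instance;
    verify(key_id) returns True once the application works with it. On failure the old
    key is reactivated and the untrusted new key deleted, leaving the user as before."""
    keys = iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]
    if len(keys) != 1:
        raise RotationFailed(f"{user_name} has {len(keys)} keys; need exactly one (limit is two)")
    old_id = keys[0]["AccessKeyId"]
    new = iam.create_access_key(UserName=user_name)["AccessKey"]      # 1. second key, old still active
    new_id, secret = new["AccessKeyId"], new["SecretAccessKey"]         # secret is returned only here
    distribute(new_id, secret)                                          # 2. roll out
    iam.update_access_key(UserName=user_name, AccessKeyId=old_id, Status="Inactive")   # 3. deactivate
    if not verify(new_id):                                              # 4. verify, else roll back
        iam.update_access_key(UserName=user_name, AccessKeyId=old_id, Status="Active")
        iam.delete_access_key(UserName=user_name, AccessKeyId=new_id)
        raise RotationFailed(f"application failed with {new_id}; {old_id} reactivated")
    iam.delete_access_key(UserName=user_name, AccessKeyId=old_id)       # 5. irreversible
    return {"old": old_id, "new": new_id}

class FakeIam:
    """Constructed stand-in for boto3's IAM client (same calls, argument names and
    response shapes as far as this procedure needs). Not AWS code."""

    def __init__(self, user_name, key_id, created):
        self._keys = {key_id: {"UserName": user_name, "AccessKeyId": key_id,
                               "Status": "Active", "CreateDate": created}}
        self._used, self._seq = set(), 0

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [dict(k) for k in self._keys.values() if k["UserName"] == UserName]}

    def create_access_key(self, UserName):
        if sum(k["UserName"] == UserName for k in self._keys.values()) >= 2:
            raise RuntimeError("LimitExceeded: a user may have at most two access keys")
        self._seq += 1
        meta = {"UserName": UserName, "AccessKeyId": f"AKIAFAKE{self._seq:012d}",
                "Status": "Active", "CreateDate": DEMO_NOW}
        self._keys[meta["AccessKeyId"]] = meta
        return {"AccessKey": dict(meta, SecretAccessKey=secrets.token_urlsafe(30))}

    def update_access_key(self, UserName, AccessKeyId, Status):
        self._keys[AccessKeyId]["Status"] = Status

    def delete_access_key(self, UserName, AccessKeyId):
        del self._keys[AccessKeyId]

    def get_access_key_last_used(self, AccessKeyId):
        info = {"ServiceName": "s3", "Region": "us-east-1"}
        if AccessKeyId in self._used:
            info["LastUsedDate"] = DEMO_NOW
        return {"AccessKeyLastUsed": info}

    def sign_request(self, AccessKeyId):
        """Fake-only hook: the application makes an API call with this key."""
        if self._keys[AccessKeyId]["Status"] != "Active":
            raise PermissionError(f"{AccessKeyId} is inactive")
        self._used.add(AccessKeyId)

def demo(app_accepts_new_key=True):
    """Offline run: a 120-day-old key under a 90-day policy is rotated, or rolled back
    when the (simulated) application never manages to use the new key."""
    user, old_id = "svc-backup", "AKIAIOSFODNN7EXAMPLE"   # constructed; AWS's documented placeholder ID
    iam = FakeIam(user, old_id, DEMO_NOW - timedelta(days=120))
    stale = keys_needing_rotation(iam, user, max_age_days=90, now=DEMO_NOW)
    outcome = None
    if stale:
        def distribute(key_id, secret):
            if app_accepts_new_key:
                iam.sign_request(key_id)        # redeployed app makes its first call
        try:
            outcome = rotate_access_key(iam, user, distribute, lambda kid: key_was_used(iam, kid))
        except RotationFailed as exc:
            outcome = str(exc)
    keys = iam.list_access_keys(UserName=user)["AccessKeyMetadata"]
    return {"stale": stale, "outcome": outcome, "keys": [(k["AccessKeyId"], k["Status"]) for k in keys]}

if __name__ == "__main__":
    print(demo(True), demo(False), sep="\n")
```

Steps two and four are the application-specific part: distribute pushes the new key to wherever the application reads it (a secrets manager, a deployment pipeline) and verify is your health check. Between step three and a rollback the application is running on an inactive key, so keep verify fast, and prefer an application-level probe to the last-used lookup alone.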