I am looking for ways to automate the rotation of access keys (AWS credentials) for a set of users. There is a separate process that creates the Access Keys. I need to be able to rotate the keys in an automated way. This link explains a way to do this for a specific user. How would I be able to achieve this for a list of users? Any thoughts or recommendations?
- Modify the code to run in a loop over a list of your users. You want to do it periodically through CloudWatch rules, or initiate rotation manually? – Marcin Sep 15 '20 at 23:27
- I want this process to run when the Access Key Age exceeds 90 days – fledgling Sep 15 '20 at 23:29
- Why not expire them each 90 days automatically, and then they can generate new ones themselves via the management console? – Rodrigo Murillo Sep 16 '20 at 00:39
- How can they expire automatically? Is there a setting that does that? Also, re-creating new keys needs to be automated as well – fledgling Sep 16 '20 at 02:53
- Before looking at the code, I would ask: "How will you distribute the new keys? How will you know when to disable the old key? How are the keys currently being used (are they for apps, or are they being used by people)? How will the keys be updated on those systems?" The answers will likely influence how you implement the rotation. – John Rotenstein Sep 16 '20 at 03:15
2 Answers
You can use AWS Config to mark the old access keys non-compliant (https://docs.aws.amazon.com/config/latest/developerguide/access-keys-rotated.html) and then use CloudWatch Events (my article on how to do this) to run a Lambda function that deletes the old key, creates a new one, then sends it to the user.

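The rotation step of that answer, worked out for a list of users as an added example (not the answer's or the linked article's code). The IAM client is injected, so the constructed `FakeIAM` stand-in runs it offline; in the Lambda you would pass `boto3.client("iam")` and a `deliver()` callback that hands the new secret to the user through a secret store rather than writing it to the log.

```python
"""Rotate IAM access keys older than N days for a list of users (added example, not the linked
article's code). The IAM client is injected so the logic runs offline against the fake below."""
from datetime import datetime, timedelta, timezone

MAX_KEYS_PER_USER = 2  # IAM limit: a user holds at most two access keys at once

def rotate_user(iam, username, deliver, max_age_days=90, now=None):
    """Create a replacement key, hand it off via deliver(), then deactivate stale keys.
    Old keys are deactivated, not deleted, so a missed consumer can be re-enabled;
    a later run deletes inactive stale keys to free the slot for the next rotation."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=max_age_days)
    keys = iam.list_access_keys(UserName=username)["AccessKeyMetadata"]
    stale = [k for k in keys if k["CreateDate"] < cutoff]
    if not stale:
        return {"user": username, "action": "none"}
    if len(keys) >= MAX_KEYS_PER_USER:
        inactive = [k for k in stale if k["Status"] == "Inactive"]
        if not inactive:  # two active keys: no room for a third, leave it for a human
            return {"user": username, "action": "skipped", "reason": "two active keys"}
        iam.delete_access_key(UserName=username, AccessKeyId=inactive[0]["AccessKeyId"])
        stale.remove(inactive[0])
    new = iam.create_access_key(UserName=username)["AccessKey"]
    deliver(username, new["AccessKeyId"], new["SecretAccessKey"])  # caller decides the channel
    deactivated = [k["AccessKeyId"] for k in stale if k["Status"] == "Active"]
    for key_id in deactivated:
        iam.update_access_key(UserName=username, AccessKeyId=key_id, Status="Inactive")
    return {"user": username, "action": "rotated", "new_key": new["AccessKeyId"],
            "deactivated": deactivated}

def rotate_users(iam, usernames, deliver, max_age_days=90, now=None):
    return [rotate_user(iam, u, deliver, max_age_days, now) for u in usernames]

class FakeIAM:
    """Constructed in-memory stand-in for boto3's IAM client (same call shapes, no network)."""
    def __init__(self, keys):  # keys: {user: [(key_id, status, create_date), ...]}
        self.keys = {u: [dict(AccessKeyId=i, Status=s, CreateDate=d) for i, s, d in ks]
                     for u, ks in keys.items()}
        self.counter = 0
    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": list(self.keys[UserName])}
    def create_access_key(self, UserName):
        self.counter += 1
        key = dict(AccessKeyId=f"AKIANEW{self.counter}", Status="Active", CreateDate=datetime.now(timezone.utc))
        self.keys[UserName].append(key)
        return {"AccessKey": dict(key, SecretAccessKey="constructed-secret")}
    def update_access_key(self, UserName, AccessKeyId, Status):
        next(k for k in self.keys[UserName] if k["AccessKeyId"] == AccessKeyId)["Status"] = Status
    def delete_access_key(self, UserName, AccessKeyId):
        self.keys[UserName] = [k for k in self.keys[UserName] if k["AccessKeyId"] != AccessKeyId]
```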
Access keys are generally used for programmatic access by applications. If these applications are running in, say, EC2, you should use roles for EC2. This will install temporary credentials on the instance that are automatically rotated for you. The AWS CLI and SDKs know how to automatically retrieve these credentials, so you don't need to add them in the application either.
Other compute solutions (Lambda, ECS/EKS) also have ways to provision roles for applications.
