Enhancing Security in AWS: Rotate Access Keys Regularly

What are access keys?

Access keys are long-term credentials that AWS uses to identify and authenticate a user or a program making API calls to AWS services. An access key consists of an access key ID and a secret access key. The access key ID is a non-secret identifier that associates the key with an IAM principal in the AWS account, while the secret access key must be kept private: it is the secret used to sign every request to AWS, so anyone holding it can act as that principal.

Why do access keys need to be rotated frequently?

Rotating access keys is a security best practice that offers several benefits which include:

  • Minimizing the risk of compromised keys: by regularly changing access keys, the window of opportunity for attackers to exploit compromised keys is reduced.

  • Addressing compliance requirements: many compliance standards mandate regular key rotation to enhance security.

  • Identifying security breaches: access key rotation forces organizations to audit access and permissions, helping to identify potential security breaches.

Risks associated if access keys are not rotated regularly:

If access keys are not rotated periodically, it can cause:

  • Increased vulnerability to unauthorized access: if access keys remain unchanged for extended periods, the risk of unauthorized access to AWS resources increases.

  • Longer exposure to compromised keys: in case an access key gets compromised, failing to rotate the key allows attackers more time to exploit it.

  • Non-compliance with security standards: neglecting access key rotation can result in non-compliance with security regulations and standards.

How to rotate access keys:

Rotating access keys regularly is the recommended practice for any IAM user that still needs long-term credentials. Here are the steps to rotate access keys:

To determine when access keys need rotating (console):

1. Sign into the AWS Management Console and open the AWS IAM console.
2. In the navigation pane, choose Users.
3. If necessary, add the Access key age column to the users table by completing the following steps:
      a. Above the table on the far right, choose the settings icon.
      b. In Manage columns, select Access key age.
      c. Choose Close to return to the list of users.
4. The access key age column shows the number of days since the oldest active access key was created. You can use this information to find users with access keys that need rotating. The column displays None for users with no access key.

To rotate access keys for an IAM user without interrupting your applications (console):

While the first access key is still active, create a second access key.

1. Sign into the AWS Management Console and open the AWS IAM console.
2. In the navigation pane, choose Users.
3. Choose the name of the intended user, and then choose the Security credentials tab.
4. In the Access keys section, choose Create access key. On the Access key best practices & alternatives page, choose Other, then choose Next.
5. (Optional) Set a description tag value for the access key to add a tag key-value pair to this IAM user. This can help you identify and rotate access keys later. The tag key is set to the access key id. The tag value is set to the access key description that you specify. When you are finished, choose Create access key.
6. On the Retrieve access keys page, choose either Show to reveal the value of your user's secret access key, or Download .csv file. This is your only opportunity to save your secret access key. After you've saved your secret access key in a secure location, choose Done. When you create an access key for your user, that key pair is active by default, and your user can use the pair right away. At this point, the user has two active access keys.
7. Update all applications and tools to use the new access key.
8. Determine whether the first access key is still in use by reviewing the Last used information for the oldest access key. One approach is to wait several days and then check the old access key for any use before proceeding.
9. Even if the Last used information indicates that the old key has never been used, we recommend that you do not immediately delete the first access key. Instead, choose Actions and then choose Deactivate to deactivate the first access key.
10. Use only the new access key to confirm that your applications are working. Any applications and tools that still use the original access key will stop working at this point because they no longer have access to AWS resources. If you find such an application or tool, you can reactivate the first access key. Then return to Step 7 and update this application to use the new key.
11. After you wait some period of time to ensure that all applications and tools have been updated, you can delete the first access key:
      a. Sign into the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
      b. In the navigation pane, choose Users.
      c. Choose the name of the intended user, and then choose the Security credentials tab.
      d. In the Access keys section for the access key you want to delete, choose Actions, and then choose Delete. Follow the instructions in the dialog to first Deactivate and then confirm the deletion.
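The two console procedures above (finding users whose oldest active key is past its age threshold, and the create-second-key / deactivate / delete sequence) are the kind of thing teams script once they have more than a handful of users. The following is an added example and is not code from the original post or from AWS. It runs the audit and the rotation steps against a constructed in-memory stand-in for the IAM API (`FakeIAM`) so that it executes offline; the stand-in mimics only the call shapes of the real boto3 IAM client methods it uses (`list_access_keys`, `create_access_key`, `update_access_key`, `get_access_key_last_used`, `delete_access_key`), and the 90-day threshold and 7-day quiet period are assumed policy values, not AWS settings. Replacing `FakeIAM` with `boto3.client("iam")` is the only change needed to run it for real.

```python
from datetime import timedelta
import secrets

MAX_KEY_AGE_DAYS = 90   # rotation threshold; an assumed policy value, not an AWS default
KEYS_PER_USER = 2       # IAM allows at most two access keys per user


class FakeIAM:
    """Constructed in-memory stand-in for the IAM access-key API (not boto3).

    `clock` is the simulated current time, so key ages are deterministic.
    Only the call shapes used by the functions below are mimicked.
    """

    def __init__(self, clock):
        self.clock = clock
        self._keys = {}        # AccessKeyId -> metadata dict
        self._last_used = {}   # AccessKeyId -> datetime or None

    def list_access_keys(self, UserName):
        keys = [dict(k) for k in self._keys.values() if k["UserName"] == UserName]
        return {"AccessKeyMetadata": keys}

    def create_access_key(self, UserName):
        if len(self.list_access_keys(UserName=UserName)["AccessKeyMetadata"]) >= KEYS_PER_USER:
            raise RuntimeError("LimitExceeded: user already has two access keys")
        key_id = "AKIA" + secrets.token_hex(8).upper()   # 20 chars, like a real key ID
        self._keys[key_id] = {"UserName": UserName, "AccessKeyId": key_id,
                              "Status": "Active", "CreateDate": self.clock}
        self._last_used[key_id] = None
        # The secret is returned exactly once, as in the real API.
        return {"AccessKey": {"AccessKeyId": key_id,
                              "SecretAccessKey": secrets.token_urlsafe(30)}}

    def update_access_key(self, UserName, AccessKeyId, Status):
        self._keys[AccessKeyId]["Status"] = Status

    def get_access_key_last_used(self, AccessKeyId):
        return {"AccessKeyLastUsed": {"LastUsedDate": self._last_used[AccessKeyId]}}

    def delete_access_key(self, UserName, AccessKeyId):
        del self._keys[AccessKeyId]

    def record_use(self, AccessKeyId):
        """Test hook: pretend a request was just signed with this key."""
        self._last_used[AccessKeyId] = self.clock


def active_keys(iam, user):
    return [k for k in iam.list_access_keys(UserName=user)["AccessKeyMetadata"]
            if k["Status"] == "Active"]


def stale_users(iam, users, now, max_age_days=MAX_KEY_AGE_DAYS):
    """The console's 'Access key age' column as code: age in days of the oldest
    active key per user, returning (user, age) for those past the threshold.
    Users with no active key are skipped, matching the column's 'None'."""
    report = []
    for user in users:
        keys = active_keys(iam, user)
        if not keys:
            continue
        oldest = max((now - k["CreateDate"]).days for k in keys)
        if oldest > max_age_days:
            report.append((user, oldest))
    return report


def create_second_key(iam, user):
    """Steps 1-6: add a second key while the first is still active.
    Returns (old_key_id, new_key_id, new_secret); the secret goes to the
    application (step 7) and must not be logged."""
    keys = active_keys(iam, user)
    if len(keys) != 1:
        raise RuntimeError(f"expected exactly one active key for {user}, found {len(keys)}")
    new = iam.create_access_key(UserName=user)["AccessKey"]
    return keys[0]["AccessKeyId"], new["AccessKeyId"], new["SecretAccessKey"]


def deactivate_if_quiet(iam, user, old_key_id, now, quiet_days=7):
    """Steps 8-9: deactivate (never delete yet) the old key only once it has
    gone unused for `quiet_days`. Returns 'deactivated' or 'still-in-use'."""
    last = iam.get_access_key_last_used(AccessKeyId=old_key_id)["AccessKeyLastUsed"]["LastUsedDate"]
    if last is not None and (now - last).days < quiet_days:
        return "still-in-use"
    iam.update_access_key(UserName=user, AccessKeyId=old_key_id, Status="Inactive")
    return "deactivated"


def reactivate(iam, user, old_key_id):
    """Step 10 fallback: something still depends on the old key; re-enable it
    and go back to step 7."""
    iam.update_access_key(UserName=user, AccessKeyId=old_key_id, Status="Active")


def delete_old_key(iam, user, old_key_id):
    """Step 11: delete only a key that is already Inactive, so an active key
    can never be removed by accident."""
    status = {k["AccessKeyId"]: k["Status"]
              for k in iam.list_access_keys(UserName=user)["AccessKeyMetadata"]}
    if status.get(old_key_id) != "Inactive":
        raise RuntimeError("deactivate the key and confirm nothing breaks before deleting it")
    iam.delete_access_key(UserName=user, AccessKeyId=old_key_id)
```

The ordering enforced here is the point: `create_second_key` refuses to run unless there is exactly one active key (two keys is the IAM limit, and a user with zero active keys needs a different conversation), `deactivate_if_quiet` consults Last used before touching anything, and `delete_old_key` will not delete a key that is still Active, so the "deactivate, wait, then delete" discipline from the steps above is encoded rather than left to memory.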

Note: In addition to rotating access keys, consider whether a workload currently relying on long-term credentials can instead obtain temporary credentials from AWS Security Token Service (STS). STS issues short-lived credentials that expire after a specified period, so there is no long-lived secret to rotate and a leaked credential is only useful until it expires.

Our AWS team is currently researching and exploring the possibility of automating the access key rotation process using Lambda functions. This initiative aims to streamline and simplify the rotation process. It will make your life easy and will further enhance security measures within your AWS environment. There will be another blog entry focused solely on this topic. Stay tuned!

Conclusion

Rotating access keys regularly is a crucial security measure for AWS environments. It helps mitigate risks associated with compromised keys, addresses compliance requirements, and facilitates the identification of potential security breaches. By following the recommended steps for access key rotation, organizations can enhance the security of their AWS resources and ensure ongoing protection against unauthorized access.

Learn more about how managed cloud detection and response (CDR) can protect your organization's cloud workloads and applications. Or, if your detection and response needs are more extensive, check out our comprehensive MXDR solution to see how Gradient Cyber MXDR can help protect all on-premises and cloud environments from cyber attacks.