I have an AWS account with more than 1000 IAM users. I need to rotate access/secret keys in an effective way.


I need to rotate keys every month. A notification needs to be sent to users before rotating the next key, like the password expiry email which we usually receive. Also, we need to store these keys in the AWS account, so that a specific user can log in and access only his keys.

Need suggestions on implementing this.

Asked 2 months ago, 185 views
3 answers

Hi,

Why don't you use AWS KMS to do that: https://aws.amazon.com/kms/

  • it can manage automatic scheduled key rotation for you
  • given proper credentials to your users, it's the place for them to find their user ID/password when they forget it
  • A least-privilege auth schema will allow you to make sure that only a given user will see their KMS-encrypted password. Not even your sysadmins need to see it.
  • Users can at any time decode the encrypted credentials to find the new value
  • you can set up some EventBridge event + automatic SNS notification email to tell them that the password has been rotated

They can decrypt their credentials directly from the AWS console, or by using the CLI: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/decrypt.html

Best

Didier

AWS Expert, answered 2 months ago
Verified 2 months ago by iBehr (AWS Expert)

Hello,

You could use the AWS IAM Key Rotation repository [1] as a model. A set of CloudFormation templates will deploy a Python Lambda function that will automatically rotate your IAM Users' Access Keys every 90 days by default, which can be customized to 30 days as per your need. Amazon Simple Email Service (SES) is used to send notifications to the end-users.

[1] https://github.com/aws-samples/aws-iam-access-key-auto-rotation

AWS, answered 2 months ago
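As an added example (not code from the thread or from the aws-samples repository) of the rotate-and-notify flow the answer above describes: a per-user planner that decides whether to warn, rotate, or hold because the user already holds IAM's maximum of two keys, plus a rotation step that creates the replacement before deactivating the old key. The 30-day period, 7-day warning, the boto3 client passed to `rotate_key`, and the sample key ids are assumptions.

```python
"""Plan monthly IAM access-key rotation with advance warning.
Added example, not code from the thread or the aws-samples repository. Assumed
policy: rotate keys older than 30 days, warn the user 7 days before, never
exceed IAM's limit of two access keys per user. Only rotate_key touches AWS
(pass it boto3.client("iam")); the planning logic runs offline."""
from datetime import datetime, timedelta, timezone

ROTATE_AFTER = timedelta(days=30)   # assumed monthly rotation period
WARN_BEFORE = timedelta(days=7)     # assumed notification lead time
MAX_KEYS_PER_USER = 2               # IAM hard limit on access keys per user

def plan_user(keys, now):
    """Return (action, key_id) with action in ok/notify/rotate/blocked.
    keys: the AccessKeyMetadata list from iam.list_access_keys(UserName=...)."""
    active = [k for k in keys if k["Status"] == "Active"]
    if not active:
        return ("ok", None)
    oldest = min(active, key=lambda k: k["CreateDate"])
    age = now - oldest["CreateDate"]
    if age >= ROTATE_AFTER:
        if len(keys) >= MAX_KEYS_PER_USER:
            # No slot for a replacement until a stale key is deleted.
            return ("blocked", oldest["AccessKeyId"])
        return ("rotate", oldest["AccessKeyId"])
    if age >= ROTATE_AFTER - WARN_BEFORE:
        return ("notify", oldest["AccessKeyId"])   # send the expiry email now
    return ("ok", oldest["AccessKeyId"])

def rotate_key(iam, username, old_key_id):
    """Create the replacement first, then deactivate (not delete) the old key so
    the user can roll back while switching; delete it once it is unused."""
    new = iam.create_access_key(UserName=username)["AccessKey"]
    iam.update_access_key(UserName=username, AccessKeyId=old_key_id,
                          Status="Inactive")
    return new   # caller stores it (e.g. Secrets Manager) and notifies the user

# Constructed sample data (not real key ids) so the planner can be exercised.
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
def _key(key_id, status, age_days):
    return {"AccessKeyId": key_id, "Status": status,
            "CreateDate": SAMPLE_NOW - timedelta(days=age_days)}
SAMPLE_USERS = {
    "alice": [_key("AKIACONSTRUCTED1", "Active", 5)],
    "bob": [_key("AKIACONSTRUCTED2", "Active", 25)],
    "carol": [_key("AKIACONSTRUCTED3", "Active", 31)],
    "dave": [_key("AKIACONSTRUCTED4", "Active", 40), _key("AKIACONSTRUCTED5", "Inactive", 70)],
}
def plan_sample():
    return {u: plan_user(keys, SAMPLE_NOW) for u, keys in SAMPLE_USERS.items()}
```

The "blocked" case is the one a scheduled rotator most often trips over at scale: an inactive key left behind from a previous cycle fills the second slot, so the job must delete it before it can create a replacement.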

Several automation solutions, both provided by AWS and third-party vendors, are currently in place. Please evaluate and test them thoroughly. If necessary, you may modify these solutions to better suit your requirements before rolling them out.

  • Automatically rotate IAM user access keys at scale with AWS Organizations and AWS Secrets Manager
  • AWS IAM Access Key Rotation (GitHub)
  • GitHub Action: Rotate AWS Access Keys

You can use this solution, where you can encourage users to manage their IAM access key rotation by themselves: https://github.com/stefansundin/aws-rotate-key

AWS, answered 2 months ago
