I have an AWS account with more than 1000 IAM users. I need to rotate access/secret keys in an effective way.

0

I need to rotate keys every month. A notification needs to be sent to users before rotating the next key, like the password expiry email which we usually receive. Also, we need to store these keys in the AWS account so that a specific user can log in and access only his keys.

Need suggestions on implementing this.

posted 2 months ago, 189 views
3 Answers
2

Hi,

Why don't you use AWS KMS to do that: https://aws.amazon.com/kms/

  • it can manage automatic scheduled key rotation for you
  • given proper credentials given to your users, it's the place for them to find their user ID and password when they forget it
  • A least-privilege auth schema will allow you to make sure that only a given user will see its KMS-encrypted password. Not even your sysadmins need to see it.
  • Users can at any time decode the encrypted credentials to find the new value
  • you can set up some EventBridge event + automatic SNS notification email to tell them that the password has been rotated

They can decrypt their credentials directly from the AWS console, or by using the CLI: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/decrypt.html

Best

Didier

AWS EXPERT, answered 2 months ago
EXPERT, verified 2 months ago
AWS EXPERT iBehr, verified 2 months ago
0

Hello,

You could use the AWS IAM Key Rotation repository [1] as a model. A set of CloudFormation templates deploys a Python Lambda function that automatically rotates your IAM users' access keys every 90 days by default, which can be customized to 30 days as per your need. Amazon Simple Email Service (SES) is used to send notifications to the end users.

[1] https://github.com/aws-samples/aws-iam-access-key-auto-rotation

AWS, answered 2 months ago
0

Several automation solutions, provided both by AWS and by third-party vendors, are currently available. Please evaluate and test them thoroughly. If necessary, you may modify these solutions to better suit your requirements before rolling them out.

  • Automatically rotate IAM user access keys at scale with AWS Organizations and AWS Secrets Manager
  • AWS IAM Access Key Rotation (GitHub)
  • GitHub Action: Rotate AWS Access Keys

You can use this solution, where you encourage users to manage their IAM access key rotation by themselves: https://github.com/stefansundin/aws-rotate-key

AWS, answered 2 months ago
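The two answers above describe the same rotation cycle (replace a key once it reaches the rotation age, warn the user beforehand, keep the old key alive through a short grace period, then deactivate and finally delete it). Below is an added example of that logic, not code from this thread, from the aws-samples project, or from aws-rotate-key. The period constants, the `store`/`notify` callbacks, the `FakeIAM` stand-in and all key IDs are assumptions constructed for the example; in production `iam` would be `boto3.client('iam')` and `keys` would come from `list_access_keys()` for each user returned by a paginated `list_users()`.

```python
"""Age-based IAM access-key rotation: plan per-user actions, then apply them
through an injected IAM client so the whole flow can be exercised offline."""
from datetime import datetime, timedelta, timezone

# Period constants are assumptions for this example (the question asks for monthly).
ROTATION_DAYS = 30      # replace a key once it is this old
WARN_DAYS = 7           # tell the user this many days before replacement
GRACE_DAYS = 3          # keep the old key active this long after the new one exists
MAX_KEYS_PER_USER = 2   # IAM allows at most two access keys per user
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # fixed clock for the demo


def key(key_id, age_days, status="Active", now=NOW):
    """Build one AccessKeyMetadata-shaped entry (constructed test data)."""
    return {"AccessKeyId": key_id, "Status": status,
            "CreateDate": now - timedelta(days=age_days)}


def plan(keys, now):
    """Decide what to do with one user's keys. `keys` entries look like
    iam.list_access_keys()['AccessKeyMetadata'] items. Returns
    [(access_key_id, 'warn'|'rotate'|'deactivate'|'delete')]; keys needing
    nothing are omitted."""
    actions = []
    active = sorted((k for k in keys if k["Status"] == "Active"),
                    key=lambda k: k["CreateDate"], reverse=True)
    inactive = [k for k in keys if k["Status"] != "Active"]
    # A deactivated key was the rollback option for one cycle; deleting it now
    # frees the user's second slot for the next rotation.
    actions += [(k["AccessKeyId"], "delete") for k in inactive]
    if not active:
        return actions
    newest = active[0]
    age = now - newest["CreateDate"]
    # Any older active key is the pre-rotation key: retire it once the new key
    # has been out for the grace period, so the user had time to switch.
    if age >= timedelta(days=GRACE_DAYS):
        actions += [(k["AccessKeyId"], "deactivate") for k in active[1:]]
    if age >= timedelta(days=ROTATION_DAYS):
        # A third key cannot be created, so rotate only if a slot is free after
        # this run's deletions; otherwise the deactivation above happens first
        # and the rotation lands on the next run.
        if len(keys) - len(inactive) < MAX_KEYS_PER_USER:
            actions.append((newest["AccessKeyId"], "rotate"))
    elif age >= timedelta(days=ROTATION_DAYS - WARN_DAYS):
        actions.append((newest["AccessKeyId"], "warn"))
    return actions


def rotate_user(username, keys, now, iam, store, notify):
    """Execute plan() with `iam` (boto3.client('iam') or a stand-in with the same
    three methods). `store(user, key_id, secret)` hands the new secret to the
    user through a channel only they can read; `notify(user, message)` sends
    the email, which never contains the secret. Returns the plan."""
    by_id = {k["AccessKeyId"]: k for k in keys}
    todo = plan(keys, now)
    for key_id, action in todo:            # deletes come first, freeing the slot
        if action == "delete":
            iam.delete_access_key(UserName=username, AccessKeyId=key_id)
        elif action == "deactivate":
            iam.update_access_key(UserName=username, AccessKeyId=key_id,
                                  Status="Inactive")
        elif action == "rotate":
            new = iam.create_access_key(UserName=username)["AccessKey"]
            store(username, new["AccessKeyId"], new["SecretAccessKey"])
            notify(username, f"New access key {new['AccessKeyId']} issued; "
                             f"{key_id} is disabled in {GRACE_DAYS} days.")
        elif action == "warn":
            due = by_id[key_id]["CreateDate"] + timedelta(days=ROTATION_DAYS)
            notify(username, f"Access key {key_id} will be rotated in "
                             f"{(due - now).days} days.")
    return todo


class FakeIAM:
    """Offline stand-in for the three boto3 IAM calls used above; records calls."""
    def __init__(self, now):
        self.now, self.calls, self.created = now, [], 0

    def delete_access_key(self, UserName, AccessKeyId):
        self.calls.append(("delete", AccessKeyId))

    def update_access_key(self, UserName, AccessKeyId, Status):
        self.calls.append(("update", AccessKeyId, Status))

    def create_access_key(self, UserName):
        self.created += 1
        key_id = f"AKIAEXAMPLE{self.created:04d}"       # constructed, not real
        self.calls.append(("create", key_id))
        return {"AccessKey": {"AccessKeyId": key_id, "CreateDate": self.now,
                              "SecretAccessKey": "constructed-secret"}}


if __name__ == "__main__":
    sample = {"alice": [key("AKIAALICE00001", 25)],          # constructed users
              "bob": [key("AKIABOB0000001", 31), key("AKIABOB0000000", 64, "Inactive")]}
    iam = FakeIAM(NOW)
    for user, keys in sample.items():
        print(user, rotate_user(user, keys, NOW, iam, store=lambda u, k, s: None,
                                notify=lambda u, m: print("  mail to", u + ":", m)))
```

The `store` callback is where the question's "each user can access only his keys" requirement lands: a real implementation would write the secret to a per-user Secrets Manager secret (for instance named `iam-user-keys/<username>`, an assumed naming scheme) and the users' IAM policy would allow `secretsmanager:GetSecretValue` only on the resource whose name matches the `${aws:username}` policy variable, so nobody else, including the rotation Lambda's operators, needs to read it. Deleting a deactivated key only on the next run keeps a one-cycle window in which the old key can be reactivated if a workload was missed.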
