I want to securely manage AWS Identity and Access Management (IAM) access keys.
Resolution
To manage your IAM access keys, take the following actions.
Update IAM access keys regularly
Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.
Update user access keys on a regular schedule to reduce the risk of unauthorized access if a key is compromised. It's a best practice to rotate your access keys at least every 90 days.
Use the AWS Management Console or AWS CLI to update user access keys. An IAM user can have at most two access keys at a time, so rotate in this order: create the new key, update every application and configuration that uses the old key, set the old key to Inactive, confirm that nothing still depends on it, and only then delete it. An inactive key can be reactivated if you missed a consumer; a deleted key can't.
Monitor IAM access key usage
To identify old or unused keys before you rotate or deactivate them, check each key's creation date and last-used date (in the IAM console, with the aws iam get-access-key-last-used command, or in the IAM credential report), and use AWS CloudTrail and Amazon CloudWatch alarms to monitor where and how your access keys are used. A key that has never been used, or that hasn't been used for weeks, is a candidate for deactivation rather than rotation.
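The rotation order and the usage check described above, as an added Python example (this is not code from the AWS article). It uses the boto3 IAM client method names and response shapes, but runs offline against a constructed in-memory stand-in so the logic can be read and exercised before it is pointed at boto3.client("iam"). The two-key-per-user limit and the 90-day rotation interval are AWS's; the 30-day idle threshold, the user names, the generated key IDs and the FakeIam class are assumptions made for the example.

```python
"""Audit and rotate IAM user access keys through the boto3 IAM client API.

Added example, not AWS's own code. Each function takes any object with the boto3 IAM client
methods it calls, so it works with boto3.client("iam") or, offline, with the FakeIam stand-in.
"""
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE_DAYS = 90   # rotation threshold recommended in the article
IDLE_DAYS = 30          # assumption: a key unused this long is a deactivation candidate
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # fixed clock for the sample data


def audit_access_keys(iam, user_name, now=None):
    """Return one finding per key: ID, status, age, idle days and why it needs attention."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for md in iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]:
        key_id = md["AccessKeyId"]
        last = iam.get_access_key_last_used(AccessKeyId=key_id)["AccessKeyLastUsed"]
        # LastUsedDate is absent from the response when the key has never been used.
        idle = (now - last["LastUsedDate"]).days if "LastUsedDate" in last else None
        age = (now - md["CreateDate"]).days
        reasons = []
        if age > MAX_KEY_AGE_DAYS:
            reasons.append(f"older than {MAX_KEY_AGE_DAYS} days")
        if idle is None:
            reasons.append("never used")
        elif idle > IDLE_DAYS:
            reasons.append(f"unused for {idle} days")
        findings.append({"AccessKeyId": key_id, "Status": md["Status"], "age_days": age,
                         "idle_days": idle, "reasons": reasons})
    return findings


def rotate_access_key(iam, user_name, old_key_id, distribute):
    """Replace old_key_id without an outage and return the new key ID.

    Create the new key, hand it to its consumer with distribute(), and only then set the old
    key Inactive (not deleted) so it can be re-enabled if something still uses it.
    """
    keys = {k["AccessKeyId"] for k in iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]}
    if old_key_id not in keys:
        raise ValueError(f"{old_key_id} does not belong to {user_name}")
    if len(keys) >= 2:   # IAM allows at most two access keys per user
        raise RuntimeError(f"{user_name} already has two access keys; delete the unused one first")
    new = iam.create_access_key(UserName=user_name)["AccessKey"]
    try:
        distribute(new["AccessKeyId"], new["SecretAccessKey"])
    except Exception:
        # Nothing uses the new key yet, so remove it rather than leave a stray credential behind.
        iam.delete_access_key(UserName=user_name, AccessKeyId=new["AccessKeyId"])
        raise
    iam.update_access_key(UserName=user_name, AccessKeyId=old_key_id, Status="Inactive")
    return new["AccessKeyId"]


def retire_access_key(iam, user_name, key_id):
    """Delete key_id only if it is already Inactive, i.e. the rotation was verified first."""
    for md in iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]:
        if md["AccessKeyId"] == key_id:
            if md["Status"] != "Inactive":
                raise RuntimeError(f"{key_id} is still Active; deactivate and verify before deleting")
            iam.delete_access_key(UserName=user_name, AccessKeyId=key_id)
            return True
    return False


class FakeIam:
    """Constructed stand-in for boto3.client("iam"); the key IDs are AWS documentation examples."""

    def __init__(self, now):
        self.now, self.created = now, 0
        self.keys = {  # per key: owning user, status, creation time, last use (None = never)
            "AKIAIOSFODNN7EXAMPLE": dict(user="deploy", status="Active",
                                         created=now - timedelta(days=120), used=now - timedelta(days=2)),
            "AKIAI44QH8DHBEXAMPLE": dict(user="reporting", status="Active",
                                         created=now - timedelta(days=200), used=None)}

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [{"UserName": UserName, "AccessKeyId": k, "Status": v["status"],
                                       "CreateDate": v["created"]}
                                      for k, v in self.keys.items() if v["user"] == UserName]}

    def get_access_key_last_used(self, AccessKeyId):
        used = self.keys[AccessKeyId]["used"]   # real API returns ServiceName "N/A" for never-used keys
        return {"AccessKeyLastUsed": {"LastUsedDate": used} if used else {"ServiceName": "N/A"}}

    def create_access_key(self, UserName):
        self.created += 1
        key_id = f"AKIAEXAMPLENEW{self.created:06d}"
        self.keys[key_id] = dict(user=UserName, status="Active", created=self.now, used=None)
        return {"AccessKey": {"AccessKeyId": key_id, "SecretAccessKey": "constructed-secret"}}

    def update_access_key(self, UserName, AccessKeyId, Status):
        self.keys[AccessKeyId]["status"] = Status

    def delete_access_key(self, UserName, AccessKeyId):
        del self.keys[AccessKeyId]


if __name__ == "__main__":   # offline walk-through against the constructed client
    iam = FakeIam(SAMPLE_NOW)
    print(audit_access_keys(iam, "reporting", SAMPLE_NOW))
    print(rotate_access_key(iam, "deploy", "AKIAIOSFODNN7EXAMPLE", lambda key_id, secret: None))
```

To run it against a real account, replace FakeIam(SAMPLE_NOW) with boto3.client("iam") and pass a distribute callback that writes the new key into whatever holds it (a secrets manager, a CI variable store). Setting the old key Inactive rather than deleting it is the safety net: if a consumer was missed, reactivate the old key with aws iam update-access-key and retry; call retire_access_key only after the last-used data shows no further use of the old key.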
Respond to compromised IAM access keys
If you suspect that an access key is compromised, then immediately deactivate it (set it to Inactive) to limit the blast radius and secure your account. Deactivation takes effect for every API call that uses the key, and the key stays listed on the user while you investigate.
Review your CloudTrail logs to identify unauthorized API calls that were made with the compromised key. Filter the events by the access key ID, and note the source IP addresses, the Regions, and which calls succeeded, because only successful calls leave changes that you must undo. For instructions on filtering CloudTrail events by access key ID, see Logging IAM Access Analyzer API calls with AWS CloudTrail.
After you deactivate the compromised key, take the following actions:
- Review your account for unauthorized IAM users, roles, and policies. For more information, see AWS security audit guidelines.
- Check for unauthorized Amazon Elastic Compute Cloud (Amazon EC2) instances, Amazon Simple Storage Service (Amazon S3) bucket policy changes, and security group modifications.
- If AWS attached the AWSCompromisedKeyQuarantineV3 managed policy to the affected user, keep it in place until you complete all remediation steps. The policy denies a set of high-risk actions that are commonly abused with a stolen key. If you remove it prematurely, then it can affect your eligibility for AWS account concessions related to the security incident.
- Review your billing dashboard for unexpected cost spikes that indicate unauthorized resource usage.
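The log review and the post-deactivation checklist above, as an added Python example (not code from the AWS article): it takes CloudTrail records, keeps the ones made with the compromised key ID, and reports when and from where the key was used, which calls were made, how many were denied, and which successful calls created something that outlives the key (users, access keys, policies, instances, bucket policies, security group rules). The records, the key IDs (AWS documentation example IDs) and the IP addresses (RFC 5737 test ranges) are constructed; the persistence list is an assumption that mirrors the checklist, not an exhaustive catalogue.

```python
"""Triage CloudTrail records for one access key ID.

Added example, not AWS's own code. It reads CloudTrail log files in the form delivered to S3
({"Records": [...]}); the same fields are present in the CloudTrailEvent JSON string of each
event returned by `aws cloudtrail lookup-events` filtered on AttributeKey=AccessKeyId.
The records below are constructed sample data, not a real incident.
"""
import json
from collections import Counter

# Successful calls like these mean the attacker may have a foothold that outlives the key.
# Assumption: a starting list that mirrors the article's checklist, not an exhaustive one.
PERSISTENCE_CALLS = {
    "CreateUser", "CreateAccessKey", "CreateLoginProfile", "CreateRole", "AttachUserPolicy",
    "AttachRolePolicy", "PutUserPolicy", "PutRolePolicy", "UpdateAssumeRolePolicy",
    "RunInstances", "PutBucketPolicy", "AuthorizeSecurityGroupIngress",
}


def load_records(text):
    """Parse one CloudTrail log file (as delivered to S3) into its list of records."""
    return json.loads(text)["Records"]


def events_for_key(records, key_id):
    """Keep only records whose caller authenticated with key_id."""
    return [r for r in records if r.get("userIdentity", {}).get("accessKeyId") == key_id]


def summarize_key_activity(records, key_id):
    """Gather what a responder needs first: when, from where, what was called, what to undo."""
    events = events_for_key(records, key_id)
    succeeded = [e for e in events if "errorCode" not in e]   # denied calls changed nothing
    return {
        "total": len(events),
        "first_seen": min((e["eventTime"] for e in events), default=None),
        "last_seen": max((e["eventTime"] for e in events), default=None),
        "source_ips": sorted({e["sourceIPAddress"] for e in events}),
        "regions": sorted({e["awsRegion"] for e in events}),
        "by_call": Counter(f'{e["eventSource"]}:{e["eventName"]}' for e in events),
        "denied": len(events) - len(succeeded),
        "persistence": [(e["eventTime"], e["eventName"]) for e in succeeded
                        if e["eventName"] in PERSISTENCE_CALLS],
    }


def _record(time, service, name, key_id, ip, region="us-east-1", error=None):
    """Build a constructed CloudTrail record carrying the fields the triage above reads."""
    rec = {"eventVersion": "1.08", "eventTime": time, "eventSource": f"{service}.amazonaws.com",
           "eventName": name, "awsRegion": region, "sourceIPAddress": ip,
           "userIdentity": {"type": "IAMUser", "userName": "deploy", "accessKeyId": key_id}}
    if error:
        rec["errorCode"] = error
    return rec


COMPROMISED_KEY = "AKIAIOSFODNN7EXAMPLE"   # key under investigation (documentation example ID)
SAMPLE_LOG = json.dumps({"Records": [   # constructed: recon, persistence, one denied call
    _record("2024-06-01T02:10:11Z", "sts", "GetCallerIdentity", COMPROMISED_KEY, "203.0.113.7"),
    _record("2024-06-01T02:10:40Z", "s3", "ListBuckets", COMPROMISED_KEY, "203.0.113.7"),
    _record("2024-06-01T02:12:05Z", "iam", "CreateUser", COMPROMISED_KEY, "203.0.113.7"),
    _record("2024-06-01T02:12:09Z", "iam", "CreateAccessKey", COMPROMISED_KEY, "203.0.113.7"),
    _record("2024-06-01T02:15:30Z", "ec2", "RunInstances", COMPROMISED_KEY, "198.51.100.23",
            "us-west-2", "Client.UnauthorizedOperation"),
    _record("2024-06-01T02:16:02Z", "ec2", "AuthorizeSecurityGroupIngress", COMPROMISED_KEY,
            "198.51.100.23", "us-west-2"),
    # A legitimate key's activity in the same file must stay out of the summary.
    _record("2024-06-01T03:00:00Z", "s3", "GetObject", "AKIAI44QH8DHBEXAMPLE", "192.0.2.10"),
]})


if __name__ == "__main__":
    summary = summarize_key_activity(load_records(SAMPLE_LOG), COMPROMISED_KEY)
    for field, value in summary.items():
        print(f"{field}: {value}")
```

The "persistence" list is the work queue: each entry is a successful call that created a user, key, policy, instance or rule that stays usable after the original key is deactivated, so each one needs to be found and removed. Unfamiliar source IPs and Regions from the same summary are what you feed into CloudWatch alarms and GuardDuty review afterwards.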
To detect ongoing threats and anomalous activity, turn on Amazon GuardDuty.
Update the alternate contacts for your AWS account for future security notifications.
Use alternatives to long-term IAM access keys
Long-term access keys never expire, so a leaked key stays valid until someone notices and deactivates it. It's a best practice to replace them with temporary credentials, which expire on their own, wherever possible.
For AWS services
Assign IAM roles to Amazon EC2 instances, AWS Lambda functions, and Amazon Elastic Container Service (Amazon ECS) tasks instead of embedding access keys in application code or configuration. The AWS SDKs and the AWS CLI retrieve the role's temporary credentials automatically, and those credentials rotate without any action on your part. To create and assign IAM roles, see Create a role to give permissions to an IAM user.
For individual users
AWS IAM Identity Center provides federated access with temporary credentials for individual users. This removes the need for long-term access keys for console and programmatic access. To learn more, see What is AWS IAM Identity Center?
For on-premises workloads
For workloads that run outside of AWS and require programmatic access, use AWS IAM Roles Anywhere. It exchanges an X.509 certificate, issued by a certificate authority that you register as a trust anchor, for temporary credentials, so the workload holds a certificate and private key instead of a long-term access key. For more information, see Using IAM Roles Anywhere to authorize off-cloud devices to access AWS resources.
Related information
Manage access keys for IAM users
Beyond IAM access keys: Modern authentication approaches for AWS
What to do if you inadvertently expose an AWS access key