I have an aws account with more than 1000 iam users. I need to rotate access / secret keys in an effective way.

0

I need to rotate keys every month. notification needs to be sent to users before rotating next key. like password expiry email which we receive usually also we need to store this keys aws account. so that specific user can login and can access only his keys

need suggestions on implementing this

질문됨 2달 전185회 조회
3개 답변
2

Hi,

Why don't you use AWS KMS to do that: https://aws.amazon.com/kms/

  • it can manage automatic scheduled key rotation for you
  • given proper credendials given to your users, it's place for them to find their userid password when they forget it
  • A least privilege auth schema will allow you to make sure that only a given user will see its KMS-encrypted password. Not even you sysadmins needs to see it.
  • User can at any time decode the encrypted credentials to find the new value
  • you can set up some EventBridge event + automatic SNS notification email to tell them that password has been rotated

They can deccrypt their credentials directly from AWS console, or by using the CLI: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/decrypt.html

Best

Didier

profile pictureAWS
전문가
답변함 2달 전
profile picture
전문가
검토됨 2달 전
profile pictureAWS
전문가
iBehr
검토됨 2달 전
0

Hello,

You could use the AWS IAM Key Rotation repository [1] as a model. A set of CloudFormation templates will deploy a Python Lambda function that will automatically rotate your IAM Users' Access Keys every 90 days by default, which can be customized to 30 days as per your need. Amazon Simple Email Service (SES) is used to send notifications to the end-users.

[1] https://github.com/aws-samples/aws-iam-access-key-auto-rotation

AWS
답변함 2달 전
0

Several automation solutions, both provided by AWS and third-party vendors, are currently in place. Please evaluate and test them thoroughly. If necessary, you may modify these solutions to better suit your requirements before rolling them out.

Automatically rotate IAM user access keys at scale with AWS Organizations and AWS Secrets Manager AWS IAM Access Key Rotation GitHub GitHub Action Rotate AWS Access Keys

You can use this solution, where you can encourage users to manage their IAM Access keys rotation by themselves : https://github.com/stefansundin/aws-rotate-key

AWS
답변함 2달 전

로그인하지 않았습니다. 로그인해야 답변을 게시할 수 있습니다.

좋은 답변은 질문에 명확하게 답하고 건설적인 피드백을 제공하며 질문자의 전문적인 성장을 장려합니다.

질문 답변하기에 대한 가이드라인