By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

How to automate access key rotation for IAM users

1

Hello everyone,

I am trying to figure out a way to automate access key rotation for IAM users. We have several users that have their own IAM programmatic access key and I am trying to figure out a way to force the user to rotate their access key after 90 days. It would be nice to also have some sort of SNS topic that will inform the user.

I attempted to use the ASA Key Rotation document that AWS provided but kept on running into CloudFormation template errors which include Malformed Document and missing resources in the .PY files.

https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/automatically-rotate-iam-user-access-keys-at-scale-with-aws-organizations-and-aws-secrets-manager.html

Any guidance on this would be awesome.

Thank you!

Topics
Security, Identity, & ComplianceManagement & Governance
Tags
AWS Key Management ServiceSecurity, Identity, & ComplianceAWS Identity and Access ManagementAWS Command Line InterfaceIAM Policies
Language
English
rePost-User-7010889
asked 2 years ago8.4K views
3 Answers
0

If the credentials are for users, a best practice would be to use temporary credentials. Access keys are long-term credentials that you may not need.

  • Here is a blog that shows you how to get temporary credentials with AWS IAM Identity Center.

  • You can also get temporary credentials with the AWS CLI and AWS IAM Identity center. Here is a knowledge center article.

If you still want to use the aws-iam-access-key-auto-rotation solution, it looks like the files are on the GitHub repo.

profile pictureAWS
Jeremy_S
answered 2 years ago
0

Here is an alternative that is well documented. I didn't try it but it should work. It uses AWS Secret Manager and Lambda, with SNS for notification as required.

Shams
answered a year ago
-1

You might want to also consider transitioning these IAM Users to IAM Roles Anywhere.

profile pictureAWS
EXPERT
kentrad
answered 2 years ago
  • jwesley
    2 years ago

    This does nothing except extend roles to workloads outside of AWS, why is it any more applicable here than using standard roles?

  • kentrad EXPERT
    2 years ago

    It transitions from using IAM Users with long-term access keys that have to be rotated to using IAM Roles that have short-term access keys.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content