How to automate access key rotation for IAM users


Hello everyone,

I am trying to figure out a way to automate access key rotation for IAM users. We have several users that have their own IAM programmatic access key and I am trying to figure out a way to force the user to rotate their access key after 90 days. It would be nice to also have some sort of SNS topic that will inform the user.

I attempted to use the ASA Key Rotation document that AWS provided but kept on running into CloudFormation template errors which include Malformed Document and missing resources in the .PY files.

Any guidance on this would be awesome.

Thank you!

3 Answers

If the credentials are for users, a best practice would be to use temporary credentials. Access keys are long-term credentials that you may not need.

  • Here is a blog that shows you how to get temporary credentials with AWS IAM Identity Center.

  • You can also get temporary credentials with the AWS CLI and AWS IAM Identity center. Here is a knowledge center article.

If you still want to use the aws-iam-access-key-auto-rotation solution, it looks like the files are on the GitHub repo.

profile pictureAWS
answered a year ago

Here is an alternative that is well documented. I didn't try it but it should work. It uses AWS Secret Manager and Lambda, with SNS for notification as required.

answered 4 months ago

You might want to also consider transitioning these IAM Users to IAM Roles Anywhere.

profile pictureAWS
answered a year ago
  • This does nothing except extend roles to workloads outside of AWS, why is it any more applicable here than using standard roles?

  • It transitions from using IAM Users with long-term access keys that have to be rotated to using IAM Roles that have short-term access keys.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions