Auto Rotate IAM access keys

Is there a link or document with information on how to auto-rotate IAM access keys using Lambda + Secrets Manager + SNS, not SES? I tried the SES way but don't want that route.

1 Answer

Yes, there is a solution for automatically rotating IAM user access keys at scale using AWS Lambda, AWS Secrets Manager, and AWS Organizations. This solution can be adapted to use SNS instead of SES for notifications.

The solution involves AWS CloudFormation templates that deploy a Python Lambda function to automatically rotate IAM users' access keys. By default, it rotates keys every 90 days, but this can be customized to your desired frequency.

Here's how the process works:

  1. An EventBridge rule runs at regular intervals, triggering a Lambda function.
  2. The Lambda function checks all user access keys based on their creation date.
  3. If an access key is older than the defined rotation period, a new key is created.
  4. The old key is stored in AWS Secrets Manager and eventually deleted after an inactive period.
  5. The old key is disabled after an inactive buffer period to ensure it's no longer used.
  6. Notifications are sent to the account owner when a key is rotated.

To adapt this solution to use SNS instead of SES, you would need to modify the notification part of the Lambda function to publish messages to an SNS topic instead of sending emails via SES. SNS can then be configured to deliver these notifications through various channels, including email, SMS, or other endpoints.

This solution can be deployed in a single account or across multiple accounts within an AWS Organization. It uses several AWS services including Lambda, EventBridge, IAM, Organizations, S3, and Secrets Manager to achieve automated, scalable key rotation.

Remember to thoroughly test any modifications to the solution in a non-production environment before implementing it in your production accounts.
Sources
Automatically rotate IAM user access keys at scale with AWS Organizations and AWS Secrets Manager - AWS Prescriptive Guidance
I have an aws account with more than 1000 iam users. I need to rotate access / secret keys in an effective way. | AWS re:Post
Centralize IAM access key management in AWS Organizations by using Terraform - AWS Prescriptive Guidance

answered 23 days ago
EXPERT reviewed 23 days ago
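The six-step process in the answer above, written out as a Lambda handler in Python with boto3 and SNS in place of SES. This is an added example, not part of the original answer and not the AWS Prescriptive Guidance solution's own code. The buffer and delete windows, the topic ARN, the secret naming scheme, the "blocked" outcome and the sample_key helper are assumptions made here; the per-key decision is isolated in plan_action so it can be exercised offline with constructed key metadata, while process_account does the actual IAM, Secrets Manager and SNS calls.

```python
"""Added example: IAM access-key rotation Lambda with Secrets Manager storage and
SNS notification. Not the AWS Prescriptive Guidance solution's own code."""
import json
import os
from datetime import datetime, timedelta, timezone

# Rotation windows in days. 90 matches the answer; the two buffers are assumed
# defaults. Override all three via Lambda environment variables.
ROTATION_DAYS = int(os.environ.get("ROTATION_DAYS", "90"))
INACTIVE_BUFFER_DAYS = int(os.environ.get("INACTIVE_BUFFER_DAYS", "10"))
INACTIVE_DELETE_DAYS = int(os.environ.get("INACTIVE_DELETE_DAYS", "20"))
# Assumed topic ARN and secret naming; a real deployment injects its own.
SNS_TOPIC_ARN = os.environ.get(
    "SNS_TOPIC_ARN", "arn:aws:sns:us-east-1:123456789012:iam-key-rotation")
SECRET_PREFIX = "iam-access-key/"

# Fixed "now" used only by sample_key for offline, repeatable checks.
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def sample_key(key_id, age_days, status="Active", now=SAMPLE_NOW):
    """Constructed AccessKeyMetadata-shaped dict for offline testing."""
    return {"AccessKeyId": key_id, "Status": status,
            "CreateDate": now - timedelta(days=age_days)}


def plan_action(key, user_keys, now):
    """Return keep | rotate | disable | delete | blocked for one access key.

    key and user_keys are dicts shaped like IAM ListAccessKeys AccessKeyMetadata
    (AccessKeyId, Status, CreateDate). An old key stays Active for
    INACTIVE_BUFFER_DAYS after its replacement exists, is then disabled, and is
    deleted INACTIVE_DELETE_DAYS after that.
    """
    age = (now - key["CreateDate"]).days
    disable_at = ROTATION_DAYS + INACTIVE_BUFFER_DAYS
    delete_at = disable_at + INACTIVE_DELETE_DAYS
    if key["Status"] == "Inactive":
        return "delete" if age >= delete_at else "keep"
    if age < ROTATION_DAYS:
        return "keep"
    newer_exists = any(k["CreateDate"] > key["CreateDate"] for k in user_keys)
    if newer_exists:
        # Replacement was minted on an earlier run; disable once the buffer ends.
        return "disable" if age >= disable_at else "keep"
    if len(user_keys) < 2:
        return "rotate"
    # IAM allows two keys per user. Both slots are used and neither is newer,
    # so a replacement cannot be minted; never disable a user's only usable key.
    return "blocked"


def rotate_user_key(iam, sm, user, old_key, now):
    """Create a replacement key and store it in Secrets Manager. The old key
    stays Active during the buffer so consumers can switch over."""
    new = iam.create_access_key(UserName=user)["AccessKey"]
    payload = json.dumps({
        "AccessKeyId": new["AccessKeyId"],
        "SecretAccessKey": new["SecretAccessKey"],
        "ReplacesKeyId": old_key["AccessKeyId"],
        "RotatedAt": now.isoformat(),
    })
    name = SECRET_PREFIX + user
    try:
        sm.create_secret(Name=name, SecretString=payload)
    except sm.exceptions.ResourceExistsException:
        sm.put_secret_value(SecretId=name, SecretString=payload)  # new version
    return new["AccessKeyId"]


def notify(sns, subject, detail):
    # SNS fan-out replaces SES: subscribe email, SMS or HTTPS endpoints to the
    # topic. Only key IDs go in the message, never the secret access key.
    sns.publish(TopicArn=SNS_TOPIC_ARN, Subject=subject, Message=json.dumps(detail))


def process_account(iam, sm, sns, now):
    """Apply the policy to every user; returns [(user, key_id, action)]."""
    results = []
    for page in iam.get_paginator("list_users").paginate():
        for user in page["Users"]:
            name = user["UserName"]
            keys = iam.list_access_keys(UserName=name)["AccessKeyMetadata"]
            for key in keys:
                kid = key["AccessKeyId"]
                action = plan_action(key, keys, now)
                detail = {"User": name, "AccessKeyId": kid, "Action": action}
                if action == "rotate":
                    detail["NewAccessKeyId"] = rotate_user_key(iam, sm, name, key, now)
                elif action == "disable":
                    iam.update_access_key(UserName=name, AccessKeyId=kid, Status="Inactive")
                elif action == "delete":
                    iam.delete_access_key(UserName=name, AccessKeyId=kid)
                if action != "keep":
                    notify(sns, f"IAM access key {action}: {name}", detail)
                results.append((name, kid, action))
    return results


def lambda_handler(event, context):
    import boto3  # imported here so plan_action can be tested without the SDK
    now = datetime.now(timezone.utc)
    return process_account(boto3.client("iam"), boto3.client("secretsmanager"),
                           boto3.client("sns"), now)
```

The Lambda execution role needs iam:ListUsers, iam:ListAccessKeys, iam:CreateAccessKey, iam:UpdateAccessKey and iam:DeleteAccessKey, secretsmanager:CreateSecret and secretsmanager:PutSecretValue on the iam-access-key/* prefix, and sns:Publish on the one topic; read access to the secrets belongs to the key owner, not to the rotation function. Two points worth keeping in mind: an Inactive key still occupies one of the user's two key slots, so a user with an old Inactive key and an old Active key stays "blocked" until the Inactive one ages out and is deleted, and plan_action never disables a key that has no newer sibling, which protects users who already had two old keys when the rotation was switched on.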
