Hi,
Why don't you use AWS KMS to do that: https://aws.amazon.com/kms/
- it can manage automatic scheduled key rotation for you
- given proper credentials given to your users, it's a place for them to find their userid password when they forget it
- A least privilege auth schema will allow you to make sure that only a given user will see its KMS-encrypted password. Not even your sysadmins need to see it.
- Users can at any time decode the encrypted credentials to find the new value
- you can set up some EventBridge event + automatic SNS notification email to tell them that the password has been rotated
They can decrypt their credentials directly from the AWS console, or by using the CLI: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/decrypt.html
Best
Didier
Hello,
You could use the AWS IAM Key Rotation repository [1] as a model. A set of CloudFormation templates will deploy a Python Lambda function that will automatically rotate your IAM Users' Access Keys every 90 days by default, which can be customized to 30 days as per your need. Amazon Simple Email Service (SES) is used to send notifications to the end-users.
[1] https://github.com/aws-samples/aws-iam-access-key-auto-rotation
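The key-age policy behind the Lambda workflow described above, as an added example (not code from the thread or from the aws-samples repository). The planning step is pure so it can be checked without AWS credentials; `apply_plan` uses real boto3 IAM calls, and the 7-day grace window before deletion is an assumed value.

```python
"""Key-age rotation planner, an added example modelled on the Lambda workflow
described above (not code from the thread or the aws-samples repository)."""
from datetime import timedelta

try:
    import boto3  # only apply_plan() needs it; assumed present in the Lambda runtime
except ImportError:
    boto3 = None

MAX_KEY_AGE_DAYS = 90  # the sample repo's default; the asker would set 30
GRACE_DAYS = 7         # assumed value: days a deactivated key is kept before deletion


def plan_rotation(keys, now, max_age_days=MAX_KEY_AGE_DAYS, grace_days=GRACE_DAYS):
    """Return (action, key_id) steps for one user. `keys` has the shape of IAM
    ListAccessKeys metadata: {"AccessKeyId", "Status": "Active"|"Inactive", "CreateDate"}.
    Actions: "delete", "create" (key_id None), "deactivate", "blocked"."""
    max_age = timedelta(days=max_age_days)
    plan, remaining = [], []
    for k in keys:
        # inactive keys past the grace window are deleted, freeing one of the two key slots
        if k["Status"] == "Inactive" and now - k["CreateDate"] > max_age + timedelta(days=grace_days):
            plan.append(("delete", k["AccessKeyId"]))
        else:
            remaining.append(k)
    expired = [k for k in remaining if k["Status"] == "Active" and now - k["CreateDate"] > max_age]
    fresh = [k for k in remaining if k["Status"] == "Active" and k not in expired]
    if expired and not fresh:
        if len(remaining) >= 2:
            # both slots used (expired key + inactive key still in grace): no replacement can be
            # issued yet, so leave the key active rather than lock the user out, and report it
            return plan + [("blocked", expired[0]["AccessKeyId"])]
        plan.append(("create", None))  # issue the replacement before retiring the old key
    plan.extend(("deactivate", k["AccessKeyId"]) for k in expired)
    return plan


def apply_plan(user_name, plan, iam=None):
    """Execute a plan against IAM and return the new key ids; delivering the new secret
    to the user (Secrets Manager, SES) is left to the caller and must never go to logs."""
    iam = iam or boto3.client("iam")
    created = []
    for action, key_id in plan:
        if action == "create":
            created.append(iam.create_access_key(UserName=user_name)["AccessKey"]["AccessKeyId"])
        elif action == "deactivate":
            iam.update_access_key(UserName=user_name, AccessKeyId=key_id, Status="Inactive")
        elif action == "delete":
            iam.delete_access_key(UserName=user_name, AccessKeyId=key_id)
    return created
```

Run `plan_rotation(iam.list_access_keys(UserName=u)["AccessKeyMetadata"], now)` per user on the schedule, and alert on any "blocked" result since that user still holds an over-age key.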
Several automation solutions, both provided by AWS and third-party vendors, are currently in place. Please evaluate and test them thoroughly. If necessary, you may modify these solutions to better suit your requirements before rolling them out.
- Automatically rotate IAM user access keys at scale with AWS Organizations and AWS Secrets Manager
- AWS IAM Access Key Rotation (GitHub)
- GitHub Action: Rotate AWS Access Keys
You can use this solution, where you can encourage users to manage their IAM Access keys rotation by themselves: https://github.com/stefansundin/aws-rotate-key