How do I delete, deactivate, or rotate root access keys in AWS GovCloud (US) accounts?

My organization uses AWS GovCloud (US) to run workloads. Because of a security incident or compliance requirement, my organization now requires that all root user account access keys be deleted, deactivated, or rotated.

Short description

When you sign up for an AWS account, you are issued a single sign-in identity called the AWS account root user ("root user"). The root user can access all AWS services and resources in your AWS account. After you complete the AWS GovCloud (US) sign up process with your root user credentials, the AWS GovCloud (US) account root user is also created.

Important: It's a best practice to use the AWS account root user only when you create your first AWS Identity and Access Management (IAM) user. After you create that first IAM user, lock away the root user access keys and use them only to perform a few tasks. Use your IAM user account for your day-to-day tasks.

Resolution

Follow these steps to delete, deactivate, or rotate root access keys for your AWS GovCloud (US) account.

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

Configure root access keys in the AWS CLI

First, configure the AWS CLI with your AWS GovCloud (US) account root user access keys. You can also use a local installation of the AWS CLI. For instructions, see Configure AWS GovCloud (US) account root user access keys in the AWS CLI (AWS CloudShell).

Verify that root access keys exist

To verify that your AWS GovCloud (US) account has a root access key, see Does my AWS GovCloud (US) account have existing root access keys?

Delete root access keys

To delete a root access key, follow the instructions for Deleting my AWS GovCloud (US) account root user access keys.

Deactivate root access keys

To deactivate a root access key, run the update-access-key AWS CLI command, similar to the following:

aws iam update-access-key --access-key-id AKIAEXAMPLE123456789 --status Inactive
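
The deactivate step as a script, added here as an example and not AWS-provided code: it confirms that the caller is an AWS GovCloud (US) root user, then deactivates each Active key, leaving the key that signs the requests for last so the earlier calls still authenticate. The function names are assumptions made for this example; it also assumes the root access keys are already configured in the AWS CLI.

```shell
#!/bin/sh
# Added example (not AWS-provided code). Deactivates every Active access key of
# the calling identity, but only when that identity is a GovCloud root user.

# Succeeds only if the caller ARN is the root user in the aws-us-gov partition.
is_govcloud_root() {
  arn=$(aws sts get-caller-identity --query Arn --output text) || return 1
  case "$arn" in
    arn:aws-us-gov:iam::*:root) return 0 ;;
    *) return 1 ;;
  esac
}

# Prints Active key IDs, one per line, with the key that signs the current
# requests moved to the end so the earlier update calls still authenticate.
ordered_active_keys() {
  current=${AWS_ACCESS_KEY_ID:-$(aws configure get aws_access_key_id || true)}
  keys=$(aws iam list-access-keys \
    --query 'AccessKeyMetadata[?Status==`Active`].AccessKeyId' \
    --output text) || return 1
  last=""
  for id in $keys; do
    if [ "$id" = "$current" ]; then last=$id; else echo "$id"; fi
  done
  [ -z "$last" ] || echo "$last"
}

# Deactivates the keys in that order; prints one line per key changed.
deactivate_root_keys() {
  if ! is_govcloud_root; then
    echo "caller is not an AWS GovCloud (US) root user; nothing changed" >&2
    return 2
  fi
  ids=$(ordered_active_keys) || return 1
  for id in $ids; do
    aws iam update-access-key --access-key-id "$id" --status Inactive || return 1
    echo "deactivated $id"
  done
}

# Usage, with root access keys configured in the AWS CLI: deactivate_root_keys
```

After the last key is deactivated, the configured credentials no longer authenticate, so run any verification with different credentials.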

Rotate root access keys

To rotate root access keys, follow the instructions to Rotate my AWS GovCloud (US) account root user access keys.

Related information

How IAM Differs for AWS GovCloud (US)

AWS OFFICIAL
AWS OFFICIAL Updated 3 months ago