IAM user access keys should be rotated every 90 days or less


Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests to AWS via the AWS CLI, PowerShell, or APIs. It is recommended that all access keys be rotated every 90 days or less.

Console Remediation Steps

  • Navigate to IAM.

  • Follow the instructions described here.

CLI Remediation Steps

  • Rotate access keys with the AWS CLI (the `--user-name` flag is optional on the update and delete calls, but keeps every step targeting the same user as the create step):

    • Create a new access key for the user:

      • aws iam create-access-key --user-name <user name>

    • Determine when the old key was last used, and by which service, before disabling it:

      • aws iam get-access-key-last-used --access-key-id <id>

    • Change the old key's status to Inactive (this is reversible, so anything still signing with the old key can be restored while it is migrated to the new key):

      • aws iam update-access-key --user-name <user name> --access-key-id <id> --status Inactive

    • Validate that the new access key is working and then delete the old key (this is not reversible):

      • aws iam delete-access-key --user-name <user name> --access-key-id <id>
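The age check behind this benchmark and the "last used" check from the procedure above, as an added Python example that is not part of the original page: it parses the JSON that `aws iam list-access-keys` and `aws iam get-access-key-last-used` print, flags Active keys older than 90 days, and reports whether an old key has still been signing requests since a cut-off time. The JSON samples, user name and key ids are constructed placeholders.

```python
import json
from datetime import datetime, timezone

MAX_KEY_AGE_DAYS = 90  # the benchmark's "90 days or less"
CHECK_TIME = datetime(2024, 7, 1, tzinfo=timezone.utc)  # assumed "now" for the sample

# Constructed sample of `aws iam list-access-keys --user-name alice` output.
# The key ids are placeholders, not real AWS identifiers.
SAMPLE_LIST_OUTPUT = json.dumps({"AccessKeyMetadata": [
    {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLE000000001",
     "Status": "Active", "CreateDate": "2024-01-15T00:00:00+00:00"},
    {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLE000000002",
     "Status": "Inactive", "CreateDate": "2024-05-01T00:00:00+00:00"},
    {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLE000000003",
     "Status": "Active", "CreateDate": "2024-04-02T00:00:00+00:00"},  # exactly 90 days
]})

# Constructed samples of `aws iam get-access-key-last-used` output: a key that
# was used recently, and a key that has never signed a request (no LastUsedDate).
SAMPLE_LAST_USED_OUTPUT = json.dumps({"UserName": "alice", "AccessKeyLastUsed": {
    "LastUsedDate": "2024-06-28T09:12:00+00:00", "ServiceName": "s3", "Region": "us-east-1"}})
SAMPLE_NEVER_USED_OUTPUT = json.dumps({"UserName": "alice", "AccessKeyLastUsed": {
    "ServiceName": "N/A", "Region": "N/A"}})


def key_age_days(create_date: str, now: datetime) -> int:
    """Whole days since the key was created (CreateDate is ISO 8601 with a UTC offset)."""
    return (now - datetime.fromisoformat(create_date)).days


def keys_needing_rotation(list_output: str, now: datetime, max_age_days: int = MAX_KEY_AGE_DAYS):
    """Active keys older than max_age_days, as (AccessKeyId, age_in_days) tuples.
    A key aged exactly max_age_days still satisfies "90 days or less". Inactive keys
    are skipped: they no longer sign requests and belong in the delete step."""
    meta = json.loads(list_output)["AccessKeyMetadata"]
    return [(k["AccessKeyId"], key_age_days(k["CreateDate"], now))
            for k in meta
            if k["Status"] == "Active" and key_age_days(k["CreateDate"], now) > max_age_days]


def old_key_still_in_use(last_used_output: str, since: datetime) -> bool:
    """True if the old key signed a request after `since` (for example the time the
    replacement key was issued), meaning something has not migrated yet and
    deactivating the old key would break it. A never-used key has no LastUsedDate."""
    info = json.loads(last_used_output)["AccessKeyLastUsed"]
    last = info.get("LastUsedDate")
    return last is not None and datetime.fromisoformat(last) > since


if __name__ == "__main__":
    print(keys_needing_rotation(SAMPLE_LIST_OUTPUT, CHECK_TIME))  # [('AKIAEXAMPLE000000001', 168)]
    print(old_key_still_in_use(SAMPLE_LAST_USED_OUTPUT, datetime(2024, 6, 27, tzinfo=timezone.utc)))  # True
```

Run the same functions over the real CLI output by piping `aws iam list-access-keys --user-name <user name>` into `keys_needing_rotation` with `now = datetime.now(timezone.utc)`.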