IAM user access keys should be rotated every 90 days or less
Description
Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests to AWS via the AWS CLI, PowerShell, or APIs. It is recommended that all access keys be rotated every 90 days or less.
CLI Remediation Steps
Rotate access keys within AWS CLI:
Create new access key:
aws iam create-access-key --user-name <user name>
Determine when the old key was last used:
aws iam get-access-key-last-used --access-key-id <id>
Change the old key’s status to inactive:
aws iam update-access-key --user-name <user name> --access-key-id <id> --status Inactive
Validate that the new access key is working and then delete the old key:
aws iam delete-access-key --user-name <user name> --access-key-id <id>