IAM user access keys should be rotated every 90 days or less


Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests to AWS via the AWS CLI, PowerShell, or APIs. It is recommended that all access keys be rotated every 90 days or less.
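To find which keys are past the 90-day limit, the IAM credential report can be filtered on its access_key_N_last_rotated columns. The script below is an added example, not part of the original page; the function names and the sample rows are constructed for illustration, and the sample carries only the columns the check needs.

```shell
#!/bin/sh
# Flag active IAM access keys older than a maximum age, from a credential report CSV.
# Live usage (after `aws iam generate-credential-report` has completed):
#   aws iam get-credential-report --query Content --output text | base64 -d \
#     | stale_keys "$(date -u +%Y-%m-%d)"

stale_keys() {
  # $1 = reference date (YYYY-MM-DD), $2 = max age in days (default 90); CSV on stdin
  awk -F, -v today="$1" -v max="${2:-90}" '
    # Days since 1970-01-01 for a Gregorian date, using integer arithmetic only,
    # so it works in any POSIX awk without mktime.
    function days(d,   y, m, dd, era, yoe, doy, doe) {
      y = substr(d, 1, 4) + 0; m = substr(d, 6, 2) + 0; dd = substr(d, 9, 2) + 0
      if (m <= 2) y--
      era = int(y / 400)
      yoe = y - era * 400
      doy = int((153 * (m + (m > 2 ? -3 : 9)) + 2) / 5) + dd - 1
      doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
      return era * 146097 + doe - 719468
    }
    NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }  # header name -> column
    {
      for (k = 1; k <= 2; k++) {
        active  = $(col["access_key_" k "_active"])
        rotated = $(col["access_key_" k "_last_rotated"])
        # Skip inactive keys and placeholder values such as N/A
        if (active != "true" || rotated !~ /^[0-9][0-9][0-9][0-9]-/) continue
        age = days(today) - days(rotated)
        if (age > max) printf "%s key%d %d\n", $(col["user"]), k, age
      }
    }'
}

# Constructed sample rows (not real accounts), reduced to the relevant columns.
sample_report() {
  cat <<'EOF'
user,arn,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
alice,arn:aws:iam::123456789012:user/alice,true,2024-01-15T09:00:00+00:00,false,N/A
bob,arn:aws:iam::123456789012:user/bob,true,2024-05-01T12:00:00+00:00,true,2023-11-30T08:30:00+00:00
carol,arn:aws:iam::123456789012:user/carol,false,2023-01-01T00:00:00+00:00,false,N/A
EOF
}
```

Each output line is the user name, the key slot (key1 or key2) and the key's age in days; inactive keys are skipped.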

Console Remediation Steps

  • Navigate to IAM.

  • Follow the instructions described here.

CLI Remediation Steps

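  • Rotate access keys with the AWS CLI:

    • aws iam create-access-key --user-name <user-name>

    • aws iam get-access-key-last-used --access-key-id <old-access-key-id>

    • aws iam update-access-key --user-name <user-name> --access-key-id <old-access-key-id> --status Inactive

  • Validate that the new access key is working and then delete the old key.

    • aws iam delete-access-key --user-name <user-name> --access-key-id <old-access-key-id>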