Rotating Access Keys
How to Protect Access Keys
AWS access keys need to be protected. AWS explains, “Access keys consist of two parts: an access key ID and a secret access key. Like a user name and password, you must use both the access key ID and secret access key together to authenticate your requests. Manage your access keys as securely as you do your user name and password.” Best practices for managing and protecting access keys include not creating a root user access key, using IAM roles instead of long-term access keys, and establishing a key rotation schedule. We recommend rotating access keys every 90 days.
To learn more, visit the AWS best practices for managing AWS access keys.
AWS access keys allow users to execute programmatic commands against their AWS environment. As such, it’s very critical that these keys are protected. To limit the exposure of potentially compromised keys, the organization should rotate their keys every 90 days. To see the last time your keys rotated, log into your AWS Management Console, go to the IAM Dashboard, then use the generate credential report to generate an AWS credentials report. This will allow users to see the last time that their keys were rotated. Users can also generate the credentials report using the AWS CLI, using the generate credentials report command.