AWS Identity and Access Management
Using IAM (API Version 2010-05-08)
Did this page help you?  Yes | No |  Tell us about it...
« PreviousNext »
View the PDF for this guide.Go to the AWS Discussion Forum for this product.Go to the Kindle Store to download this guide in Kindle format.

Rotating Credentials

As a security best practice, we recommend that you, an administrator, or your users regularly rotate (change) the credentials for IAM users in your account. You can apply a password policy to your account to require all your IAM users to rotate their passwords, and you can choose how often they must do so.

For more information about setting a password policy in your account, see Setting an Account Password Policy for IAM Users.


If you use the AWS account credentials on a regular basis, we recommend that you also regularly rotate those. The account password policy does not apply to the AWS account credentials. IAM users cannot manage credentials for the AWS account, so you must use the AWS account's credentials (not a user's) to change the AWS account credentials. Note that we recommend against using the AWS account credentials for everyday work in AWS.

The following steps describe the general process for rotating either an access key or a certificate without interrupting your applications. These steps show the CLI and API commands for rotating credentials. You can also perform these tasks using the console; for details, see Creating, Modifying, and Viewing User Access Keys (AWS Management Console).

  1. While the first set of credentials is still active, create a second set of credentials (or upload a second one, in the case of a certificate), which will be active by default. At this point, the user has two active sets of credentials.

    CLI: aws iam create-access-key or aws iam upload-signing-certificate

    API: CreateAccessKey or UploadSigningCertificate

  2. Update all applications to use the new credentials.

  3. Change the state of the first set of credentials to Inactive.

    CLI: aws iam update-access-key or aws iam update-signing-certificate

    API: UpdateAccessKey or UpdateSigningCertificate

  4. Using only the new credentials, confirm that your applications are working well. If you need to, you can revert to using the original set of credentials by switching its state back to Active.

  5. Delete the first set of credentials.

    CLI: aws iam delete-access-key or aws iam delete-signing-certificate

    API: DeleteAccessKey or DeleteSigningCertificate

For more information, see the following: