AWS Identity and Access Management
Using IAM (API Version 2010-05-08)

Rotating Credentials

As a security best practice, we recommend that you, an administrator, or your users regularly rotate (change) the credentials for IAM users in your account. You can apply a password policy to your account to require all your IAM users to rotate their passwords, and you can choose how often they must do so.

For more information about setting a password policy in your account, see Setting an Account Password Policy for IAM Users.

Important

If you use the AWS account credentials on a regular basis, we recommend that you also regularly rotate those. The account password policy does not apply to the AWS account credentials. IAM users cannot manage credentials for the AWS account, so you must use the AWS account's credentials (not a user's) to change the AWS account credentials. Note that we recommend against using the AWS account credentials for everyday work in AWS.

The following steps describe the general process for rotating an access key without interrupting your applications. These steps show the CLI and API commands for rotating access keys. You can also perform these tasks using the console; for details, see Creating, Modifying, and Viewing User Access Keys (AWS Management Console).

  1. While the first access key is still active, create a second access key, which will be active by default. At this point, the user has two active access keys.

    CLI: aws iam create-access-key

    API: CreateAccessKey

  2. Update all applications to use the new access key.

  3. Change the state of the first access key to Inactive.

    CLI: aws iam update-access-key

    API: UpdateAccessKey

  4. Using only the new access key, confirm that your applications are working well. If you need to, you can revert to using the original access key by switching its state back to Active.

  5. Delete the first access key.

    CLI: aws iam delete-access-key

    API: DeleteAccessKey
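The five steps above as one rotation routine, written as an added example rather than code from the AWS documentation. The `iam` argument is assumed to be a boto3-style IAM client; `deploy_key` and `health_check` are hypothetical hooks the caller supplies, and `FakeIam` is a constructed in-memory stand-in so the routine runs offline.

```python
# Added example (not from the AWS docs): zero-downtime access-key rotation
# following the five steps above. `iam` is assumed to be a boto3-style IAM
# client; deploy_key and health_check are hypothetical caller-supplied hooks.

def rotate_access_key(iam, user_name, deploy_key, health_check):
    # IAM allows at most two access keys per user, so step 1 can only succeed
    # when exactly one key exists; refuse to start otherwise.
    existing = iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]
    if len(existing) != 1:
        raise RuntimeError(f"expected one key for {user_name}, found {len(existing)}")
    old_id = existing[0]["AccessKeyId"]
    # Step 1: create the second key while the first is still active.
    new = iam.create_access_key(UserName=user_name)["AccessKey"]
    new_id = new["AccessKeyId"]
    # Step 2: roll the new key out to the application.
    deploy_key(new_id, new["SecretAccessKey"])
    # Step 3: deactivate, but do not yet delete, the original key.
    iam.update_access_key(UserName=user_name, AccessKeyId=old_id, Status="Inactive")
    # Step 4: confirm the application works with only the new key; if not,
    # reactivate the original and stop so an operator can investigate.
    if not health_check():
        iam.update_access_key(UserName=user_name, AccessKeyId=old_id, Status="Active")
        return {"rotated": False, "active": old_id, "pending": new_id}
    # Step 5: only after a successful check is the original key deleted.
    iam.delete_access_key(UserName=user_name, AccessKeyId=old_id)
    return {"rotated": True, "active": new_id, "deleted": old_id}


class FakeIam:
    """Constructed in-memory stand-in for the IAM client so this runs offline."""

    def __init__(self, keys):
        self.keys = dict(keys)  # AccessKeyId -> Status
        self.created = 0

    def list_access_keys(self, UserName):
        meta = [{"AccessKeyId": k, "Status": s} for k, s in self.keys.items()]
        return {"AccessKeyMetadata": meta}

    def create_access_key(self, UserName):
        if len(self.keys) >= 2:  # mirrors IAM's two-keys-per-user limit
            raise RuntimeError("LimitExceeded")
        self.created += 1
        key_id = f"AKIAEXAMPLENEW{self.created}"  # constructed placeholder id
        self.keys[key_id] = "Active"
        return {"AccessKey": {"AccessKeyId": key_id, "SecretAccessKey": "constructed"}}

    def update_access_key(self, UserName, AccessKeyId, Status):
        self.keys[AccessKeyId] = Status

    def delete_access_key(self, UserName, AccessKeyId):
        del self.keys[AccessKeyId]
```

On a failed health check the routine leaves both keys active and returns the pending key id, so nothing is destroyed before someone has looked at why the new key did not work.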

For more information, see the following: