As a security best practice, we recommend that you, an administrator, or your users regularly rotate (change) the credentials for IAM users in your account. You can apply a password policy to your account to require all your IAM users to rotate their passwords, and you can choose how often they must do so.
For more information about setting a password policy in your account, see Setting an Account Password Policy for IAM Users.
If you use the AWS account credentials on a regular basis, we recommend that you also regularly rotate those. The account password policy does not apply to the AWS account credentials. IAM users cannot manage credentials for the AWS account, so you must use the AWS account's credentials (not a user's) to change the AWS account credentials. Note that we recommend against using the AWS account credentials for everyday work in AWS.
The following steps describe the general process for rotating an access key without interrupting your applications. These steps show the CLI and API commands for rotating access keys. You can also perform these tasks using the console; for details, see Creating, Modifying, and Viewing User Access Keys (AWS Management Console).
1. While the first access key is still active, create a second access key, which will be active by default. At this point, the user has two active access keys.
2. Update all applications to use the new access key.
3. Change the state of the first access key to
4. Using only the new access key, confirm that your applications are working well. If you need to, you can revert to using the original access key by switching its state back
5. Delete the first access key.
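The rotation steps above can be scripted with the AWS CLI. The following is an added example, not taken from the AWS documentation; the function names and the two guard checks (refusing to create a third key, refusing to delete a key that is still Active) are this example's own, and it assumes the AWS CLI is installed and the caller is allowed to manage the user's access keys.

```bash
# Added example: staged access-key rotation for one IAM user.
# The user name and key IDs are passed as arguments by the caller.

# Print "<AccessKeyId> <Status>" for each of the user's keys, one per line.
list_keys() {
  aws iam list-access-keys --user-name "$1" \
    --query 'AccessKeyMetadata[].[AccessKeyId,Status]' --output text
}

# First step: create the second key. IAM allows at most two access keys per
# user, so stop if a leftover key from an earlier rotation is still present.
create_second_key() {
  local count
  count=$(list_keys "$1" | awk 'NF { n++ } END { print n + 0 }')
  if [ "$count" -ge 2 ]; then
    echo "user $1 already has $count keys; delete the unused one first" >&2
    return 1
  fi
  aws iam create-access-key --user-name "$1"
}

# After applications are updated: show when the old key was last used, to
# confirm that nothing still depends on it before changing its state.
old_key_last_used() {
  aws iam get-access-key-last-used --access-key-id "$1" \
    --query 'AccessKeyLastUsed.LastUsedDate' --output text
}

# State change (and rollback): set a key's status to Inactive or Active.
set_key_status() {
  aws iam update-access-key --user-name "$1" --access-key-id "$2" --status "$3"
}

# Last step: delete the old key, but only once it is Inactive, so a key that
# applications may still be using is never removed in a single action.
delete_old_key() {
  local status
  status=$(list_keys "$1" | awk -v id="$2" '$1 == id { print $2 }')
  if [ "$status" != "Inactive" ]; then
    echo "key $2 is '${status:-missing}', not Inactive; refusing to delete" >&2
    return 1
  fi
  aws iam delete-access-key --user-name "$1" --access-key-id "$2"
}
```

The secret access key is returned only by `create-access-key`, so capture that output directly into your secret store rather than a terminal or log.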
For more information, see the following:
How to rotate access keys for IAM users. This entry on the AWS Security Blog provides more information on key rotation.
Creating, Modifying, and Viewing User Access Keys (AWS Management Console). This page describes how to use the AWS Management Console to manage access keys.
Permissions for Administering IAM Users, Groups, and Credentials. This page discusses how to grant permissions to IAM users so that they can manage their own credentials, including access keys.
IAM Best Practices. This page provides general recommendations for helping to secure your AWS resources.
Setting an Account Password Policy for IAM Users. This topic describes how to set a password policy on your AWS account, including how to require that IAM users rotate their passwords after a specified number of days.