As a security best practice, we recommend that you, an administrator, or your users regularly rotate (change) the credentials for IAM users in your account. You can apply a password policy to your account to require all your IAM users to rotate their passwords, and you can choose how often they must do so.
For more information about setting a password policy in your account, see Setting an Account Password Policy for IAM Users.
If you use the AWS account credentials on a regular basis, we recommend that you also regularly rotate those. The account password policy does not apply to the AWS account credentials. IAM users cannot manage credentials for the AWS account, so you must use the AWS account's credentials (not a user's) to change the AWS account credentials. Note that we recommend against using the AWS account credentials for everyday work in AWS.
The following steps describe the general process for rotating either an access key or a certificate without interrupting your applications. These steps show the CLI and API commands for rotating credentials. You can also perform these tasks using the console; for details, see Creating, Modifying, and Viewing User Access Keys (AWS Management Console).
1. While the first set of credentials is still active, create a second set of credentials (or upload a second one, in the case of a certificate). A newly created set is active by default, so at this point the user has two active sets of credentials. IAM allows at most two access keys per user, so a rotation left half-finished blocks the next one.
2. Update all applications to use the new credentials.
3. Deactivate the first set of credentials. Do not delete it yet: deactivation is reversible, deletion is not.
4. Using only the new credentials, confirm that your applications are working well. If you need to, you can revert to using the original set of credentials by reactivating it.
5. Delete the first set of credentials.
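The steps above, carried out programmatically with rollback and a check for consumers the switch-over missed, as an added example that is not code from the AWS documentation. `rotate_access_key()` takes any object with the boto3 IAM client interface (`list_access_keys`, `create_access_key`, `update_access_key`, `get_access_key_last_used`, `delete_access_key`); `FakeIAM`, the key IDs, the user name `deploy-bot` and the `mark_used` hook are constructed stand-ins so the module runs offline. `keys_due_for_rotation()` goes one step beyond the text: it flags keys older than a chosen interval, the access-key equivalent of what an account password policy enforces for passwords.

```python
"""Zero-downtime rotation of an IAM user's access key (added example, not
AWS documentation code). rotate_access_key() takes any object with the
boto3 IAM client interface; FakeIAM is a constructed in-memory stand-in
with the same method names and response shapes so the module runs offline.
"""
from datetime import datetime, timedelta, timezone


class FakeIAM:
    """Constructed stand-in for boto3.client("iam"); not a real AWS client."""

    def __init__(self, user_name, existing_key_ids):
        created = datetime(2023, 1, 1, tzinfo=timezone.utc)  # constructed age
        self.keys = {kid: {"UserName": user_name, "AccessKeyId": kid,
                           "Status": "Active", "CreateDate": created}
                     for kid in existing_key_ids}
        self.last_used = {}  # AccessKeyId -> datetime of last successful use
        self.calls = []      # audit trail of mutating calls
        self._n = 0

    def mark_used(self, AccessKeyId):  # test hook, not an IAM API
        self.last_used[AccessKeyId] = datetime.now(timezone.utc)

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [dict(k) for k in self.keys.values()
                                      if k["UserName"] == UserName]}

    def create_access_key(self, UserName):
        if sum(k["UserName"] == UserName for k in self.keys.values()) >= 2:
            raise RuntimeError("LimitExceeded: IAM allows 2 access keys per user")
        self._n += 1
        kid = f"AKIAFAKENEW{self._n:09d}"  # constructed 20-char ID, not a real key
        key = {"UserName": UserName, "AccessKeyId": kid, "Status": "Active",
               "CreateDate": datetime.now(timezone.utc)}
        self.keys[kid] = key
        self.calls.append(("create", kid))
        return {"AccessKey": dict(key, SecretAccessKey=f"constructed-secret-{self._n}")}

    def update_access_key(self, UserName, AccessKeyId, Status):
        self.keys[AccessKeyId]["Status"] = Status
        self.calls.append(("update", AccessKeyId, Status))

    def get_access_key_last_used(self, AccessKeyId):
        used = {"ServiceName": "N/A", "Region": "N/A"}  # IAM's shape for a never-used key
        if AccessKeyId in self.last_used:
            used = {"LastUsedDate": self.last_used[AccessKeyId],
                    "ServiceName": "s3", "Region": "us-east-1"}
        return {"UserName": self.keys[AccessKeyId]["UserName"], "AccessKeyLastUsed": used}

    def delete_access_key(self, UserName, AccessKeyId):
        del self.keys[AccessKeyId]
        self.calls.append(("delete", AccessKeyId))


def keys_due_for_rotation(iam, user_name, max_age_days, now=None):
    """IDs of keys older than the rotation interval; a password policy does
    this for passwords, but access-key age has to be checked by hand."""
    cutoff = (now or datetime.now(timezone.utc)) - timedelta(days=max_age_days)
    meta = iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]
    return [k["AccessKeyId"] for k in meta if k["CreateDate"] <= cutoff]


def rotate_access_key(iam, user_name, deploy_new_key, verify_apps):
    """Create -> switch -> deactivate -> verify -> delete, with rollback.
    deploy_new_key(key_id, secret) pushes the new credentials to every
    consumer; verify_apps() returns True once they work on the new key alone."""
    meta = iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]
    if len(meta) != 1:
        # Two keys: an earlier rotation was never finished and the 2-key limit
        # would block create_access_key. Zero: nothing to rotate. Don't guess.
        raise RuntimeError(f"{user_name} has {len(meta)} access keys, expected 1")
    old_id = meta[0]["AccessKeyId"]

    new = iam.create_access_key(UserName=user_name)["AccessKey"]  # both active now
    switched_at = datetime.now(timezone.utc)
    deploy_new_key(new["AccessKeyId"], new["SecretAccessKey"])

    # A consumer still signing with the old key after the switch was missed by
    # the deployment. IAM reports last-used data with a delay, so a clean
    # result is not proof; deactivating below is the real test.
    used = iam.get_access_key_last_used(AccessKeyId=old_id)["AccessKeyLastUsed"]
    straggler = "LastUsedDate" in used and used["LastUsedDate"] >= switched_at

    iam.update_access_key(UserName=user_name, AccessKeyId=old_id, Status="Inactive")
    if not verify_apps():  # roll back: old key live again, new key parked
        iam.update_access_key(UserName=user_name, AccessKeyId=old_id, Status="Active")
        iam.update_access_key(UserName=user_name, AccessKeyId=new["AccessKeyId"],
                              Status="Inactive")
        return {"status": "rolled-back", "active_key": old_id,
                "parked_key": new["AccessKeyId"], "straggler": straggler}

    iam.delete_access_key(UserName=user_name, AccessKeyId=old_id)  # irreversible
    return {"status": "rotated", "active_key": new["AccessKeyId"],
            "deleted_key": old_id, "straggler": straggler}
```

Against a real account, pass `boto3.client("iam")` in place of `FakeIAM` and put the actual configuration push (secrets manager update, restart, config reload) in `deploy_new_key`; `verify_apps` is whatever health check proves the consumers are authenticating with the new key alone. The two-key guard at the top is deliberate: a user that already has two keys is a rotation someone abandoned, and the right move is to find out which key is live, not to create a third (which IAM would refuse anyway).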
For more information, see the following:
How to rotate access keys for IAM users. This entry on the AWS Security Blog provides more information on key rotation.
Creating, Modifying, and Viewing User Access Keys (AWS Management Console). This page describes how to use the AWS Management Console to manage access keys.
Permissions for Administering IAM Users, Groups, and Credentials. This page discusses how to grant permissions to IAM users so that they can manage their own credentials, including access keys.
IAM Best Practices. This page provides general recommendations for helping to secure your AWS resources.
Setting an Account Password Policy for IAM Users. This topic describes how to set a password policy on your AWS account, including how to require that IAM users rotate their passwords after a specified number of days.