Automatically rotate IAM user access keys - AWS Prescriptive Guidance

Created by Tracy Pierce (AWS) and Laura Seletos (AWS)

Environment: PoC or pilot

Technologies: Security, identity, compliance

AWS services: Amazon SNS; AWS CloudFormation; Amazon DynamoDB; AWS Identity and Access Management; AWS Lambda; Amazon S3

Summary

Access keys are long-term credentials for an AWS Identity and Access Management (IAM) user or the Amazon Web Services (AWS) account root user. Regularly rotating your IAM credentials helps prevent a compromised set of IAM access keys from accessing components in your AWS account. Rotating IAM credentials is also an important part of security best practices in IAM.

This pattern helps you automatically rotate IAM access keys with an AWS CloudFormation template. By using this pattern, you can ensure that the following actions are performed:

  • New IAM access keys are generated when existing access keys are 90 days old.

  • The new access keys are stored as a secret in AWS Secrets Manager. A resource-based policy allows only the specified IAM principal to access and retrieve the secret.

  • The account owner of the new access keys receives a notification email.

  • The previous access keys are deactivated at 100 days old.

  • The previous access keys are then deleted at 110 days old.

AWS Lambda functions and Amazon EventBridge automatically perform these actions. You can then retrieve the new access key pair and replace the old pair in your code or applications.
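The rotation schedule above and the secret's resource-based policy, as an added Python example that is not code from the aws-iam-access-key-auto-rotation repository: it applies the 90/100/110-day thresholds to access-key metadata shaped like the output of the IAM ListAccessKeys API and builds the policy document that grants one principal read access to the stored secret. The key IDs, ARNs and dates are constructed samples, and the function names are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Thresholds from the pattern: rotate at 90, deactivate at 100, delete at 110 days.
ROTATE_AFTER_DAYS = 90
DEACTIVATE_AFTER_DAYS = 100
DELETE_AFTER_DAYS = 110
MAX_KEYS_PER_USER = 2  # IAM permits at most two access keys per user


def make_key(key_id, status, age_days, now):
    """Build a constructed AccessKeyMetadata-style dict for a key aged age_days."""
    return {"AccessKeyId": key_id, "Status": status,
            "CreateDate": now - timedelta(days=age_days)}


def plan_key_actions(keys, now):
    """Return (AccessKeyId, action) pairs for one user's keys.
    keys: dicts shaped like iam.list_access_keys()["AccessKeyMetadata"]; now: tz-aware datetime.
    Actions: "rotate" (create a replacement), "deactivate" (Status=Inactive), "delete".
    """
    actions = []
    for key in keys:
        age = (now - key["CreateDate"]).days
        active = key["Status"] == "Active"
        if age >= DELETE_AFTER_DAYS:
            actions.append((key["AccessKeyId"], "delete"))
        elif age >= DEACTIVATE_AFTER_DAYS and active:
            actions.append((key["AccessKeyId"], "deactivate"))
        elif age >= ROTATE_AFTER_DAYS and active and len(keys) < MAX_KEYS_PER_USER:
            # A replacement can only be created while the user holds a single key.
            actions.append((key["AccessKeyId"], "rotate"))
    return actions


def secret_resource_policy(principal_arn, secret_arn):
    """Resource-based policy granting principal_arn read access to the secret.
    An Allow grants the named principal; it does not by itself block other
    same-account identities that hold identity-based Secrets Manager permissions."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Principal": {"AWS": principal_arn},
                           "Action": "secretsmanager:GetSecretValue",
                           "Resource": secret_arn}]}


# Constructed sample: a single 95-day-old active key, so a replacement is due.
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_KEYS = [make_key("AKIAEXAMPLEOLD00001", "Active", 95, SAMPLE_NOW)]
```

In the deployed pattern the "rotate" action would be followed by CreateAccessKey and a PutSecretValue on the secret; the planner here only decides which of the three steps each key is due for.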

Prerequisites and limitations

Prerequisites

  • An active AWS account.

  • An IAM principal with permissions to launch the AWS CloudFormation template and associated resources. For more information about this, see Grant self-managed permissions in the AWS CloudFormation documentation.

  • The csv-to-s3-account-emails.csv file from the GitHub aws-iam-access-key-auto-rotation repository must be updated to include your AWS account IDs and relevant email addresses.

  • An existing Amazon Simple Storage Service (Amazon S3) bucket in the US East (N. Virginia) Region (us-east-1).

  • Amazon Simple Email Service (Amazon SES) must be out of the sandbox. For more information, see Moving out of the Amazon SES sandbox in the Amazon SES documentation.

Architecture

Technology stack

  • Amazon DynamoDB

  • EventBridge

  • IAM

  • Lambda

  • Secrets Manager

  • Amazon SES

  • Amazon Simple Notification Service (Amazon SNS)

Automation and scale

If you use AWS Organizations, you can use AWS CloudFormation StackSets to deploy this template in multiple accounts.

Tools

  • Amazon DynamoDB – Amazon DynamoDB is a fully managed NoSQL database service that provides fast and predictable performance with seamless scalability.

  • Amazon EventBridge – Amazon EventBridge is a serverless event bus service that makes it easy to connect your applications with data from a variety of sources.

  • AWS Identity and Access Management – AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources.

  • AWS Lambda – AWS Lambda is a compute service that helps you run code without provisioning or managing servers.

  • AWS Secrets Manager – AWS Secrets Manager helps you to securely encrypt, store, and retrieve credentials for your databases and other services.

  • Amazon SES – Amazon Simple Email Service (Amazon SES) is a reliable, scalable, and cost-effective email service that helps you send notification emails.

  • Amazon SNS – Amazon Simple Notification Service (Amazon SNS) is a managed service that provides message delivery from publishers to subscribers.

Code

The required AWS CloudFormation templates and Python scripts are available in the GitHub aws-iam-access-key-auto-rotation repository.

Epics

Task: Choose your deployment S3 bucket.

Description: Sign in to the AWS Management Console, open the Amazon S3 console, and then choose the S3 bucket for your deployment.

Important: The S3 bucket must be in the US East (N. Virginia) Region (us-east-1).

Skills required: Cloud architect

Task: Clone the repository.

Description: Clone the GitHub aws-iam-access-key-auto-rotation repository to your local desktop.

Skills required: Cloud architect

Task: Upload the files to the S3 bucket.

Description: Upload the cloned files to your S3 bucket.

Launch the iam-key-auto-rotation-and-notifier.yaml template and follow the steps on the AWS CloudFormation console to create your resources. For more information about this, see Selecting a stack template in the AWS CloudFormation documentation.

Make sure that you provide the following parameters for the AWS CloudFormation template:

  • The name of the deployment S3 bucket that contains your Lambda code.

  • The S3 bucket’s prefix.

  • A name for the new S3 bucket for DynamoDB.

  • The name of the .csv file (including the suffix) that you want to import to DynamoDB. By default, the name provided is csv-to-s3-account-emails.csv.

  • A name for the DynamoDB table.

  • A valid email address that can be used in the "sent from" section of email notifications.

Skills required: Cloud architect

Task: Upload the .csv file to the new S3 bucket.

Description: Upload the csv-to-s3-account-emails.csv file to the newly created S3 bucket for DynamoDB. This automatically begins the data import into your DynamoDB table.

Important: You must update the csv-to-s3-account-emails.csv file to include your AWS account IDs and relevant email addresses.

Skills required: Cloud architect