As a security best practice, AWS recommends that administrators require IAM users to periodically regenerate their API access keys. This aws-rotate-key tool lets users easily rotate the AWS access keys defined in their local AWS credentials file, one profile per run.
The program uses the AWS API to check which access keys exist for the user behind the provided profile. If only one access key exists, it creates a new key, updates your credentials file to use it, and then deactivates the old key. The old key is only deactivated (not deleted), so that if you later find out you use it elsewhere, you can open the AWS console and reactivate it.

If two access keys exist (the maximum IAM allows per user), you will be asked whether you want to delete the key which is not currently configured in your credentials file, to free a slot for the rotation. The program then performs the same rotation logic on the remaining key. With -d the old key is deleted instead of deactivated; this cannot be undone, so only use it when you are sure the key is not used anywhere else.
Usage of aws-rotate-key:
  -profile string
        The profile to use. (default "default")
  -version
        Print version number (1.0.4)
  -y
        Automatic "yes" to prompts.
  -d
        Delete old key without deactivation.
  someone$ aws-rotate-key --profile primary
  Using access key A123 from profile "primary".
  Your user arn is: arn:aws:iam::123456789012:user/[email protected]
  You have 2 access keys associated with your user:
  - A123 (Inactive, created 2015-01-01 02:55:00 +0000 UTC, last used 2016-01-01 00:02:00 +0000 UTC for service sts in us-east-1)
  - B123 (Active, created 2016-01-01 00:02:47 +0000 UTC, last used 2016-01-01 00:03:00 +0000 UTC for service s3 in N/A)
  You have two access keys, which is the max number of access keys.
  Do you want to delete A123 and create a new key? [yN] y
  Deleted access key A123.
  Created access key C123.
  Wrote new key pair to /Users/someone/.aws/credentials
  Deactivated old access key B123.
  Please make sure this key is not used elsewhere.
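The rotation logic described above and shown in the session, as an added example in Go (not the tool's own code): PlanRotation turns the user's key listing plus the key ID found in the credentials file into an ordered list of steps, refusing to proceed if the configured key is not attached to the user or if the listing is inconsistent, and RewriteCredentials swaps the key pair inside one profile section of an ini-style credentials file without touching other profiles. The function names, the Action type and the sample credentials text are mine; the IAM calls themselves are left out so the code runs offline.

```go
package main

import (
	"fmt"
	"strings"
)

// AccessKey is the subset of iam:ListAccessKeys output the decision needs.
// Status is the "Active"/"Inactive" string IAM reports.
type AccessKey struct {
	ID     string
	Status string
}

// Action is one step of a rotation plan. Op is "delete", "create", "write"
// (update the local credentials file) or "deactivate"; KeyID is the target
// for delete/deactivate. "write" is ordered before "deactivate" on purpose:
// if the file update fails, the profile still holds a working key.
type Action struct {
	Op    string
	KeyID string
}

// PlanRotation applies the logic described above. keys is the user's key
// listing, current is the key ID found in the credentials file, and deleteOld
// mirrors the -d flag (delete the old key instead of deactivating it). The
// caller is expected to confirm any "delete" of a key other than current,
// as the tool does when -y is not given.
func PlanRotation(keys []AccessKey, current string, deleteOld bool) ([]Action, error) {
	found := false
	var others []string
	for _, k := range keys {
		if k.ID == current {
			found = true
		} else {
			others = append(others, k.ID)
		}
	}
	if !found {
		return nil, fmt.Errorf("key %s from the credentials file is not attached to this user", current)
	}
	if len(others) > 1 { // IAM allows two keys per user; anything more is a bad listing
		return nil, fmt.Errorf("unexpected number of access keys: %d", len(keys))
	}
	var plan []Action
	for _, id := range others { // the second slot must be freed before CreateAccessKey
		plan = append(plan, Action{"delete", id})
	}
	plan = append(plan, Action{"create", ""}, Action{"write", ""})
	oldOp := "deactivate"
	if deleteOld {
		oldOp = "delete"
	}
	return append(plan, Action{oldOp, current}), nil
}

// RewriteCredentials replaces the key pair inside the [profile] section of an
// ini-style credentials file and returns the new contents; other profiles and
// settings such as region are left untouched.
func RewriteCredentials(content, profile, newID, newSecret string) (string, error) {
	lines := strings.Split(content, "\n")
	inProfile, replaced := false, 0
	for i, line := range lines {
		t := strings.TrimSpace(line)
		if strings.HasPrefix(t, "[") && strings.HasSuffix(t, "]") {
			inProfile = strings.TrimSpace(t[1:len(t)-1]) == profile
			continue
		}
		if !inProfile || !strings.Contains(t, "=") {
			continue
		}
		switch strings.TrimSpace(strings.SplitN(t, "=", 2)[0]) {
		case "aws_access_key_id":
			lines[i] = "aws_access_key_id = " + newID
			replaced++
		case "aws_secret_access_key":
			lines[i] = "aws_secret_access_key = " + newSecret
			replaced++
		}
	}
	if replaced != 2 {
		return "", fmt.Errorf("profile %q does not carry a complete key pair", profile)
	}
	return strings.Join(lines, "\n"), nil
}

func main() {
	// Constructed input matching the two-key session above: B123 is the key in
	// the "primary" profile, A123 is the inactive leftover from a past rotation.
	plan, err := PlanRotation([]AccessKey{{"A123", "Inactive"}, {"B123", "Active"}}, "B123", false)
	if err != nil {
		panic(err)
	}
	fmt.Println(plan)
	creds := "[primary]\naws_access_key_id = B123\naws_secret_access_key = OLDSECRET\nregion = us-east-1\n"
	out, err := RewriteCredentials(creds, "primary", "C123", "NEWSECRET")
	if err != nil {
		panic(err)
	}
	fmt.Print(out)
}
```

Two points of the ordering are worth keeping whatever tool you use: free the second slot before calling CreateAccessKey (it fails when two keys already exist), and write the new pair to the credentials file before deactivating the old key, so an interrupted run never leaves the profile without a usable key. Since the new secret lands in plaintext in ~/.aws/credentials, check afterwards that the file is readable only by your user.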
You can download the 64-bit binaries from the releases section of this repository. Or, on macOS, you can use our Homebrew tap:

  brew tap fullscreen/tap
  brew install aws-rotate-key
  aws-rotate-key
Make sure your users have permission to manage their own access keys via the API. The AWS documentation explains the required permissions, and the following IAM policy should get you set up. The `${aws:username}` policy variable (which needs the 2012-10-17 policy version) scopes every action to the calling user's own IAM user, so users can rotate their own keys but nobody else's:

  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Action": [
          "iam:ListAccessKeys",
          "iam:GetAccessKeyLastUsed",
          "iam:DeleteAccessKey",
          "iam:CreateAccessKey",
          "iam:UpdateAccessKey"
        ],
        "Effect": "Allow",
        "Resource": [
          "arn:aws:iam::AWS_ACCOUNT_ID:user/${aws:username}"
        ]
      }
    ]
  }

Replace AWS_ACCOUNT_ID with your AWS account ID.
To download and hack on the source code, run:

  $ go get -u github.com/Fullscreen/aws-rotate-key
  $ cd $GOPATH/src/github.com/Fullscreen/aws-rotate-key
  $ go build