Ensure access keys are rotated every 90 days or less

1.4 Identity and Access Management (AWS CIS Benchmark).


Access keys consist of an access key ID and a secret access key, which are used together to sign programmatic requests that you make to AWS.

AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services.

It is recommended that all access keys be regularly rotated.

Rotate access keys via the AWS Management Console

Step 1. Log in to the AWS Management Console at https://console.aws.amazon.com/vpc/home.

Step 2. Click on Services.

Step 3. Click on IAM.

Step 4. Click on Users.

Step 5. Click on Security Credentials.

Step 6. As an Administrator, click on Make Inactive for keys that have not been rotated in 90 days.

As an IAM User, click on Make Inactive or Delete for keys that have not been rotated or used in 90 days.

Step 7. Click on Create Access Key.

Step 9. Update programmatic calls with the new access key credentials.

Rotate access keys via CLI

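Run the following commands, replacing the placeholders with the user name and the ID of the key being rotated:

aws iam update-access-key --access-key-id <access-key-id> --status Inactive --user-name <user-name>

aws iam create-access-key --user-name <user-name>

aws iam delete-access-key --access-key-id <access-key-id> --user-name <user-name>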