Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services.
Rotating access keys will reduce the window of opportunity for an access key that is associated with a compromised or terminated account to be used. Access keys should be rotated to ensure that data cannot be accessed with an old key that might have been lost, cracked, or stolen.
By rotating access keys every 90 days, you can make your AWS account more secure and reliable.
By default, AWS does not rotate access keys at any time; you need to rotate them periodically yourself.
- Sign in to the AWS Management Console.
- Navigate to the IAM service at https://console.aws.amazon.com/iam/.
- Click Users in the left navigation pane.
- Click the username that you want to check.
- Select the Security Credentials tab and go to the Access keys section.
- In the Access keys section, check the Created column to see when each key was created.
- If a key was created more than 90 days ago, follow the implementation steps to rotate it.
Using AWS CLI:
This command lists the access keys for a user:
aws iam list-access-keys --user-name ABC
Alternatively, you can use a credential report.
Using AWS CLI, mark the old access key as inactive:
aws iam update-access-key --access-key-id <ABCDE> --status Inactive --user-name <ABC>
If you lose or forget your secret key, you cannot retrieve it. Instead, create a new access key and make the old key inactive.