Profile Applicability:
Level 1


Description:
This control ensures that IAM user access keys are rotated every 90 days or less to reduce the risk of unauthorized access caused by exposed, compromised, or outdated credentials. Regular rotation limits the potential damage from stolen access keys and enforces better credential hygiene for AWS accounts.


Rationale:
Access keys that remain active for long periods increase the risk of misuse if compromised. Rotating access keys frequently — ideally every 90 days or less — ensures that outdated keys are revoked promptly, helping maintain strong identity security and compliance with security frameworks like CIS, SOC 2, ISO 27001, and NIST 800-53. This practice is especially important for accounts used in automation scripts or API calls.


Impact:
Positive Impact: Improves account security by limiting exposure from compromised credentials and maintaining compliance with identity and access management best practices.
Negative Impact: Requires periodic operational updates in scripts, applications, or systems using programmatic access keys.


Default Value:
By default, AWS does not automatically rotate access keys. Rotation must be managed manually or via automation.

Pre-Requisite:

  • IAM permissions required: iam:ListUsers, iam:ListAccessKeys, iam:GetAccessKeyLastUsed, iam:UpdateAccessKey, and iam:DeleteAccessKey.

  • Clear documentation or automation mechanism to update credentials in dependent systems.

Test Plan:
Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to IAM → Users.

  3. Select a user and open the Security credentials tab.

  4. Review Access keys and check the Last rotated or Created on date.

  5. Identify access keys older than 90 days that are still active.

  6. If such keys exist, the account is non-compliant.
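The same check as an added script (example code, not part of this benchmark page), using the iam:ListUsers and iam:ListAccessKeys permissions listed under Pre-Requisite; the audit logic works on the AccessKeyMetadata structure that ListAccessKeys returns, so it can be run offline on the constructed sample below, whose user names and key IDs are placeholders.

```python
"""Flag active IAM access keys older than 90 days (added example, not the benchmark's own tooling)."""
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE_DAYS = 90  # the benchmark threshold: keys rotated every 90 days or less are compliant


def find_stale_keys(user_keys, now=None, max_age_days=MAX_KEY_AGE_DAYS):
    """user_keys maps a user name to its AccessKeyMetadata list (AccessKeyId, Status, CreateDate).

    Returns (user, key_id, age_in_days) for every *Active* key older than max_age_days.
    Inactive keys cannot be used to call AWS, so they are not findings here, though the
    Implementation Plan still expects them to be deleted once nothing depends on them.
    """
    now = now or datetime.now(timezone.utc)  # CreateDate from boto3 is timezone-aware UTC
    findings = []
    for user, keys in user_keys.items():
        for key in keys:
            if key["Status"] != "Active":
                continue
            age_days = (now - key["CreateDate"]).days
            if age_days > max_age_days:
                findings.append((user, key["AccessKeyId"], age_days))
    return findings


def collect_keys_from_aws():
    """Live collection with boto3 (imported lazily so the audit logic above runs without it).

    An IAM user can hold at most two access keys, so list_access_keys needs no pagination;
    list_users does, hence the paginator.
    """
    import boto3
    iam = boto3.client("iam")
    user_keys = {}
    for page in iam.get_paginator("list_users").paginate():
        for user in page["Users"]:
            name = user["UserName"]
            user_keys[name] = iam.list_access_keys(UserName=name)["AccessKeyMetadata"]
    return user_keys


# Constructed sample data: placeholder user names and key IDs, not real credentials.
SAMPLE_NOW = datetime(2024, 6, 30, tzinfo=timezone.utc)
SAMPLE_KEYS = {
    "deploy-bot": [{"AccessKeyId": "AKIAPLACEHOLDER00001", "Status": "Active",
                    "CreateDate": SAMPLE_NOW - timedelta(days=120)}],   # stale: finding
    "alice": [{"AccessKeyId": "AKIAPLACEHOLDER00002", "Status": "Active",
               "CreateDate": SAMPLE_NOW - timedelta(days=30)},          # fresh
              {"AccessKeyId": "AKIAPLACEHOLDER00003", "Status": "Inactive",
               "CreateDate": SAMPLE_NOW - timedelta(days=400)}],        # old but disabled
    "bob": [{"AccessKeyId": "AKIAPLACEHOLDER00004", "Status": "Active",
             "CreateDate": SAMPLE_NOW - timedelta(days=90)}],           # exactly 90 days: compliant
}

if __name__ == "__main__":
    for user, key_id, age in find_stale_keys(SAMPLE_KEYS, now=SAMPLE_NOW):
        print(f"NON-COMPLIANT user={user} key={key_id} age={age}d")
```

To audit a real account, replace SAMPLE_KEYS with collect_keys_from_aws() and drop the fixed `now`.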

Implementation Plan:
Using AWS Console:

  1. Navigate to IAM → Users → [User Name] → Security credentials.

  2. Identify the active access key older than 90 days.

  3. Choose Create access key to generate a new key pair (Access Key ID and Secret Access Key).

  4. Update all applications, scripts, or tools that use the old key with the new credentials.

  5. After verifying that the new key works correctly, disable the old key by selecting Make inactive.

  6. Once confirmed that no dependencies rely on the old key, delete it.

  7. Repeat this process for all IAM users.

Backout Plan:

  1. If a newly rotated key causes application failures, temporarily re-enable the previous key.

  2. Verify and correct credential configurations in dependent systems.

  3. Disable and delete the old key once successful access is restored.

References: