AWS Developer Blog

IAM Credential Rotation (Access Key Management for .NET Applications – Part 3)

by Milind Gokarn | on | in .NET | Permalink | Comments |  Share

In the previous post in this series, we talked about using IAM users instead of using the root access keys of your AWS account. In this post, we’ll talk about another security best practice, regularly rotating your credentials.

Instead of rotating credentials only when keys are compromised, you should regularly rotate your credentials. If you follow this approach, you’ll have a process in place that takes care of rotating keys if they are compromised, instead of figuring it out when the event takes place. You’ll also have some degree of protection against keys that are compromised without your knowledge, as those keys will only be valid for a certain period, before they are rotated.

We use the following steps for access key rotation to minimize any disruption to running applications:

  • Generate new access key
  • Securely distribute the access key to your applications
  • Disable the old access key
  • Make sure that your applications work with the new key
  • Delete the old access key

Here is the code that performs some of these steps. How you implement distributing the key to your applications and testing the applications is specific to your solution.

var iamClient = new AmazonIdentityManagementServiceClient(ACCESS_KEY, SECRET_KEY, RegionEndpoint.USWest2);
            
// Generate new access key for the current account
var accessKey = iamClient.CreateAccessKey().AccessKey;
	
//
// Store the access key ID (accessKey.AccessKeyId) and 
// secret access key (accessKey.SecretAccessKey)
// securely and distribute it to your applications.
//

// Disable the old access key
iamClient.UpdateAccessKey(new UpdateAccessKeyRequest
{
  AccessKeyId = OLD_ACCESS_KEY_ID,
  Status = StatusType.Inactive
});

// 
// Confirm that your applications pick the new access key
// and work properly using the new key.
//

// Delete the old access key.
iamClient.DeleteAccessKey(new DeleteAccessKeyRequest
{
  AccessKeyId = OLD_ACCESS_KEY_ID
});

If your applications don’t work properly after switching to the new access key, you can always reactivate the old access key (from inactive state) and switch back to it. Only delete the old access keys after testing your applications as they cannot be restored once deleted.