Tag: Key Rotation


How to Rotate Access Keys for IAM Users

by Ben Brauer | in Best Practices, How-to guides

Changing access keys (which consist of an access key ID and a secret access key) on a regular schedule is a well-known security best practice because it shortens the period an access key is active and therefore reduces the business impact if a key is compromised. Having an established process that is run regularly also ensures the operational steps around key rotation are verified, so changing a key is never a scary step.

In an earlier post, we described Identity and Access Management (IAM) roles for Amazon EC2. If you run applications on EC2 that need access to AWS services, we strongly recommend using this feature. Roles use temporary security credentials that auto-expire and auto-renew, so you don’t have to worry about access key rotation – AWS does it for you. However, if you are running applications somewhere other than on EC2, you should add access key rotation to your application management process. In this post, Cristian Ilac, software development manager on the IAM team, will walk you through the steps to rotate access keys for an IAM user.

A Safer Way to Distribute AWS Credentials to EC2

by Ben Brauer | in Best Practices, How-to guides

If you have applications running on EC2 that also access other AWS services like Amazon S3 or Amazon DynamoDB, then these applications require credentials on the EC2 instance. You can hard-code AWS access keys into your application, but you’re then faced with the added responsibility of distributing them to the instance securely and the management headache of regularly rotating them across large, autoscaling fleets.

This week’s guest blogger, Will Kruse, Security Engineer on the AWS Identity and Access Management (IAM) team, will explain how you can easily and securely manage your AWS access keys using a feature called IAM roles for EC2. He’ll also provide sample commands that let you locate any previously hard-coded secret keys.