Stuart Scott

September 28, 2023

Why You Should Audit and Rotate Your AWS Credentials Periodically

In this post I want to discuss and highlight a security best practice that should be adopted as a part of your security processes and procedures, this being the need to audit and rotate your AWS security credentials on a periodic basis.

As we know, we live in a world where cyber security attacks are all too common, and although there are complex and advanced tools and services we can put in place to reduce the attack surface, we can also introduce and adopt some simple but very effective controls. One entry point attackers use to gain access to restricted environments is to comprise usernames and passwords, effectively a user’s credentials, which may then grant the attacker privileges to accomplish specific tasks. So what are some of the ways to reduce this risk?

By rotating our AWS credentials regularly we don’t leave our account open to long-lived credentials being used which can lead to unnecessary risks of being compromised. So getting into the habit of using short-term credentials ultimately makes the associated user accounts more secure.

Where possible when accessing AWS resources we should try to use temporary credentials, such as those provided by IAM roles, but this is not always feasible for every use case. As a result, there will be times, mainly for human user accounts, when you’ll be using credentials within your AWS account. These accounts should be audited to ensure that they are still being used and if so, highlight which credentials should be rotated to reduce your security risk. If a set of credentials is compromised it can lead to huge security breaches, denial of access to your legitimate accounts, wide-scale outages, and much more. In addition to performing regular audits, you should set a password expiration period within your IAM password policy to ensure that the user’s password credentials are forcibly changed on a regular basis.

AWS Credential Report

The AWS credential report provides a great way to audit all of the AWS credentials used within your account. This report can be generated via the AWS CLI, SDK, or the AWS Management Console, whichever method you use you will be able to obtain a report that will show the credential details of all your users. This credential report can be downloaded once every 4 hours as a *.CSV file allowing you to review and filter the data.

Using this report, you will be able to see information on the following for each user:

The username
The Amazon Resource Name (ARN) of the user
When the user was first created

If a password is enabled for the user
When the password was last used
When the password was last changed
When the password is due to be rotated (based on the password policy settings)
If access keys are enabled
If multi-factor authentication is configured for the user
If the user has active access keys
When the access keys were last used
When the access keys were last rotated
The region in which the access keys were used
The service used in conjunction with the access keys
If the user has a 2nd set of access keys (to make key rotation easier)
When the 2nd set of access keys was last used
When the 2nd set of access keys was last rotated
The region in which the 2nd set of access keys was used
The service used in conjunction with the 2nd set of access keys
If the user has an X.509 signing certificate
When the signing certificate was last rotated
If the user has a 2nd X.509 signing certificate

As you can see, this is quite an extensive list of parameters regarding the user credentials accessing your AWS account. Using this data will help you formulate an appropriate policy and process to rotate your credentials on a regular basis.

Looking at the following small sample taken from a credential report we can identify some key changes that should be made immediately:

User 2, and User 3 have not had their passwords changed for years as seen in the ‘password_last_changed’ column! This is a massive risk to have such long-lived credentials.

User 5 should also have their password changed as it has been a number of months since the last credential rotation.

User 2 hasn’t logged into the AWS account for approximately 3 years, so this user should have their password credentials removed altogether.

User 3 is still an active user as we can see that the last login was in the past few days, indicated by ‘password_last_used’, however their password has not been changed for 7 years!

To resolve these issues with long-lived credentials being used, the password policy should be edited to ensure that a password expiration is enabled and configured to at least a monthly rotation by setting a 30-day expiration.

Users 1 and 4 in this scenario do not have access to the AWS Management Console, however, we should also check access keys access, so let’s take a look:

Here we can see that User 1 and User 4 do have programmatic access using access keys as seen by the ‘TRUE’ value under ‘access_key_1_active’. However, their credentials have not been rotated for a number of years, again this poses a high security risk.

User 2 does have access keys, however, it is inactive as seen by the ‘FALSE’ value, also, their access keys have NEVER been used. As a result, these access keys should be deactivated and deleted, and programmatic access removed for this user.

User 3 has active access keys, but again they have not been used for years, so again these should be deleted.

User 5 does not have any access keys associated.

Rotating access keys

Much like passwords, access keys for users should also be regularly changed to ensure that you are not using long-lived credentials that could be compromised. These can be changed via the AWS CLI or the AWS Management Console, and instructions on how to achieve this can be found here.

AWS recommends that you rotate your access keys at least once every 90 days, and you can use the AWS credential report to identify users that should be addressed. You can alternatively use the ‘Access key age’ column within the IAM users dashboard. This will show the number of days since the oldest active access key was created.

Automatically rotate IAM user access keys at scale with AWS Organizations and AWS Secrets Manager

If you have hundreds or even thousands of users using programmatic access with access keys, then you’ll want to look at more of an automated approach to managing access key rotation. To understand how this can be achieved using AWS CloudFormation, Amazon CloudWatch Events, AWS Identity and Access Management, AWS Lambda, AWS Organizations, Amazon S3, Amazon SES, and AWS Secrets Manager take a look here.

Learn more about AWS Identity and access management

The AWS Identity and Access Management service, commonly known as IAM is one of the first AWS security services that you will come across when working with AWS. It’s the central service for administering user accounts allowing them to gain access to your AWS resources. From user creation, password policies, access policies, roles, groups, and more, understanding AWS IAM is essential if you are looking to enforce stringent security controls within your AWS accounts.
To get a solid understanding, and hands-on experience of all things to do with AWS IAM, take a look at our Learning Path: How to manage and secure your environment using AWS Identity & Access Management (IAM).

Upon completion, you will:

Understand what is meant by identity and access management and the difference between authentication, authorization, and access control
Learn the components of IAM as well as its reporting features
Learn the essentials of users within IAM
Understand how to create, manage, and configure users using security best practices
Learn how to manage multiple users with IAM User Groups
Gain a foundational understanding of IAM roles
Understand how to use AWS service roles to access AWS resources on your behalf
Learn how to use IAM user roles to grant temporary access to users
Understand how to use roles for federated access
Understand the different types of IAM policies you can expect to see when working within IAM
Learn how to implement policies effectively to build secure and robust access controls for your users
Learn how to read IAM policies to understand the permissions they are granting and restricting
Learn how policy evaluation logic operates
Understand the core principles of cross-account access using IAM

To learn more about our AWS learning paths and certifications or to schedule a demo

Why You Should Audit and Rotate Your AWS Credentials Periodically

AWS Credential Report

Rotating access keys

Automatically rotate IAM user access keys at scale with AWS Organizations and AWS Secrets Manager

Learn more about AWS Identity and access management

New AWS re:Invent Announcements: Dr. Werner Vogels Keynote

New AWS re:Invent Announcements: AWS Partner Keynote with Dr Ruba Borno

New AWS re:Invent Announcements: Swami Sivasubramanian Keynote

AWS re:Invent 2023: New announcements – Adam Selipsky Keynote

New AWS re:Invent Announcements: Monday Night Live with Peter DeSantis

AWS re:Invent 2023: Guide to Everything You Need to Know

AWS Announces New Certified Data Engineer – Associate (DEA-C01) Certification

How to Get Your AWS Certification With Cloud Academy

AWS News and Releases: Keeping Your Team Current

What is Cloud Migration? Strategy, Processes, Benefits & Risks

Advantages and Disadvantages of Microservices Architecture

Disadvantages of Cloud Computing