Remediation
Perform the following to rotate access keys:
From Console
- Go to Management Console.
- Click on Users.
- Click on Security Credentials.
- As an Administrator:
  - Click on Make Inactive for keys that have not been rotated in 90 Days.
- As an IAM User:
  - Click on Make Inactive or Delete for keys which have not been rotated or used in 90 Days.
- Click on Create Access Key.
- Update programmatic call with new Access Key credentials.
From Command Line
- While the first access key is still active, create a second access key, which is active by default. Run the following command:
aws iam create-access-key
At this point, the user has two active access keys.
- Update all applications and tools to use the new access key.
- Determine whether the first access key is still in use by using this command:
aws iam get-access-key-last-used
One approach is to wait several days and then check the old access key for any use before proceeding.
- Even if Step 3 indicates no use of the old key, it is recommended that you do not immediately delete the first access key. Instead, change the state of the first access key to Inactive using this command:
aws iam update-access-key
- Use only the new access key to confirm that your applications are working. Any applications and tools that still use the original access key will stop working at this point because they no longer have access to AWS resources. If you find such an application or tool, you can switch its state back to Active to re-enable the first access key. Then return to Step 2 and update this application to use the new key.
- After you wait some period of time to ensure that all applications and tools have been updated, you can delete the first access key with this command:
aws iam delete-access-key
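As an added example (not part of the benchmark text or of the AWS CLI), the following Python script applies the decision rules of the command-line procedure above to the JSON that aws iam list-access-keys returns, together with the LastUsedDate values from aws iam get-access-key-last-used, and emits the next command for each stale key. The user name, key IDs and timestamps are constructed sample data, and the 7-day "recently used" window is an assumption.

```python
import json
from datetime import datetime

MAX_KEY_AGE_DAYS = 90     # rotation threshold from the benchmark
RECENT_USE_DAYS = 7       # assumption: use within this window means a caller still depends on the key

# Constructed sample of `aws iam list-access-keys --user-name alice` output (fake key IDs).
SAMPLE_LIST_ACCESS_KEYS = json.dumps({"AccessKeyMetadata": [
    {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLE0000OLD1",
     "Status": "Active", "CreateDate": "2023-01-10T08:15:00Z"},
    {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLE0000OLD2",
     "Status": "Inactive", "CreateDate": "2022-11-01T09:00:00Z"},
    {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLE0000NEW1",
     "Status": "Active", "CreateDate": "2023-09-01T12:00:00Z"},
]})
# Constructed LastUsedDate per key, as reported by `aws iam get-access-key-last-used`
# (None means the key has never been used).
SAMPLE_LAST_USED = {"AKIAEXAMPLE0000OLD1": "2023-09-20T17:30:00Z",
                    "AKIAEXAMPLE0000OLD2": None,
                    "AKIAEXAMPLE0000NEW1": "2023-09-21T01:00:00Z"}

def parse_aws_time(stamp):
    """Parse the ISO-8601 timestamps the CLI prints (trailing Z = UTC)."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))

def plan_rotation(list_output, last_used, now_stamp, max_age_days=MAX_KEY_AGE_DAYS):
    """Return (access_key_id, action, command) for every key older than max_age_days.

    Keys still within the threshold are skipped.  command is None when the next
    step is manual (update the callers, Step 2) rather than a CLI call."""
    now = parse_aws_time(now_stamp)
    plan = []
    for key in json.loads(list_output)["AccessKeyMetadata"]:
        if (now - parse_aws_time(key["CreateDate"])).days <= max_age_days:
            continue
        base = f"--user-name {key['UserName']} --access-key-id {key['AccessKeyId']}"
        used = last_used.get(key["AccessKeyId"])
        recently_used = used is not None and (now - parse_aws_time(used)).days < RECENT_USE_DAYS
        if key["Status"] != "Active":
            # Step 6: a stale key already set Inactive can be deleted.
            plan.append((key["AccessKeyId"], "delete", f"aws iam delete-access-key {base}"))
        elif recently_used:
            # Step 3 found recent use: something still calls with this key, so go back to Step 2.
            plan.append((key["AccessKeyId"], "update_callers_first", None))
        else:
            # Step 4: deactivate rather than delete, so it can be re-enabled if a caller breaks.
            plan.append((key["AccessKeyId"], "deactivate", f"aws iam update-access-key {base} --status Inactive"))
    return plan

if __name__ == "__main__":
    for key_id, action, cmd in plan_rotation(SAMPLE_LIST_ACCESS_KEYS, SAMPLE_LAST_USED, "2023-09-22T00:00:00Z"):
        print(key_id, action, cmd or "(update applications to the new key, then re-run)")
```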