Updating AWS access keys using awscli
It’s a security best practice to change AWS access and secret keys on a regular basis. It shortens the period an access key is active and therefore reduces the business impact if they are compromised.
Prerequisites -
- aws-cli should be installed
Installing it is a prerequisite for this article, but let me quickly cover that part here. I will be installing aws-cli on CentOS 7.
Download the aws-cli installer -
[root@kmaster-rj ~]# curl "https://s3.amazonaws.com/aws-cli/awscli-bundle.zip" -o "awscli-bundle.zip"
Unzip the file downloaded -
[root@kmaster-rj ~]# unzip awscli-bundle.zip
Install it -
[root@kmaster-rj ~]# sudo ./awscli-bundle/install -i /usr/local/aws -b /usr/local/bin/aws
Verify the aws-cli version -
[root@kmaster-rj ~]# aws --version
aws-cli/1.18.188 Python/2.7.5 Linux/3.10.0-1127.el7.x86_64 botocore/1.19.28
Steps to rotate AWS access keys
Step 1 — configure AWS profile
Enter the access key and secret key for the user when prompted; keep the default for the region and output format.
Command:
aws configure --profile <your-local-profile-name>
For example -
[root@kmaster-rj ~]# aws configure --profile rakeshrhcss_user_config
AWS Access Key ID [None]: XXABXXXXXXXXXXCD
AWS Secret Access Key [None]: XXXCCCXXXXXXXXXXXXXDDD
Default region name [None]:
Default output format [None]:
Step 2 — List existing keys
Command:
aws iam list-access-keys --user-name <your-iam-user-name> --profile <your-local-profile-name>
Example:
[root@kmaster-rj ~]# aws iam list-access-keys --user-name service_account@rakeshrhcss_user --profile rakeshrhcss_user_config
{
"AccessKeyMetadata": [
{
"UserName": "service_account@rakeshrhcss_user",
"Status": "Active",
"CreateDate": "2020-09-02T00:59:16Z",
"AccessKeyId": "XXABXXXXXXXXXXCD"
}
]
}
Step 3 — Create a new access key
Command:
aws iam create-access-key --user-name <your-iam-user-name> --profile <your-local-profile-name>
Example:
[root@kmaster-rj ~]# aws iam create-access-key --user-name service_account@rakeshrhcss_user --profile rakeshrhcss_user_config
{
"AccessKey": {
"UserName": "service_account@rakeshrhcss_user",
"Status": "Active",
"CreateDate": "2020-12-03T13:58:01Z",
"SecretAccessKey": "0XXXCCCCHGDGFSKJSegh7LKHHHH",
"AccessKeyId": "AAACHJDKHKKKKDDDD"
}
}
Step 4 — List the access keys again
You should now see TWO access keys listed for your user.
Command:
aws iam list-access-keys --user-name <your-iam-user-name> --profile <your-local-profile-name>
Example:
[root@kmaster-rj ~]# aws iam list-access-keys --user-name service_account@rakeshrhcss_user --profile rakeshrhcss_user_config
{
"AccessKeyMetadata": [
{
"UserName": "service_account@rakeshrhcss_user",
"Status": "Active",
"CreateDate": "2020-09-02T00:59:16Z",
"AccessKeyId": "XXABXXXXXXXXXXCD"
},
{
"UserName": "service_account@rakeshrhcss_user",
"Status": "Active",
"CreateDate": "2020-12-03T13:58:01Z",
"AccessKeyId": "AAACHJDKHKKKKDDDD"
}
]
}
Step 5 — Set previous access key as inactive
Command:
aws iam update-access-key --access-key-id <old-access-key> --status Inactive --user-name <your-iam-user-name> --profile <your-local-profile-name>
Example:
[root@kmaster-rj ~]# aws iam update-access-key --access-key-id XXABXXXXXXXXXXCD --status Inactive --user-name service_account@rakeshrhcss_user --profile rakeshrhcss_user_config
Step 6 — Configure AWS profile again with new keys
[root@kmaster-rj ~]# aws configure --profile rakeshrhcss_user_config
AWS Access Key ID [****************XXCD]: AAACHJDKHKKKKDDDD
AWS Secret Access Key [****************XDDD]: 0XXXCCCCHGDGFSKJSegh7LKHHHH
Default region name [None]:
Default output format [None]:
Step 7 — Delete the old access key
Command:
aws iam delete-access-key --access-key-id <old-access-key> --user-name <your-iam-user-name> --profile <your-local-profile-name>
Example -
[root@kmaster-rj ~]# aws iam delete-access-key --access-key-id XXABXXXXXXXXXXCD --user-name service_account@rakeshrhcss_user --profile rakeshrhcss_user_config
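The seven steps above, collected into one non-interactive script. This is an added example, not the article's own commands: it uses the same aws-cli the article installs but replaces the interactive aws configure with aws configure set, and reads key IDs with the CLI's --query/--output text options instead of eyeballing the JSON. It goes slightly beyond the article in two places a practitioner would want: it refuses to start when the user already has two keys (IAM allows at most two access keys per user, so create-access-key would fail), and it calls aws sts get-caller-identity with the new key before deleting the old one, so a broken profile leaves the old key merely inactive and re-enableable. The user and profile names are taken from the article's examples; the function name rotate_access_key is my own.

```shell
#!/bin/sh
# Added example (not from the original article): steps 1-7 as one rotation.
# Usage: rotate_access_key <iam-user-name> <local-profile-name>
set -eu

# Steps 2 and 4: print the access key IDs attached to the user, space separated.
list_key_ids() {
    aws iam list-access-keys --user-name "$1" --profile "$2" \
        --query 'AccessKeyMetadata[].AccessKeyId' --output text
}

# Guard: IAM permits two keys per user, so rotation needs exactly one in place.
# Prints the single existing key ID, or fails when there are 0 or 2+ keys.
old_key_id() {
    ids=$(list_key_ids "$1" "$2")
    set -- $ids
    [ "$#" -eq 1 ] || { echo "expected exactly one existing key, found $#" >&2; return 1; }
    echo "$1"
}

rotate_access_key() {
    user=$1
    profile=$2
    old=$(old_key_id "$user" "$profile")

    # Step 3: create the replacement key; the query yields "ID<TAB>SECRET".
    new=$(aws iam create-access-key --user-name "$user" --profile "$profile" \
        --query 'AccessKey.[AccessKeyId,SecretAccessKey]' --output text)
    set -- $new
    new_id=$1
    new_secret=$2

    # Step 5: deactivate (do not yet delete) the old key so it can be restored.
    aws iam update-access-key --access-key-id "$old" --status Inactive \
        --user-name "$user" --profile "$profile"

    # Step 6: point the local profile at the new key, non-interactively.
    aws configure set aws_access_key_id "$new_id" --profile "$profile"
    aws configure set aws_secret_access_key "$new_secret" --profile "$profile"

    # Added check: the new key must authenticate before the old one is destroyed.
    # set -e aborts here on failure, leaving the old key Inactive, not deleted.
    aws sts get-caller-identity --profile "$profile" >/dev/null

    # Step 7: remove the old key and report the ID now in use.
    aws iam delete-access-key --access-key-id "$old" --user-name "$user" --profile "$profile"
    echo "$new_id"
}

# Run only when invoked with both arguments, so the functions can also be sourced.
if [ "$#" -eq 2 ]; then
    rotate_access_key "$1" "$2"
fi
```

IAM is eventually consistent, so the sts call can be rejected for a few seconds after the key is created; if that happens the script stops with the old key still present but inactive, and re-running update-access-key with --status Active restores the previous state.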
Conclusion:
If you are using EC2 instances, use IAM roles so that the credentials are rotated automatically. If you are not using EC2, rotate access keys manually on a periodic basis as a security best practice.
That’s all!
Hope you like the article. Please let me know your feedback in the response section.