Automating AWS Access Key Rotation

The Problem

Rotating AWS access keys for all users is a tedious, manual task that takes up valuable time of IT departments. This recurring task involves team members contacting every user and helping them rotate their key to access AWS services via their API. This may be done by sending them written instructions, or forcing the rotation and granting them new keys. 

As you can imagine, this task can become a never-ending nightmare for IT departments as the list of users gets longer over time and becomes increasingly prone to human error. 

The Solution

Our solution utilized a fully customizable AWS Amazon CloudWatch event triggered over a regular period of time, which calls an AWS Lambda function. This lambda function looks for its required configuration parameters, as saved in AWS System Manager. From here,  it checks over all the AWS IAM users marked for this process.

Each marked user gets an “access key” that’s age-compared to the configured parameter. If the age (in days) of the access key is older than the parameter, the access key will be rotated.

When a new key is created, its value is saved in the AWS Secret supplied to the user. The user receives a notification indicating a key has been rotated and the older key is disabled, as well as instructions on how to retrieve the newly created one.

The Results

The main benefit of this process is clear: security. For instance, even if the access key is leaked, it will only be effective and usable for breaching the environment until the next rotation occurs. The recommended frequency is 90 days, but the more frequently you perform rotation, the lower your exposure will be.

Ultimately, AWS access key rotation is a best practice control for companies looking to comply with CIS Benchmarks. ⁽¹⁾

Besides the security benefits, automating the process of key rotation helps:

• Perform the rotation more frequently
• Be confident the rotation has taken place, since automation is more reliable than a person charged with doing it manually
• Minimize the exposure of humans to the credentials in plaintext (as long as you make sure the workload doesn’t do anything careless, such as logging credentials)

---

Technology stack:

Our solution takes advantage of a serverless implementation based on the following services:

• Amazon EventBridge
• AWS Lambda ⁽²⁾
• AWS Systems Manager – Parameter Store
• Amazon Simple Notification Service (SNS)
• AWS Identity and Access Management (IAM)
• AWS Secrets Manager

References:

(1) – CIS AWS Foundations Benchmark v1.2.0

(2) – Python code for the lambda function

‍