Cloud adoption is going on everywhere. One of the first things users learn when onboarding into their shiny new AWS cloud account is access controls! To consume cloud with AWS cli, access keys based authentication is a very popular method. We can think of the secret key as a username and the Access key ID as a password. Access keys are used to sign programmatic requests made to AWS by AWS SDKs, REST, or Query API operations. While it’s very convenient to set up, anyone with the Secret Key and Access Key ID pair could gain access to the AWS account, including the billing information. Thus, as a matter of security, credentials should be regularly rotated the same way we regularly rotate passwords for other accounts.
Why should Access Keys be rotated?
Anyone with unauthorized access to IAM access keys can gain access to any AWS resource just like the account owner would, so inadvertent access using those credentials could pose a high-security risk to the business in many ways. In a recent case, researchers identified a major security risk where 1,859 apps across Android and iOS contained hard-coded Amazon Web Services (AWS) credentials. In another case, over 3200 apps leaked Twitter’s API keys. Such instances call for immediate action as they violate security principles.
For our AWS accounts, it is important to find and disable any publicly exposed IAM credentials. For example, a novice user in an organization could publish their IAM access key pair to a public repository such as GitHub and invite a possible security catastrophe. Unauthorized activity or misuse can result in excessive charges and violate the AWS Customer Agreement.
As suggested by the AWS Security Best Practices, the access keys should be rotated periodically after a recommended 90 days period. This is crucial as it shortens the period for which an access key is active and therefore reduces the business impact if they are compromised.
Ensuring that all the IAM user access keys are rotated every quarter alleviates the likelihood of accidental exposures and protects the AWS resources against unauthorized access in situations like- an employee leaving an organization or accidental exposure of keys in database stores.
Additionally, this practice is in accordance with the following compliance standards- HIPAA, APRA, MAS, NIST4.
How to Rotate Access Keys?
Here are 4 steps that can be used to rotate AWS Acess Keys-
- Create a second access key in addition to the one in use-
aws iam create-access-key — user-name <user name>
2. Change the old key’s status to inactive-
aws iam update-access-key — access-key-id <id> — status Inactive
3. Check if the old key’s status was changed to inactive-
aws iam list-access-keys — user-name <user name>
4. Validate that the new access key is working and then delete the old key-
aws iam delete-access-key — access-key-id <id>
Automating AWS Access Key Rotation with unSkript
Although security breaches caused by misused Access Keys may be inevitable, they are definitely preventable and curable if quick action is taken.
As your organization scales and the number of users accessing your AWS account resources grow, it may become difficult to manually do this process or even convince your employees to carry this out within a defined period.
unSkript provides an open-source runbook to perform Access Key rotation and standardize this automation as a part of your organization’s security practices.
You can try it out on our open-source Awesome-CloudOps-Automation repository on Github.