Improve your security and enforce AWS Access Key rotation for IAM Users

Best practice is to avoid AWS Access Keys, since they grant long-term access, and to use IAM roles instead. Unfortunately there are times that require Access Keys and granting users programmatic access. The problem is that AWS doesn't offer a way to enforce rotation of Access Keys, so they can become difficult to manage. To solve this, I've created a Lambda which notifies users via SES of upcoming key expiration and expires any keys that are older than a predetermined number of days.

One very important distinction to make is that we only want this to apply to user access keys. Often there are service accounts that use Access Keys as well; these are handled manually, since expiring their keys could break the functionality of the underlying application.

The approach I took to differentiate users from service accounts was to create an IAM group and assign the users to it. The Lambda queries this group and only modifies access keys for members of the group. Members of the group are allowed to create and delete their own access keys, but they cannot modify the status of any existing key. This prevents them from extending the use of a key past the expiration period.

The IAM group has the following policy attached, which allows the users to manage their own access keys and passwords.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "iam:CreateAccessKey",
        "iam:DeleteAccessKey",
        "iam:GetAccessKeyLastUsed",
        "iam:ListAccessKeys",
        "iam:*LoginProfile"
      ],
      "Resource": "arn:aws:iam::123456789:user/${aws:username}",
      "Effect": "Allow"
    },
    {
      "Action": [
        "iam:ListAccount*",
        "iam:GetAccountSummary",
        "iam:GetAccountPasswordPolicy",
        "iam:ListUsers"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}

The Lambda emails users daily via AWS SES, starting 7 days before expiration. This process relies on each AWS username matching the user's email alias.

Once a key reaches its expiration time, the Lambda updates the key status to Inactive. It does not delete the key, since deletion is irreversible. Setting the key status to Inactive allows an administrator to override the status and assist with any troubleshooting issues that may arise. Users themselves are limited to creating and deleting their own keys and cannot set a key's status back to Active, which prevents them from continuing to use a key beyond its expiration date.

The code for the Lambda can be found in my GitHub repo, Lambda-IAM-key-rotation.
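As an added illustration (my own example, not the code from the Lambda-IAM-key-rotation repo), here is a minimal Python/boto3 Lambda following the workflow above: it lists the members of the rotation group, emails users whose active keys expire within 7 days, and sets keys past the age limit to Inactive rather than deleting them. The group name, the 90-day limit, the mail domain and the sender address are assumptions; the IAM and SES calls are the real boto3 APIs.

```python
from datetime import datetime, timedelta, timezone

GROUP_NAME = "key-rotation-users"  # assumption: the IAM group that opts users in
MAX_KEY_AGE_DAYS = 90              # assumption: rotation period the Lambda enforces
WARN_DAYS = 7                      # from the post: daily reminders start 7 days before expiry
EMAIL_DOMAIN = "example.com"       # assumption: IAM username == mailbox alias at this domain


def classify_key(create_date, now, max_age_days=MAX_KEY_AGE_DAYS, warn_days=WARN_DAYS):
    """Return ('expire' | 'warn' | 'ok', days_until_expiry) for one access key."""
    expires_at = create_date + timedelta(days=max_age_days)
    days_left = (expires_at - now).days
    if now >= expires_at:
        return "expire", days_left
    if days_left <= warn_days:
        return "warn", days_left
    return "ok", days_left


def plan_actions(users_keys, now):
    """{user: [(key_id, status, create_date), ...]} -> [(action, user, key_id, days)].
    Pure function, so the rotation policy can be unit tested without touching AWS."""
    actions = []
    for user, keys in users_keys.items():
        for key_id, status, created in keys:
            if status != "Active":
                continue  # already-inactive keys are left alone for an administrator
            verdict, days = classify_key(created, now)
            if verdict == "expire":
                actions.append(("deactivate", user, key_id, days))
            elif verdict == "warn":
                actions.append(("notify", user, key_id, days))
    return actions


def lambda_handler(event, context):
    import boto3  # imported lazily so plan_actions() is testable without boto3/AWS
    iam, ses = boto3.client("iam"), boto3.client("ses")
    now = datetime.now(timezone.utc)
    users_keys = {}
    # Only members of the rotation group are touched; service accounts stay out of it.
    for page in iam.get_paginator("get_group").paginate(GroupName=GROUP_NAME):
        for user in page["Users"]:
            meta = iam.list_access_keys(UserName=user["UserName"])["AccessKeyMetadata"]
            users_keys[user["UserName"]] = [(k["AccessKeyId"], k["Status"], k["CreateDate"]) for k in meta]
    for action, user, key_id, days in plan_actions(users_keys, now):
        if action == "deactivate":
            # Inactive, not deleted: an administrator can still re-enable it while troubleshooting.
            iam.update_access_key(UserName=user, AccessKeyId=key_id, Status="Inactive")
            body = f"Access key {key_id} passed {MAX_KEY_AGE_DAYS} days and has been set to Inactive."
        else:
            body = f"Access key {key_id} expires in {days} day(s): create a new key and delete this one."
        ses.send_email(Source=f"aws-keys@{EMAIL_DOMAIN}", Destination={"ToAddresses": [f"{user}@{EMAIL_DOMAIN}"]},
                       Message={"Subject": {"Data": "AWS access key rotation"}, "Body": {"Text": {"Data": body}}})
```

The Lambda's execution role needs iam:GetGroup, iam:ListAccessKeys, iam:UpdateAccessKey and ses:SendEmail for this to run.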
2 thoughts on “Improve your security and enforce AWS Access Key rotation for IAM Users”

    • The process relies on the user names to match their email address. The policy shown needs to be updated with your AWS account ID.

      I did not provide information on the Lambda Role, which will need access to some AWS resources like IAM and SES.

      Ryan
