What "Rotating" IAM Access Keys really means in AWS…
Looking for that "Rotate Access Key" button in your IAM console? You won't see it anywhere because technically, that button does not exist at all!
Rotating an IAM access key simply means that you have to delete the access key of an IAM user and then create another access key. You will then use this new access key to replace the old access key that you are using on your AWS CLI, AWS SDK or from anywhere.
Just keep in mind that you should also update all of the applications that are using your access keys. If you don't, those applications will start failing. For example, if you delete the access key that your AWS CLI is currently configured with, you will get a "The AWS Access Key Id you provided does not exist in our records" error, just as shown below:
If your application is using S3 pre-signed URLs, then your clients might encounter this error even if the expiry date is still valid.
Basically, a presigned S3 URL has an AWSAccessKeyId field which is mapped to the access key of an IAM user. "Rotating" your access keys means that you delete your existing access key and create a new one. This means that if you delete your current access key in IAM, then your existing S3 presigned URL will not work anymore, even if it has a valid expiration date.
You can try it out yourself. Say you have a bucket named sinigang-adobo-tinapa which contains an object named aws.png. Your AWS CLI configuration uses an access key with the ID AKIA4IDWICISSCVRHLPSWA. You can generate a presigned URL with this AWS CLI command:
aws s3 presign s3://sinigang-adobo-tinapa/aws.png
This will return a presigned URL with this format:
If your access key is still active, then the generated presigned URL will allow anyone to view or download the aws.png object from a browser. However, the presigned URL stops working the moment you delete that access key in IAM. You will get the following error:
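Before you delete an access key, it is worth knowing which presigned URLs you have handed out are signed with it, because an URL whose signing key is gone fails with the error above even though its expiry is still in the future. The following is an added example (not code from the original article) that audits a list of presigned S3 URLs offline using only the standard library: it pulls the access key ID out of the URL (SigV2 URLs carry it in AWSAccessKeyId, as the article shows; SigV4 URLs, which the current AWS CLI emits, carry it as the first field of X-Amz-Credential), computes the expiry, and classifies each URL as "ok", "expired" or "orphaned" (unexpired but bound to a key that will no longer exist). The sample URLs, the second key ID AKIAEXAMPLENEWKEY0001 and the "Signature" values are constructed for the example; the bucket, object and key AKIA4IDWICISSCVRHLPSWA are the ones from the article.

```python
"""Audit S3 presigned URLs against the access keys that will survive a rotation.

Added example: standard library only, constructed sample data, runs offline.
"""
from datetime import datetime, timedelta, timezone
from typing import Optional, Set
from urllib.parse import parse_qs, urlparse

# Constructed sample URLs. The SigV2 form is the one the article describes
# (AWSAccessKeyId=...); the SigV4 form is what the current CLI's `aws s3 presign`
# produces. Signatures are placeholders, not real HMACs.
OLD_KEY = "AKIA4IDWICISSCVRHLPSWA"          # key from the article, about to be deleted
NEW_KEY = "AKIAEXAMPLENEWKEY0001"           # hypothetical replacement key

SIGV2_URL = (
    "https://sinigang-adobo-tinapa.s3.amazonaws.com/aws.png"
    f"?AWSAccessKeyId={OLD_KEY}&Signature=CONSTRUCTED&Expires=1893456000"  # 2030-01-01T00:00:00Z
)
SIGV4_URL = (
    "https://sinigang-adobo-tinapa.s3.amazonaws.com/aws.png"
    "?X-Amz-Algorithm=AWS4-HMAC-SHA256"
    f"&X-Amz-Credential={NEW_KEY}%2F20250101%2Fus-east-1%2Fs3%2Faws4_request"
    "&X-Amz-Date=20250101T000000Z&X-Amz-Expires=3600"
    "&X-Amz-SignedHeaders=host&X-Amz-Signature=CONSTRUCTED"
)


def presigned_key_id(url: str) -> Optional[str]:
    """Return the IAM access key ID a presigned S3 URL is signed with, or None."""
    qs = parse_qs(urlparse(url).query)
    if "AWSAccessKeyId" in qs:                      # SigV2 query-string auth
        return qs["AWSAccessKeyId"][0]
    if "X-Amz-Credential" in qs:                    # SigV4: "<key id>/<date>/<region>/s3/aws4_request"
        return qs["X-Amz-Credential"][0].split("/")[0]
    return None


def presigned_expiry(url: str) -> Optional[datetime]:
    """Return the UTC instant at which the URL's own expiry lapses, or None."""
    qs = parse_qs(urlparse(url).query)
    if "Expires" in qs:                             # SigV2: absolute Unix timestamp
        return datetime.fromtimestamp(int(qs["Expires"][0]), tz=timezone.utc)
    if "X-Amz-Date" in qs and "X-Amz-Expires" in qs:  # SigV4: signing time + lifetime in seconds
        start = datetime.strptime(qs["X-Amz-Date"][0], "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
        return start + timedelta(seconds=int(qs["X-Amz-Expires"][0]))
    return None


def audit(url: str, active_keys: Set[str], now: datetime) -> str:
    """Classify a presigned URL relative to the keys that will remain active.

    "orphaned" is the case the article warns about: the expiry is still valid,
    but the key the URL was signed with is not in the surviving set, so S3 will
    reject it with "The AWS Access Key Id you provided does not exist in our records".
    """
    key, expiry = presigned_key_id(url), presigned_expiry(url)
    if key is None or expiry is None:
        return "unparseable"
    if expiry <= now:
        return "expired"
    if key not in active_keys:
        return "orphaned"
    return "ok"


if __name__ == "__main__":
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)
    # After rotation only NEW_KEY remains, so the SigV2 URL above is orphaned
    # despite expiring in 2030, while the SigV4 URL signed with NEW_KEY is fine.
    for u in (SIGV2_URL, SIGV4_URL):
        print(presigned_key_id(u), presigned_expiry(u).isoformat(), audit(u, {NEW_KEY}, now))
```

Run it on the URLs you have actually issued (for example, from application logs) with the set of key IDs you intend to keep; any "orphaned" result is a URL that must be reissued after the rotation, or a reason to keep the old key active until it expires.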
Reference:
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html
Enterprise Solutions Architect II at Amazon Web Services (AWS) | 14x AWS Certified | Security+ & Linux+ | Terraform | Certified in Cybersecurity | ISC2 Active Member | AWS Golden Jacket Recipient
5 years
On a related note, AWS strongly recommends not using the root account to use AWS services, but creating a user in the root account and using the new user's account to operate on the services. It's best practice to delete or disable the access keys in the root account.
Leader | AWS Certified Professional Cloud Solution Architect | Cybersecurity Specialist | Certified Multi Cloud Architect | Oracle Certified Generative AI Professional
5 years
Lol
Founding Partner @ West Loop Strategy | Cloud and AI & Analytics Services Partner to AWS
5 years
Mark Singley
Technical Writer II
5 years
Thanks for the info pre!