Kata 3: Review IAM password and access key credentials

This kata shows how to review your AWS IAM credentials. You will learn how to determine which credentials are in use and which need rotation.

You can reduce the impact compromised credentials have on a system by rotating credentials frequently. IAM user password expiration policies can enforce rotation policies in AWS, but access keys cannot automatically be expired.

Open the latest k9 resource access audit spreadsheet from the S3 bucket containing your reports (kata 0).

Go to the Principals worksheet and enable filtering for all the columns.

k9 Principals report focused on long-lived IAM credentials

The Principal Last Used column contains time of the most recent credential use event:

  • Password Last Used
  • Access Key 1 Last Used
  • Access Key 2 Last Used

Each of these credentials has a corresponding Last Rotated and State column. The State column indicates whether the credential is Active, Inactive, or not provisioned (blank).

Identify Long-Lived IAM Passwords

IAM user passwords authenticate access to the AWS web console. Identify long-lived IAM passwords by sorting the Password Last Rotated column (descending):

IAM users sorted by last password rotation

The top entries represent the oldest passwords in the AWS account. AWS password policy can be configured to expire passwords after a specified number of days. The State column reports whether the user’s password is active or not.

Identify IAM Access Keys to Rotate

Suppose your organization requires API access keys to be rotated every 90 days. Unfortunately, AWS access keys cannot be expired via policy.  You can show the list of keys that should be rotated by filtering Access Key 1 Last Rotated by a condition like ‘Date is before exact date: today()-90’:

That filter produces:

API Access Keys Older than 90 days

The State column indicates whether an access key is active, inactive, or not provisioned (blank).

Repeat this process for Access Key 2 Last Rotated to identify more keys in need of rotation.

In the example above, the s3wipe user has a single inactive access key which is in need of rotation.

Establish a process for rotating access keys before deactivating or deleting them.  Applications generally require a configuration update and deployment to adopt new credentials.  A common key rotation process is to:

  1. Provision a new key
  2. Configure & deploy the application with the updated key
  3. Deactivate the old key
  4. After 24 hours of successful operation, delete the old key

Review Questions

Ask these questions during your review:

Q. Are passwords being rotated less frequently than expected?

Review the password rotation policy for the AWS account.

Q. Does this principal need two access keys?

A redundant credential needs to be secured just the same as a primary credential. Generally applications only need a second active credential during the rotation process.

Q. Should credentials that haven’t been used since rotation be revoked?

If a principal isn’t actively using a credential, then they may not need access via Console, API, or at all.


Once you have completed this kata, you should be able to review AWS IAM credentials and identify:

  • All long-lived IAM credentials in an account
  • Which credentials are being used
  • AWS API Access Keys that should be rotated

Contact k9 Support ([email protected]) if you have questions, feedback, or would like assistance.