
Simplifying AWS IAM Access Key Rotation with AWS Secrets Manager and AWS Lambda Function


Organizations of all sizes must protect their data, applications, and infrastructure from unauthorized access and potential breaches.

One essential security aspect is properly managing AWS Identity and Access Management (IAM) credentials, particularly access keys. Access keys authenticate programmatic calls to AWS services on behalf of an IAM user, which makes them a prime target for malicious actors.

To mitigate the risks associated with static access keys, AWS recommends rotating IAM access keys regularly. This blog post explores how to automate AWS IAM access key rotation using AWS Secrets Manager and AWS Lambda.

AWS IAM Access Key Rotation

AWS IAM access keys consist of an access key ID and a secret access key, which are used to interact with AWS services programmatically. While they are a convenient way to access AWS resources, static access keys can pose significant security risks if not managed properly. Some of the key risks include:

  • Unauthorized Access: If access keys fall into the wrong hands, attackers can gain unauthorized access to AWS resources, potentially compromising sensitive data.
  • Credential Leaks: Static access keys can be inadvertently leaked, such as when they are hard-coded into source code or accidentally exposed in logs, putting your organization’s security at risk.
  • Lack of Visibility: Without proper key management, tracking who uses access keys and their purpose can be challenging, making it harder to identify potential security breaches.

AWS IAM access key rotation addresses these concerns by regularly updating access keys, rendering any compromised or leaked keys useless, and reducing the potential for unauthorized access. Automation is key to ensuring that this crucial security practice is consistently applied.

AWS offers various ways to automate AWS IAM access key rotation, but in this blog post, we will focus on using AWS Secrets Manager and AWS Lambda to accomplish this task. AWS Secrets Manager is a service that helps you protect access to your applications, services, and IT resources without upfront investment in custom solutions. AWS Lambda allows you to run code in response to events, making it ideal for automating tasks like access key rotation.


Steps to set up AWS IAM access key rotation using AWS Secrets Manager and AWS Lambda

  1. Create an AWS Lambda Function:

Create an AWS Lambda function in Python to handle the key rotation process. This function will retrieve the AWS IAM user’s current access key, create a new one, store the new key in the user’s secret, and deactivate the old key.

  2. Create AWS IAM Policy:

When a Lambda function is created, a role with a minimal execution policy and access to Amazon CloudWatch for storing logs is created automatically. Add the below policy for Secrets Manager access to the same role.

  3. Configure AWS Secrets Manager:

In AWS Secrets Manager, create a new secret for each AWS IAM user whose access keys you want to rotate. Set the secret type to “Other type of secrets” and store the user’s name, the user’s current access key ID, and the secret access key as key-value pairs. Configure the rotation schedule for each secret and select the Lambda function created earlier as the rotation function. You can set the rotation frequency based on your organization’s security policies.


  4. Python code for AWS IAM access key rotation:

Add the following code to the AWS Lambda function you created, and set an environment variable holding the name of the secret you created in AWS Secrets Manager. The following code will disable the existing access keys, generate a new access key, and store it in the secret created for each user.


  5. Testing and Monitoring:

Test the key rotation process to ensure it works as expected. Monitor Amazon CloudWatch logs and metrics to track the rotation’s success and troubleshoot any issues that may arise.
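The rotation logic described in steps 1 to 4, written here as an added example rather than the post's own code. The core function takes boto3-style clients as parameters so it can be exercised offline, the Lambda entry point reads the secret name from a SECRET_NAME environment variable (an assumed name; the post does not give one), and it follows the post's simplified flow rather than the four-step Secrets Manager rotation protocol. It creates and stores the new key before deactivating the old one, the reverse of the order in step 4, so that a failure midway never leaves consumers without a valid key.

```python
import json
import os
from datetime import datetime, timezone


def rotate_user_access_key(user_name, iam, secrets, secret_id):
    """Rotate one IAM user's access key and record the new key in Secrets Manager.

    `iam` and `secrets` are boto3-style clients (real ones in Lambda, fakes in
    tests). IAM caps a user at two access keys, so Inactive keys left by the
    previous rotation are deleted first to make room for the new key.
    """
    existing = iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]
    for key in existing:
        if key["Status"] == "Inactive":
            iam.delete_access_key(UserName=user_name, AccessKeyId=key["AccessKeyId"])
    active_ids = [k["AccessKeyId"] for k in existing if k["Status"] == "Active"]
    if len(active_ids) >= 2:
        # Two active keys means something else manages this user's keys; stop
        # rather than deactivate a key whose consumers are unknown.
        raise RuntimeError(f"{user_name} has two active keys; refusing to rotate")

    new_key = iam.create_access_key(UserName=user_name)["AccessKey"]
    # Store the new credentials before touching the old key, so a failure here
    # never leaves consumers with no valid credentials at all.
    secrets.put_secret_value(
        SecretId=secret_id,
        SecretString=json.dumps({
            "UserName": user_name,
            "AccessKeyId": new_key["AccessKeyId"],
            "SecretAccessKey": new_key["SecretAccessKey"],
            "RotatedAt": datetime.now(timezone.utc).isoformat(),
        }),
    )
    # Deactivate rather than delete: a missed consumer can be fixed by re-enabling
    # the key, and the Inactive key is cleaned up on the next rotation run.
    for key_id in active_ids:
        iam.update_access_key(UserName=user_name, AccessKeyId=key_id, Status="Inactive")
    return {"new_key_id": new_key["AccessKeyId"], "deactivated": active_ids}


def lambda_handler(event, context):
    """Entry point: reads the secret named by SECRET_NAME (assumed variable name)."""
    import boto3  # imported here so rotate_user_access_key() is testable without AWS

    secret_id = os.environ["SECRET_NAME"]
    secrets = boto3.client("secretsmanager")
    current = json.loads(secrets.get_secret_value(SecretId=secret_id)["SecretString"])
    return rotate_user_access_key(current["UserName"], boto3.client("iam"), secrets, secret_id)
```

The function's execution role needs iam:ListAccessKeys, iam:CreateAccessKey, iam:UpdateAccessKey and iam:DeleteAccessKey on the rotated users plus secretsmanager:GetSecretValue and secretsmanager:PutSecretValue on their secrets, and nothing wider.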


By implementing AWS IAM access key rotation with these services, you can reduce the risk associated with static access keys, improve operational efficiency, and maintain a strong security posture in your AWS environment. Review and update your key rotation policies to align with evolving security best practices and organizational requirements.

Drop a query if you have any questions regarding AWS IAM and we will get back to you quickly.




1. Is there a cost associated with using AWS Secrets Manager and AWS Lambda for access key rotation?

ANS: – Yes, both AWS Secrets Manager and AWS Lambda incur costs based on usage. Reviewing the AWS pricing documentation to understand the cost structure and estimate expenses based on your organization’s needs is essential.

2. Is there any downtime during AWS IAM access key rotation?

ANS: – AWS IAM access key rotation typically does not cause downtime for users or applications. The process involves creating a new access key for the user and updating their AWS IAM user credentials while the old access key remains valid for a short period to ensure continuity.

WRITTEN BY Rohit Lovanshi

Rohit Lovanshi works as a Research Associate (Infra, Migration, and Security Team) at CloudThat. He is AWS Developer Associate certified. He has a positive attitude and works effectively in a team. He loves learning about new technology and trying out different approaches to problem-solving.


