Login
September 11, 2023Overview
Organizations of all sizes must protect their data, applications, and infrastructure from unauthorized access and potential breaches.
AWS provides a solution: AWS IAM access key rotation to mitigate the risks associated with static access keys. This blog post will explore how to automate AWS IAM access key rotation using AWS Secrets Manager and AWS Lambda.
AWS IAM Access Key Rotation
AWS IAM access keys consist of an access key ID and a secret access key, which are used to interact with AWS services programmatically. While they are a convenient way to access AWS resources, static access keys can pose significant security risks if not managed properly. Some of the key risks include:
- Unauthorized Access: If access keys fall into the wrong hands, attackers can gain unauthorized access to AWS resources, potentially compromising sensitive data.
- Credential Leaks: Static access keys can be inadvertently leaked, such as when they are hard-coded into source code or accidentally exposed in logs, putting your organization’s security at risk.
- Lack of Visibility: Without proper key management, tracking who uses access keys and their purpose can be challenging, making it harder to identify potential security breaches.
AWS IAM access key rotation addresses these concerns by regularly updating access keys, rendering any compromised or leaked keys useless, and reducing the potential for unauthorized access. Automation is key to ensuring that this crucial security practice is consistently applied.
AWS offers various ways to automate AWS IAM access key rotation, but in this blog post, we will focus on using AWS Secrets Manager and AWS Lambda to accomplish this task. AWS Secrets Manager is a service that helps you protect access to your applications, services, and IT resources without upfront investment in custom solutions. On the other hand, AWS Lambda allows you to run code in response to events, making it ideal for automating tasks like access key rotation.
Pioneers in Cloud Consulting & Migration Services
- Reduced infrastructural costs
- Accelerated application deployment
Steps to set up AWS IAM access key rotation using AWS Secrets Manager and AWS Lambda
- Create a AWS Lambda Function:
Create an AWS Lambda function in Python to handle the key rotation process. This function will retrieve the AWS IAM user’s current access key, create a new one, and update the user with the new access key.
- Create AWS IAM Policy:
A role with a minimal execution policy and access to Amazon CloudWatch to store the logs is automatically created when a lambda function is created. Add the below policy for secret manager access to the same role.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 |
{ "Version": "2012-10-17", "Statement": [ { "Sid": "Statement1", "Effect": "Allow", "Action": [ "iam:DeleteAccessKey", "secretsmanager:GetSecretValue", "iam:UpdateAccessKey", "secretsmanager:ListSecrets", "secretsmanager:UpdateSecret", "iam:CreateAccessKey", "iam:ListAccessKeys" ], "Resource": "*" } ] } |
- Configure AWS Secrets Manager:
In AWS Secrets Manager, create a new secret for each AWS IAM user whose access keys you want to rotate. Set the secret type to “Other type of secrets” and store the user’s name, the user’s current access key, and the secret access key as key-value pairs. Configure the rotation schedule for each secret. Specify the rotation function as your Lambda function created earlier. You can set the rotation frequency based on your organization’s security policies.
- Python code for AWS IAM access key rotation:
Add the following code to the AWS Lambda function you created and the environment variable for the secrets name you created in the AWS Secrets Manager. The following code will disable the existing access keys, generate a new access key, and store it in secrets created for each user.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 |
import json import boto3 import os iam = boto3.client('iam') secretsmanager = boto3.client('secretsmanager') def lambda_handler(event, context): vsecret = os.getenv('secrets') secret_list = vsecret.split(';') for secret in secret_list: get_secret = secretsmanager.get_secret_value(SecretId=secret) secret_details = json.loads(get_secret['SecretString']) print("For user - " + secret_details['UserName'] + ", Access & Secret keys will be inactivated.") # Extracting the key details from IAM key_response = iam.list_access_keys(UserName=secret_details['UserName']) # Existing Key Inactivation for key in key_response['AccessKeyMetadata']: if key['Status'] == 'Active': iam.update_access_key(AccessKeyId=key['AccessKeyId'], Status='Inactive',UserName=key['UserName']) print(key['AccessKeyId'] + " key of " + key['UserName'] + " has been inactivated.") # New Key Creation create_response = iam.create_access_key(UserName=secret_details['UserName']) print("A new set of keys has been created for user - " + secret_details['UserName']) # Updating the secret value NewSecret = '{"UserName":"' + create_response['AccessKey']['UserName'] + '", "AccessKeyId":"' + create_response['AccessKey']['AccessKeyId'] + '", "SecretAccessKey":"' + create_response['AccessKey']['SecretAccessKey'] + '"}' secretsmanager.update_secret(SecretId=secret,SecretString=NewSecret) print(secret + " secret has been updated with latest key details for " + secret_details['UserName'] + " user.") return "Key creation and secret update has completed successfully." |
- Testing and Monitoring:
Test the key rotation process to ensure it works as expected. Monitor Amazon CloudWatch logs and metrics to track the rotation’s success and troubleshoot any issues that may arise.
Conclusion
By implementing AWS IAM access key rotation with these services, you can reduce the risk associated with static access keys, improve operational efficiency, and maintain a strong security posture in your AWS environment. Review and update your key rotation policies to align with evolving security best practices and organizational requirements.
Drop a query if you have any questions regarding AWS IAM and we will get back to you quickly.
Making IT Networks Enterprise-ready – Cloud Management Services
- Accelerated cloud migration
- End-to-end view of the cloud environment
About CloudThat
CloudThat is an official AWS (Amazon Web Services) Advanced Consulting Partner and Training partner, AWS Migration Partner, AWS Data and Analytics Partner, AWS DevOps Competency Partner, Amazon QuickSight Service Delivery Partner, AWS EKS Service Delivery Partner, and Microsoft Gold Partner, helping people develop knowledge of the cloud and help their businesses aim for higher goals using best-in-industry cloud computing practices and expertise. We are on a mission to build a robust cloud computing ecosystem by disseminating knowledge on technological intricacies within the cloud space. Our blogs, webinars, case studies, and white papers enable all the stakeholders in the cloud computing sphere.
To get started, go through our Consultancy page and Managed Services Package, CloudThat’s offerings.
FAQs
1. Is there a cost associated with using AWS Secrets Manager and AWS Lambda for access key rotation?
ANS: – Yes, both AWS Secrets Manager and AWS Lambda incur costs based on usage. Reviewing the AWS pricing documentation to understand the cost structure and estimate expenses based on your organization’s needs is essential.
2. Is there any downtime during AWS IAM access key rotation?
ANS: – AWS IAM access key rotation typically does not cause downtime for users or applications. The process involves creating a new access key for the user and updating their AWS IAM user credentials while the old access key remains valid for a short period to ensure continuity.
WRITTEN BY Rohit Lovanshi
Rohit Lovanshi works as a Research Associate (Infra, Migration, and Security Team) at CloudThat. He is AWS Developer Associate certified. He has a positive attitude and works effectively in a team. He loves learning about new technology and trying out different approaches to problem-solving.
PREV
Comments