Rotating AWS IAM Keys — Finally Made Easy and Automated
AWS Access Key security is hard. So I fixed it. Here’s how.
If you’ve ever worked with AWS, you know how difficult it is to create a credential rotation program. AWS will tell you it’s best practice to rotate keys “on a regular schedule.” And then the AWS Security Team wrote up a long blog post about how to rotate your keys. Other cloud compliance vendors will tell you to rotate keys every 90 days. And of course the process isn’t hard, meaning there are a million scripts floating around.
But what’s missing from all of this is automatic and easy rotation set up from installation. Sure, anyone can set up a cron job. But it’s just much easier if the program just does it for you. No one ever complained about security being made easy!
Today, I am introducing AWS Rotate IAM Keys, an open source script that is easy to install and just works. Install it on Ubuntu, other Linux distros, MacOS and even Windows. Just send your entire development team a single link and your AWS environment is more secure within 24 hours.
Let’s dig into why this tool is useful and why I opted for a client-based tool rather than using a Lambda or centralized function.
So Why Not Lambda?
Early on, I leaned heavily towards a Lambda solution. After all, using a Lambda just seems better since you can rotate all keys yourself and you don’t need to rely on users. It’s a great solution for a single company to implement. But think about that at scale. That means that every DevOps engineer needs to deploy this code in their own environment. It’s not an industry-wide scalable solution. Plus, there is a major security risk. Once you rotate the keys, how do you tell the user you rotated their keys? Sure, a domain controller can set environment variables, but not many small companies have a domain controller these days. Email works, until you consider that email is highly insecure. And what user wants to get the same email every day and take the same action every day? You could message them via Slack, but then you’re writing a custom Slack integration as well. And you’ve got private keys in a 3rd party platform and message history. Plus, the user still needs to update their credentials file. Not good.
A Lambda function leaves too many un-answered questions about implementation to make it feasible — and easy.
I determined that the only secure, easy, and automated solution was to use a script on the client machine. Putting responsibility on a developer to install a script is an acceptable request. This meant that the script had to just work and have a very easy, 15 second installation process.
Enter OS-specific package managers.
Installation Is Easy and Platform Specific
To date, I have not found a solution to rotate AWS IAM keys that supports all major operating systems via a native package manager. So I wrote one.
Ubuntu uses the commonly accepted PPA format. Other Linux distros have a signed .deb file they can download and install. MacOS supports Homebrew installation. And Windows uses PowerShell scripts that auto install. Super simple to get your developers using best security practices.
Mass Security — and Other Features
In my day job, I use many different AWS profiles. Some of them overlap in security keys due to assuming roles in various Terraform planning scripts. However, I also touch multiple AWS bastion accounts daily. More than assuming role into an account to manage it, I am also jumping between base accounts. This means my credentials file is a mess to manage manually. So I automated it.
AWS Rotate IAM Keys can rotate keys for multiple profiles, but it can also replace multiple profiles with the same keys. For instance, to replace your default and development profiles with the same keys, just use:
$ aws-rotate-iam-keys --profile default,development
Or to rotate two separate profiles with different keys, use:
$ aws-rotate-iam-keys --profile default
$ aws-rotate-iam-keys --profile production
This is easy to add to a crontab. But wait, what if we just added it to the crontab for you? Unfortunately, this nifty feature is only available in Linux distributions, but I wrote instructions for other platforms.
By default, Linux installations get a crontab entry to rotate their key sometime in the 2 am hour nightly. This rotates the
default profile by default, but can easily be extended to rotate more profiles. My own crontab rotates 10 keys nightly, automatically for me.
15 2 * * * /usr/bin/aws-rotate-iam-keys --profile default
If you’re reading this, you should install the script. It’s open source, easy to use, and will immediately increase security across all your AWS accounts without any downtime or inconvenience.
If you manage a team, require that your developers install this script. It is easy to install and reduces your attack footprint.
I am happy to review well formatted PRs and solve issues in the GitHub repo for this project.
October is National Cybersecurity Awareness Month! Join with cybersecurity champions, like AirSwap, and the Department of Homeland Security to keep cyberspace safe. This post is a part of the “It’s Everyone’s Job to Ensure Online Safety at Work” themed week for October 15–19.