Alternatives to Long-lived Credentials in AWS IAM: How to Stop Using AWS Access Key and Secret Access Key
Introduction
One security weakness I have consistently encountered in my AWS career is accounts that rely on long-lived credentials: IAM users that were created and never used, or IAM users whose access key and secret access key have not been rotated in over 600 days, whether the key is still in use or was never used at all. Either case poses a serious risk to the AWS account, because a static key that leaks stays valid until someone notices and deactivates it.
The Security Pillar of the AWS Well-Architected Framework addresses this in best practice SEC02-BP05 (audit and rotate credentials periodically), whose implementation guidance calls for auditing credentials regularly, rotating any IAM credentials that must exist, and preferring IAM roles, which hand out temporary credentials, over IAM users with static keys. This article covers several ways to work in AWS without long-lived credentials.
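As an added example that is not part of the original article, the script below performs the audit step described above: it parses an IAM credential report (the CSV you get from `aws iam generate-credential-report` followed by `aws iam get-credential-report`) and flags every active access key that has never been used or has not been rotated within a chosen window. The column names follow the AWS credential report format; the report rows, the reference date and the 90-day threshold are constructed sample values, not data from a real account.

```python
"""Audit an IAM credential report for long-lived or never-used access keys.

Added example, not code from the original article. The column layout is
that of the AWS IAM credential report; the rows below are constructed
sample data, and REFERENCE_NOW is a fixed date so results are repeatable.
"""
import csv
import io
from datetime import datetime, timezone

# Constructed sample report (not from a real account). Two key slots per user.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service
<root_account>,arn:aws:iam::111122223333:root,2021-01-10T08:00:00+00:00,not_supported,2024-01-02T09:00:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A
ci-deployer,arn:aws:iam::111122223333:user/ci-deployer,2022-03-01T00:00:00+00:00,false,N/A,N/A,N/A,false,true,2022-03-01T00:00:00+00:00,2024-05-30T12:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A
dev-alice,arn:aws:iam::111122223333:user/dev-alice,2024-04-01T00:00:00+00:00,true,2024-05-29T10:00:00+00:00,2024-04-01T00:00:00+00:00,N/A,true,true,2024-04-01T00:00:00+00:00,2024-05-29T11:00:00+00:00,eu-west-1,ec2,false,2023-01-15T00:00:00+00:00,N/A,N/A,N/A
legacy-svc,arn:aws:iam::111122223333:user/legacy-svc,2020-06-01T00:00:00+00:00,false,N/A,N/A,N/A,false,true,2020-06-01T00:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A
"""

# Fixed "current time" for the sample; pass datetime.now(timezone.utc) for live data.
REFERENCE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Markers the report uses in place of a timestamp.
NO_TIMESTAMP = {"N/A", "no_information", "not_supported", ""}


def parse_report_time(value):
    """Convert a report timestamp (ISO 8601 with UTC offset) to an aware datetime, or None."""
    if value in NO_TIMESTAMP:
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_text, now, max_age_days=90):
    """Return one finding per active access key that is never used, stale, or on root.

    A finding is {"user", "key", "age_days", "issues"}; issues are listed in the
    order never_used, stale_rotation, root_access_key. Inactive keys are skipped:
    they cannot authenticate, so their age does not matter.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_text)):
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            rotated = parse_report_time(row[f"access_key_{slot}_last_rotated"])
            last_used = parse_report_time(row[f"access_key_{slot}_last_used_date"])
            age_days = (now - rotated).days if rotated else None

            issues = []
            if last_used is None:
                issues.append("never_used")        # key exists but has never signed a request
            if age_days is not None and age_days > max_age_days:
                issues.append("stale_rotation")    # older than the rotation window
            if row["user"] == "<root_account>":
                issues.append("root_access_key")   # root should have no access keys at all
            if issues:
                findings.append({
                    "user": row["user"],
                    "key": f"access_key_{slot}",
                    "age_days": age_days,
                    "issues": issues,
                })
    return findings


if __name__ == "__main__":
    for f in audit_credential_report(SAMPLE_REPORT, REFERENCE_NOW, max_age_days=90):
        print(f"{f['user']:<12} {f['key']}  age={f['age_days']}d  {', '.join(f['issues'])}")
```

On the sample data this reports `ci-deployer`'s key as stale but in use (823 days old, last used two days before the reference date) and `legacy-svc`'s key as both never used and stale; `dev-alice`'s inactive second key is ignored. Against a live account, feed it the decoded `Content` field of `get-credential-report` and the current UTC time. Deactivate a flagged key before deleting it, so a consumer that turns out to still depend on it can be restored while you move it to a role.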
What are Long-Lived Credentials?
According to ChatGPT:
Long-lived credentials refer to authentication tokens or keys that have extended validity periods. They enable users or systems to access resources without needing frequent re-authentication. These credentials can include API keys, OAuth tokens, session cookies, or any other access token that remains valid for a long duration, typically ranging from several hours to several days or even longer.