Rotating IAM Access Keys with Lambda

David Toth
3 min read · May 22, 2018

TL;DR I wrote a Lambda function that revokes user access keys periodically to enforce rotation and mitigate risk. You can easily deploy this solution with Terraform or Serverless.

The useful but risky IAM Access Keys

Having the AWS CLI tool at hand is a great help in dealing with day-to-day tasks. However, a static access key can stay on a developer's machine permanently, and in the long run that is a risk.

A key might be created to try out different tools or for some temporary process. Such keys can stay active in AWS indefinitely, without the holder ever having to re-authenticate. The scenario is similar to a website where the admin can stay logged in forever because the session cookie never expires.

Access key ages reported on IAM dashboard

Usually these keys are copied manually and they can be left on the clipboard, in an IDE config file, in a .txt note, or elsewhere.
The classic example is accidentally committing the key to a public repository as part of some code. No matter how secure your process is, you need to factor the human element into the equation. There are many bots constantly scanning public GitHub repositories for sensitive data of this kind.

Rotate your keys

Because of their nature, Access Keys should be rotated at least as often as passwords, ideally as often as work sessions.

Along with following the IAM best practices, I found that simply deleting user keys periodically is a great way to enforce rotation.
Please note that these are the keys of human users, e.g. developers manually accessing the AWS API. Keys used by systems should be rotated more carefully to avoid breaking things.

So let’s automate this with a simple setup:

1. Lambda function:
- Collects the users of certain IAM groups, e.g. Developers, Administrators
- Scans each user for existing IAM access keys
- Deletes the keys

2. Scheduled CloudWatch trigger:
- Triggers the Lambda to run, let's say every Friday evening

If the users have access to the AWS Console, this forces them to log in using their MFA. This creates a good habit of logging in over a secure channel and reminds them of the sensitive nature of these keys.

On Monday mornings the developers generate a fresh key pair, which only takes a minute. If an access key gets forgotten somewhere, it poses a risk for at most 5 days, or less depending on your schedule.
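The three Lambda steps above (collect group members, list each user's keys, delete them), written out as an added example. This is not the handler.js from the repository; it is written against the AWS SDK for JavaScript v2 IAM API (getGroup, listAccessKeys, deleteAccessKey), takes the IAM client as a parameter so the logic can be exercised offline, handles getGroup pagination, skips users that appear in more than one group, and returns a list of revoked keys for logging. The group names, user names and AKIAEXAMPLE… key ids in the fake client are constructed sample data.

```javascript
// Added example, not the repository's handler.js. Assumes AWS SDK v2 style
// clients whose methods return objects with a .promise() method.

// Collect all user names in an IAM group, following pagination markers.
async function listGroupUsers(iam, groupName) {
  const users = [];
  let marker;
  do {
    const page = await iam.getGroup({ GroupName: groupName, Marker: marker }).promise();
    users.push(...page.Users.map((u) => u.UserName));
    marker = page.IsTruncated ? page.Marker : undefined;
  } while (marker);
  return users;
}

// Delete every access key of every user in the given groups.
// Returns the revoked keys so the caller can log them for audit purposes.
async function revokeKeysForGroups(iam, groupNames) {
  const revoked = [];
  const seen = new Set(); // a user can be in several groups; process once
  for (const groupName of groupNames) {
    for (const userName of await listGroupUsers(iam, groupName)) {
      if (seen.has(userName)) continue;
      seen.add(userName);
      // An IAM user can hold at most two access keys, so no pagination is needed here.
      const { AccessKeyMetadata } = await iam.listAccessKeys({ UserName: userName }).promise();
      for (const key of AccessKeyMetadata) {
        await iam.deleteAccessKey({ UserName: userName, AccessKeyId: key.AccessKeyId }).promise();
        revoked.push({ userName, accessKeyId: key.AccessKeyId, createDate: key.CreateDate });
      }
    }
  }
  return revoked;
}

// Lambda entry point. GROUPS is a comma-separated environment variable, as in the
// post's serverless.yml. The SDK is loaded lazily so the logic above runs without it.
async function handler() {
  const AWS = require('aws-sdk');
  const iam = new AWS.IAM();
  const groups = (process.env.GROUPS || '').split(',').map((g) => g.trim()).filter(Boolean);
  const revoked = await revokeKeysForGroups(iam, groups);
  console.log(JSON.stringify({ revokedCount: revoked.length, revoked }));
  return revoked;
}

// Constructed in-memory fake of the three IAM calls, used to run the logic offline.
// It returns one user per getGroup page to exercise the pagination loop.
function makeFakeIam(state) {
  const respond = (value) => ({ promise: () => Promise.resolve(value) });
  return {
    getGroup: ({ GroupName, Marker }) => {
      const users = state.groups[GroupName] || [];
      const start = Marker ? Number(Marker) : 0;
      const isTruncated = start + 1 < users.length;
      return respond({
        Users: users.slice(start, start + 1).map((UserName) => ({ UserName })),
        IsTruncated: isTruncated,
        Marker: isTruncated ? String(start + 1) : undefined,
      });
    },
    listAccessKeys: ({ UserName }) => respond({
      AccessKeyMetadata: (state.keys[UserName] || []).map((AccessKeyId) => ({
        AccessKeyId, Status: 'Active', CreateDate: new Date('2018-05-01T00:00:00Z'),
      })),
    }),
    deleteAccessKey: ({ UserName, AccessKeyId }) => {
      state.keys[UserName] = state.keys[UserName].filter((id) => id !== AccessKeyId);
      state.deleted.push(`${UserName}:${AccessKeyId}`);
      return respond({});
    },
  };
}

// Constructed sample account: alice is in both groups and holds two keys, bob has none.
function sampleState() {
  return {
    groups: { Developers: ['alice', 'bob', 'carol'], Administrators: ['alice'] },
    keys: { alice: ['AKIAEXAMPLE0000001', 'AKIAEXAMPLE0000002'], bob: [], carol: ['AKIAEXAMPLE0000003'] },
    deleted: [],
  };
}

if (typeof module !== 'undefined') {
  module.exports = { handler, revokeKeysForGroups, listGroupUsers, makeFakeIam, sampleState };
}
```

Running revokeKeysForGroups(makeFakeIam(sampleState()), ['Developers', 'Administrators']) revokes alice's two keys and carol's one, and alice is not visited a second time via the Administrators group. Deploying this as the scheduled Lambda requires an execution role allowed to call iam:GetGroup, iam:ListAccessKeys and iam:DeleteAccessKey on the users concerned.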

Deploying the solution

The code can be found here: https://github.com/dvdtoth/rotate-iam-keys

You have two tools to choose from: Terraform or Serverless.

You will need to set two variables, the name of the IAM groups and the schedule. By default the trigger is set to run every Friday at 23:55.

For the schedule expression check this page: https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/ScheduledEvents.html

Terraform

Update variables in production.tfvars, then run:

zip revoke_keys.zip handler.js
terraform init
terraform apply -var-file="production.tfvars"

To remove:

terraform destroy -var-file="production.tfvars"

Serverless

Update the GROUPS environment variable and the schedule in serverless.yml, then execute:

serverless deploy --aws-profile yourprofile

To remove:

serverless remove --aws-profile yourprofile

Read more about IAM best practices here: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html

Comments and pull requests are welcome.
