
We have an IAM user (programmatic access only) with an access key age of more than 4 years. S3 and SQS are the only services actively being used by this user. We want to rotate the access key by creating a new user/policy.

I created a new user, added it to the groups the old user is in and gave it the same policies. I can see last activity as "None", which means services are not using this user. I also created a new access key for the first user, and last activity is "None" for that too. Can someone help me with what I have to do to let all the applications use this new access key instead of the old one, so that I can delete it?

Policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": [
        "aws-portal:*",
        "iam:*"
      ],
      "Resource": "*"
    }
  ]
}

1 Answer


AWS recommends that access keys be rotated regularly. However, if you want to rotate the access keys now, there is no need to create a new IAM user.

You can rotate the existing access keys as shown in the link below:

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html#Using_RotateAccessKey

There isn't any way to give the existing access keys to the new user. The keys are generated automatically at the last step of new user creation.

Also, it is necessary to update the applications that are using the access keys, but in your case you are using EC2, ELB, S3, SES, which by default will accept the new access keys when accessed via the CLI.

  • I have already gone through this link. My question is how to update all applications and tools to use the new access key (2nd step). – rumblefish Apr 04 '19 at 18:35
  • What applications are you using which are currently using your old access keys? Generally, an access key is used when you make a call to the AWS API or when you drive AWS through the AWS Command Line Interface (CLI) or the AWS Tools for Windows PowerShell. – Aress Support Apr 04 '19 at 18:48
  • EC2, ELB, S3, SES – rumblefish Apr 04 '19 at 19:08
  • AWS services will automatically accept either of the credentials associated with an IAM user (two can be active at once, to make the transition easier). – John Rotenstein Apr 04 '19 at 20:35
  • Agreed - @JohnRotenstein – Aress Support Apr 05 '19 at 13:25
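The rotation the answer links to is a four-step procedure: create a second key while the old one stays active, switch the applications to it, confirm with GetAccessKeyLastUsed that the old key has gone quiet, then deactivate it and delete it only later. The step the question is really asking about (getting the new key into the applications) cannot be scripted generically, because it depends on where each consumer reads its credentials (environment variables, ~/.aws/credentials, a secrets store, a CI variable); the "last activity: None" seen on the freshly created key simply means no consumer has been switched yet. The example below is an added illustration of the IAM side of the procedure and is not code from the question, the answer or the commenters. The IAM client is injected so the same functions run against a real `boto3.client("iam")` or against the in-memory `FakeIAM` defined here with constructed key data; the response shapes mirror the IAM API, and the equivalent `aws iam` CLI command for each step is noted in the docstrings. Key IDs, the user name `app-user` and the timings are assumptions for the demonstration.

```python
"""Rotate an IAM user's access key without an outage: create, switch, verify, deactivate, delete.

Added example, not the poster's or AWS's code. The IAM client is injected so the
functions work against boto3.client("iam") or the FakeIAM below (constructed data).
"""
from datetime import datetime, timedelta, timezone


def list_keys(iam, user):
    """Oldest-first AccessKeyMetadata (CLI: aws iam list-access-keys --user-name USER)."""
    keys = iam.list_access_keys(UserName=user)["AccessKeyMetadata"]
    return sorted(keys, key=lambda k: k["CreateDate"])


def begin_rotation(iam, user):
    """Step 1: create the second key (CLI: aws iam create-access-key --user-name USER).
    IAM allows two keys per user (Active or Inactive), so refuse early instead of
    letting the API call fail."""
    if len(list_keys(iam, user)) >= 2:
        raise RuntimeError(f"{user} already has two access keys; delete one before rotating")
    new = iam.create_access_key(UserName=user)["AccessKey"]
    # new["SecretAccessKey"] is returned exactly once: hand it to the apps now, never log it.
    return new["AccessKeyId"]


def old_key_quiet(iam, key_id, since):
    """Step 2 check (CLI: aws iam get-access-key-last-used --access-key-id KEY).
    True if the old key has not been used since the apps were switched over.
    LastUsedDate is absent for a never-used key and is refreshed with roughly
    15-minute granularity, so leave some margin after the switch."""
    info = iam.get_access_key_last_used(AccessKeyId=key_id)["AccessKeyLastUsed"]
    last = info.get("LastUsedDate")
    return last is None or last < since


def finish_rotation(iam, user, old_key_id, switched_at, delete=False):
    """Steps 3-4: deactivate the old key only once it is quiet; delete only on request,
    so a consumer that was missed can be rescued by re-activating rather than re-keying.
    CLI: aws iam update-access-key --status Inactive ... / aws iam delete-access-key ..."""
    if not old_key_quiet(iam, old_key_id, switched_at):
        return "still-in-use"
    iam.update_access_key(UserName=user, AccessKeyId=old_key_id, Status="Inactive")
    if not delete:
        return "deactivated"
    iam.delete_access_key(UserName=user, AccessKeyId=old_key_id)
    return "deleted"


class FakeIAM:
    """Minimal in-memory stand-in for boto3's IAM client (constructed test data only)."""

    def __init__(self, keys, last_used):
        self.keys = keys            # list of AccessKeyMetadata dicts
        self.last_used = last_used  # AccessKeyId -> datetime, or None if never used
        self._n = 0

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [k for k in self.keys if k["UserName"] == UserName]}

    def create_access_key(self, UserName):
        self._n += 1
        kid = f"AKIAFAKE{self._n:012d}"  # fabricated id, not a real key
        self.keys.append({"UserName": UserName, "AccessKeyId": kid, "Status": "Active",
                          "CreateDate": datetime.now(timezone.utc)})
        self.last_used[kid] = None
        return {"AccessKey": {"UserName": UserName, "AccessKeyId": kid,
                              "Status": "Active", "SecretAccessKey": "fake-secret"}}

    def get_access_key_last_used(self, AccessKeyId):
        last = self.last_used[AccessKeyId]
        used = ({"LastUsedDate": last, "ServiceName": "s3", "Region": "us-east-1"} if last
                else {"ServiceName": "N/A", "Region": "N/A"})  # shape of a never-used key
        return {"UserName": "app-user", "AccessKeyLastUsed": used}

    def update_access_key(self, UserName, AccessKeyId, Status):
        for k in self.keys:
            if k["AccessKeyId"] == AccessKeyId:
                k["Status"] = Status

    def delete_access_key(self, UserName, AccessKeyId):
        self.keys = [k for k in self.keys if k["AccessKeyId"] != AccessKeyId]


def demo():
    """Run the rotation against constructed data; returns (action per step, keys left)."""
    now = datetime.now(timezone.utc)
    old = "AKIAOLDKEY0000000001"  # constructed id for the 4-year-old key
    iam = FakeIAM(
        keys=[{"UserName": "app-user", "AccessKeyId": old, "Status": "Active",
               "CreateDate": now - timedelta(days=4 * 365)}],
        last_used={old: now - timedelta(hours=1)},  # some app still signs with it
    )
    begin_rotation(iam, "app-user")
    switched_at = now - timedelta(days=3)  # assume the apps were reconfigured 3 days ago
    steps = [finish_rotation(iam, "app-user", old, switched_at)]       # still-in-use
    iam.last_used[old] = now - timedelta(days=4)  # the last straggler has been fixed
    steps.append(finish_rotation(iam, "app-user", old, switched_at))   # deactivated
    steps.append(finish_rotation(iam, "app-user", old, switched_at, delete=True))  # deleted
    return steps, len(list_keys(iam, "app-user"))


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the intended failure mode: the first `finish_rotation` refuses to touch the old key because it was used an hour ago, which is exactly the signal that some consumer has not yet been switched. Only after `LastUsedDate` falls behind the switch-over time does the key get deactivated, and deletion is a separate, explicit call so the Inactive period doubles as a rollback window.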