Keys may need to be changed for any of a host of reasons; this page offers a general guide for when, why, and how to rotate IAM keys.
Causes:
Currently we do not rotate keys on a regular schedule. AWS recommends rotating keys every 90 days, but that is not needed given our small and stable environment. Keys may need to be rotated for a few reasons:
...
Normally only the vulnerable keys (i.e. the keys that the person could access) need to be rotated, but Amazon has an internal policy requiring that all keys be rotated if one of them is compromised. For public leaks this is required; in other cases use best judgement as to whether it should be followed.
Risk Assessment:
When a key is placed at risk, the first step is to determine the affected resources and the risk the exposure poses. This cannot be reduced to a simple flow chart, but the following steps will cover most cases.
1. Log onto AWS and go to the IAM (Identity and Access Management) section.
2. Select the Users section.
3. Search by access key or username to find the affected key(s).
4. Assess the likelihood that the leaked keys can be obtained by a malicious actor.
5. In the Permissions tab, look at what policies or groups are attached.
6. Read each permission to assess what types of access the key has:
   - Full admin access or IAM edit access is an instant red flag: a key with either can escalate its own privileges.
   - Access to production is another red flag.
   - Access to broadly edit a class of resources (S3, EC2) is another serious risk.
7. Combining the likelihood (step 4) with the attached permissions (step 5), make an estimate of the danger.
8. Work out with other technical team members and stakeholders whether this is worth downtime in the affected resources.
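As an added example (not part of this wiki page), the red-flag checks from the permission review above applied to constructed policy documents, combined with the leak likelihood into a danger estimate. The `prod` ARN marker, the sample policies and the danger levels are assumptions made for illustration.

```python
# Constructed sample policy documents (not from any real account) that exercise
# the red flags listed in the Risk Assessment steps.
SAMPLE_POLICIES = {
    "AdministratorAccess": {"Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    "ProdBucketReader": {"Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": "arn:aws:s3:::example-prod-logs/*"}]},
    "Ec2Ops": {"Statement": [
        {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]},
    "KeyManager": {"Statement": [
        {"Effect": "Allow", "Action": ["iam:CreateAccessKey", "iam:ListUsers"],
         "Resource": "*"}]},
    "StagingReadOnly": {"Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-staging/*"}]},
}
PROD_MARKER = "prod"              # assumption: production ARNs contain "prod"
BROAD_SERVICES = ("s3:", "ec2:")  # resource classes the page calls out
IAM_READ_ONLY = ("iam:get", "iam:list", "iam:generate", "iam:simulate")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def assess_policy(doc):
    """Return the set of red flags raised by one IAM policy document."""
    flags = set()
    for st in doc["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(st.get("Action", []))]
        resources = [r.lower() for r in _as_list(st.get("Resource", []))]
        for a in actions:
            if a in ("*", "*:*"):
                flags.add("FULL_ADMIN")        # can do anything, IAM included
            elif a.startswith("iam:") and not a.startswith(IAM_READ_ONLY):
                flags.add("IAM_EDIT")          # can grant itself more access
            elif a.startswith(BROAD_SERVICES) and a.endswith("*"):
                flags.add("BROAD_EDIT:" + a.split(":")[0])
        if any(PROD_MARKER in r for r in resources):
            flags.add("PRODUCTION_ACCESS")
    return flags

def assess_key(policy_names, likelihood, policies=SAMPLE_POLICIES):
    """Combine likelihood (step 4) and permissions (step 5); levels are an assumption."""
    flags = set().union(*(assess_policy(policies[n]) for n in policy_names))
    level = 3 if {"FULL_ADMIN", "IAM_EDIT"} & flags else 2 if flags else 1
    if likelihood == "low":
        level -= 1
    return flags, ("none", "low", "high", "critical")[level]
```

A `Resource` of `*` cannot be classified as production or not from the document alone, so such statements still need a manual look.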
Rotation:
As of 7/17/19 the wiki has no shared list of keys and where each is used, though one will be added soon. We should also add metadata to the keys themselves to help track where each is used.
...