How to Automatically Rotate AWS IAM Access Keys

AWS provides a template-based solution that you can deploy to automatically rotate IAM user access keys across all the accounts in your Organization. This post walks through deploying that solution, which is documented here:

https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/automatically-rotate-iam-user-access-keys-at-scale-with-aws-organizations-and-aws-secrets-manager.html

The authors of the docs supplied the following architecture:

Architecture for Automatic Access Key Rotation from the AWS docs

In other words, the architecture works like this:

1. A scheduled CloudWatch Events (now Amazon EventBridge) rule triggers the process once every 24 hours.

2. The first Lambda function queries your Organization for its member accounts.

3. That list of accounts is passed to the second Lambda function.

4. For each member account, the second Lambda function inspects every access key and its creation date.

5. Access keys less than 90 days old are left alone.

6. When it finds an access key created more than 90 days ago, it creates a new access key for that user and stores it as a secret in AWS Secrets Manager. It also attaches a resource policy to the secret so that only that IAM user can read the credentials.

7. It also attaches an IAM policy to the user so the user is allowed to retrieve the secret.

8. Once that is done, it notifies the third Lambda function.

9. The third Lambda function takes the email template from S3 and sends an email via Amazon SES to the owner of the key that was just rotated.
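The per-user rotation logic of steps 4 to 7, as an added example that is not part of the original post or of the AWS sample code. It runs offline against constructed fake clients; in real use you would pass boto3.client("iam") and boto3.client("secretsmanager"). The secret naming scheme (asa/iam-rotation/<user>), the inline policy name, the account ID and the sample users are assumptions of this example, not the sample's conventions. Two things it shows that the list above does not: an Allow statement in the secret's resource policy does not by itself keep other principals in the same account out, so the example adds an explicit Deny for every principal other than the owner; and the two cases where a naive implementation breaks, a user who already has two keys (IAM's limit, so CreateAccessKey would fail) and a secret that already exists from an earlier rotation.

```python
"""Added example (not the AWS sample's code): steps 4 to 7 above for one user, against
duck-typed IAM and Secrets Manager clients (boto3.client("iam") and boto3.client("secretsmanager")
in real use) so it runs offline with the fakes below. Secret naming, policy name and account ID
are this example's assumptions."""
import json
from datetime import datetime, timedelta, timezone

SECRET_NAME_FMT = "asa/iam-rotation/{user}"  # assumed naming, not the sample's
USER_POLICY_NAME = "asa-read-rotated-key"    # assumed inline policy name
GET = "secretsmanager:GetSecretValue"

def keys_needing_rotation(keys, now, max_age=timedelta(days=90)):
    """AccessKeyIds of Active keys older than max_age (steps 5 and 6)."""
    return [k["AccessKeyId"] for k in keys
            if k["Status"] == "Active" and now - k["CreateDate"] > max_age]

def secret_resource_policy(user_arn):
    """Step 6: Allow the owner and Deny everyone else. An Allow alone would not keep out
    other principals in the account whose identity policies already grant GetSecretValue."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": user_arn}, "Action": GET, "Resource": "*"},
        {"Effect": "Deny", "Principal": "*", "Action": GET, "Resource": "*",
         "Condition": {"StringNotEquals": {"aws:PrincipalArn": user_arn}}}]}

def rotate_user(iam, secrets, account_id, user_name, now=None):
    """Inspect one user's keys and rotate the stale ones; returns what happened."""
    now = now or datetime.now(timezone.utc)
    keys = iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]
    stale = keys_needing_rotation(keys, now)
    if not stale:
        return {"user": user_name, "action": "none"}
    if len(keys) >= 2:  # IAM allows two keys per user; CreateAccessKey would fail
        return {"user": user_name, "action": "blocked", "stale": stale}
    new = iam.create_access_key(UserName=user_name)["AccessKey"]
    payload = json.dumps({k: new[k] for k in ("AccessKeyId", "SecretAccessKey")})
    name = SECRET_NAME_FMT.format(user=user_name)
    try:
        arn = secrets.create_secret(Name=name, SecretString=payload)["ARN"]
    except secrets.exceptions.ResourceExistsException:  # later rotations: add a version
        arn = secrets.put_secret_value(SecretId=name, SecretString=payload)["ARN"]
    user_arn = f"arn:aws:iam::{account_id}:user/{user_name}"
    secrets.put_resource_policy(SecretId=arn,
                                ResourcePolicy=json.dumps(secret_resource_policy(user_arn)))
    # Step 7: inline policy on the user, scoped to exactly this secret.
    iam.put_user_policy(UserName=user_name, PolicyName=USER_POLICY_NAME, PolicyDocument=json.dumps(
        {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": GET, "Resource": arn}]}))
    # The old key is left untouched here; retiring it is a separate step.
    return {"user": user_name, "action": "rotated", "stale": stale,
            "new_key_id": new["AccessKeyId"], "secret_arn": arn}

# Constructed fakes standing in for the two boto3 clients (offline use only).
class FakeIAM:
    def __init__(self, keys):  # keys: [(user, key_id, create_date)]
        self.keys = [{"UserName": u, "AccessKeyId": k, "Status": "Active",
                      "CreateDate": c} for u, k, c in keys]
        self.policies, self.n = {}, 0
    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [k for k in self.keys if k["UserName"] == UserName]}
    def create_access_key(self, UserName):
        self.n += 1
        key = {"UserName": UserName, "AccessKeyId": f"AKIANEW{self.n:02d}",
               "Status": "Active", "CreateDate": datetime.now(timezone.utc)}
        self.keys.append(key)
        return {"AccessKey": dict(key, SecretAccessKey="constructed-secret")}
    def put_user_policy(self, UserName, PolicyName, PolicyDocument):
        self.policies[(UserName, PolicyName)] = json.loads(PolicyDocument)

class FakeSecrets:
    class exceptions:
        class ResourceExistsException(Exception): ...
    def __init__(self):
        self.store, self.policies = {}, {}
    def _arn(self, name):
        return "arn:aws:secretsmanager:us-east-1:111111111111:secret:" + name
    def create_secret(self, Name, SecretString):
        if Name in self.store:
            raise self.exceptions.ResourceExistsException(Name)
        self.store[Name] = [SecretString]
        return {"ARN": self._arn(Name)}
    def put_secret_value(self, SecretId, SecretString):
        self.store[SecretId].append(SecretString)
        return {"ARN": self._arn(SecretId)}
    def put_resource_policy(self, SecretId, ResourcePolicy):
        self.policies[SecretId] = json.loads(ResourcePolicy)

def demo():
    """Constructed sample: stale, fresh, and stale-with-existing-secret users."""
    now, acct = datetime(2024, 6, 1, tzinfo=timezone.utc), "111111111111"
    iam = FakeIAM([("alice", "AKIAOLD001", now - timedelta(days=120)),
                   ("bob", "AKIAFRESH1", now - timedelta(days=10)),
                   ("carol", "AKIAOLD002", now - timedelta(days=95))])
    secrets = FakeSecrets()
    secrets.create_secret(Name=SECRET_NAME_FMT.format(user="carol"), SecretString="old")
    results = {u: rotate_user(iam, secrets, acct, u, now=now) for u in ("alice", "bob", "carol")}
    results["alice-again"] = rotate_user(iam, secrets, acct, "alice", now=now)  # hits the key limit
    return results, iam, secrets

if __name__ == "__main__":
    print(json.dumps(demo()[0], indent=1))
```

Running demo() shows the three outcomes: alice is rotated, bob is left alone, and a second pass over alice is reported as blocked because she now holds two keys. carol's run goes through the put_secret_value branch because her secret already existed, which is what a second scheduled rotation of the same user looks like.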

Part I

0. Part I must be carried out from the Organization's management account or from a delegated administrator account.

1. Create or select an S3 bucket (this post assumes your account already owns one), and make sure the account has access to it.

2. In your S3 bucket, create a folder named asa/ and, within that folder, create another folder named asa-iam-rotation/ .

3. Go to this GitHub page: https://github.com/aws-samples/aws-iam-access-key-auto-rotation
Clone the repository, or click Code and choose Download ZIP.

4. Navigate to your S3 console, go inside your asa-iam-rotation folder.

5. Drag and drop these three folders from the package you downloaded in step 3 into asa-iam-rotation/: CloudFormation/, Lambda/, and template/.

The folder structure in S3

6. Still in your S3 bucket, open the ASA-iam-key-auto-rotation-iam-assumed-roles.yaml object that you uploaded in the previous step, find its Object URL, and make note of it.

7. Go to the CloudFormation console: https://console.aws.amazon.com/CloudFormation

8. Now on the CloudFormation console, on the left-hand pane, click on StackSets. Then, click on the Create StackSet button.

9. Choose the following:
• Permissions: Service-managed permissions
• Prepare template: Template is ready
• Template source: Amazon S3 URL

10. Paste the Object URL (from step 6) in the Amazon S3 URL section.

11. Enter your primary AWS account ID (the account you will deploy the Part II stack into) and your AWS Organization ID. You can leave the rest (Assumed IAM Role Name, IAM Execution Role Name, and IAM Exemption Group) at their defaults.

12. Next, under ‘Deployment targets,’ you can choose whether you want to deploy to your entire organization ( Deploy to organization ) or just to a unit ( Deploy to organizational units (OUs) ). I’ll proceed with deploying to the entire organization.

13. You can leave ‘Auto-deployment options’ and ‘Deployment options’ as default.

14. Specify just one region, or the deployment may fail. IAM is a global service, so a stack instance in a second region would try to create the same IAM roles again in each account and be rejected because they already exist.

15. Click the Next button, review, and click the Submit button.

Part II

1. For this part, make sure you are working inside the account you entered as the primary account in step 11 of Part I.

2. This part uploads the second CloudFormation template:
ASA-iam-key-auto-rotation-and-notifier-solution.yaml
You need the Object URL from the S3 object page for that file.

3. The steps are similar, except that you want Stacks instead of StackSets. Navigate to Stacks and choose the Create stack button (‘With new resources’).

4. Paste the Object URL in the Amazon S3 URL section.

5. Name the Stack.

6. Enter the S3 bucket name: the bucket from step 1 of Part I.

7. Enter the CloudFormation S3 bucket prefix from step 2 of Part I. (If you followed this guide, the prefix is asa/asa-iam-rotation .)

8. You can leave the Assumed IAM Role Name, IAM Execution Role Name, and the IAM Exemption Group as default.

9. Set the Dry Run Flag to True or False. With True, the rotation is only simulated and no keys are actually rotated. With False, keys really are rotated, including when you test the solution manually (see below).

10. Enter the Admin Email Address, which is the 'from' address for the notification emails. Amazon SES only sends from an email address or domain that you have verified as an SES identity, and while the account is still in the SES sandbox it can only deliver to verified recipients as well, so verify these before the first rotation runs.

11. Leave everything else at its defaults, then click Next.

12. Click Next again, review, and click Submit once you're satisfied.

That’s it!

Manual Testing of the Automation

If you want to test the solution without waiting for the trigger event, follow these steps:

1. Go to the Lambda console: https://console.aws.amazon.com/lambda

2. On the left-hand panel, choose “Functions”.

3. Select the ASA-Account-Inventory function that was created in the previous sections.

4. Under the "Test" tab, choose "Create new event"; you can name it anything.

5. Under “Event JSON”, type the following:

{
    "ForceRotate": "<insert username here>"
}

6. Click the Test button; you should see a success message. Whether the access keys are actually rotated depends on the Dry Run Flag you set in step 9 of Part II.
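The same manual test driven from code, as an added example that is not part of the original post or of the AWS sample: it invokes ASA-Account-Inventory with the ForceRotate event through the Lambda API and then checks the user's access keys for a key ID that was not there before, which is the verification the console's success message does not give you. The Lambda and IAM clients are passed in (boto3.client("lambda") and boto3.client("iam") in real use) so the function runs offline against the constructed fakes at the bottom; the user names and the fakes' behaviour are assumptions of this example. Because the inventory function hands the rotation to the second function, the new key may show up only shortly after the invoke call returns, so the check polls for a few seconds rather than looking once.

```python
"""Added example (not from the post or the AWS sample): drive the ForceRotate test from
code and verify the outcome. Clients are injected (boto3.client("lambda") and
boto3.client("iam") in real use) so it runs offline with the constructed fakes below;
user names and the fakes' behaviour are assumptions."""
import io
import json
import time

def force_rotate(lambda_client, iam, user_name, function_name="ASA-Account-Inventory",
                 attempts=5, delay=2.0, sleep=time.sleep):
    """Snapshot the user's key IDs, invoke the inventory function with the ForceRotate
    event, then poll for key IDs that were not there before. The inventory function hands
    the work to the rotation function, so the new key may appear only after invoke()
    returns; with the Dry Run Flag set to True nothing appears and new_keys stays empty."""
    def key_ids():
        return {k["AccessKeyId"] for k in iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]}
    before = key_ids()
    resp = lambda_client.invoke(FunctionName=function_name, InvocationType="RequestResponse",
                                Payload=json.dumps({"ForceRotate": user_name}).encode())
    body = resp["Payload"].read().decode()
    if resp.get("FunctionError"):  # an unhandled exception inside the function
        raise RuntimeError(f"{function_name} failed: {body}")
    new_keys = []
    for _ in range(attempts):
        new_keys = sorted(key_ids() - before)
        if new_keys:
            break
        sleep(delay)
    return {"status_code": resp["StatusCode"], "new_keys": new_keys, "response": body}

# Constructed fakes (offline only): IAM's view of one user, and a Lambda client whose
# invoke() behaves like the inventory function with the Dry Run Flag off or on.
class FakeIAM:
    def __init__(self, key_ids):
        self.key_ids = list(key_ids)
    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [{"UserName": UserName, "AccessKeyId": k} for k in self.key_ids]}

class FakeLambda:
    def __init__(self, iam, dry_run, known_users=("alice",)):
        self.iam, self.dry_run, self.known = iam, dry_run, set(known_users)
    def invoke(self, FunctionName, InvocationType, Payload):
        user = json.loads(Payload)["ForceRotate"]
        if user not in self.known:  # what an unhandled error looks like to the caller
            err = json.dumps({"errorMessage": f"user {user} not found"}).encode()
            return {"StatusCode": 200, "FunctionError": "Unhandled", "Payload": io.BytesIO(err)}
        if not self.dry_run:
            self.iam.key_ids.append("AKIAROTATED")
        return {"StatusCode": 200, "Payload": io.BytesIO(b'"ok"')}

def demo(dry_run):
    """Constructed run: user alice with one existing key and the given Dry Run Flag."""
    iam = FakeIAM(["AKIAEXISTING"])
    return force_rotate(FakeLambda(iam, dry_run), iam, "alice", sleep=lambda s: None)

def demo_unknown_user():
    """Failure path: the function raises instead of silently reporting no new keys."""
    iam = FakeIAM([])
    try:
        force_rotate(FakeLambda(iam, False), iam, "mallory", sleep=lambda s: None)
    except RuntimeError as err:
        return str(err)
    return None

if __name__ == "__main__":
    print(demo(dry_run=False), demo(dry_run=True), demo_unknown_user(), sep="\n")
```

A StatusCode of 200 from invoke() only means the function was called; an exception inside the function comes back as FunctionError with the traceback in the payload, which is why the check looks at that field before it trusts the key diff.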


