Access key rotation
Check ID: aws-iam-003
AWS-IAM-003 is an AWS security check performed by cloud-audit, an open-source AWS security scanner. Checks if active access keys are older than 90 days.
Why it matters
Long-lived access keys increase the window of opportunity for attackers if credentials are leaked. GitGuardian reported finding over 12.8 million hardcoded secrets in public GitHub repositories in 2023, with AWS keys being one of the most common types. The longer a key lives, the more likely it appears in old code commits, CI/CD logs, or developer machines. Rotating keys every 90 days or less limits the exposure window: even if a key leaks, it becomes invalid quickly. Consider migrating to IAM Identity Center (SSO) or OIDC federation to eliminate long-lived keys entirely, since temporary credentials expire automatically.
Common causes
Access keys become stale when they are embedded in application configs, CI/CD pipelines, or developer laptops and nobody tracks their age. Teams avoid rotation because they fear breaking production services that depend on hardcoded keys. Without a centralized inventory of where each key is used, rotation feels risky and gets deprioritized sprint after sprint.
Detection
Run cloud-audit to detect this issue:
pip install cloud-audit
cloud-audit scan -R

The -R flag includes remediation details for every finding, including this one.
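The age test behind this check, as an added example that is not cloud-audit's own code: it takes the AccessKeyMetadata entries that the IAM ListAccessKeys API returns, skips inactive keys, and flags active keys older than 90 days. The sample keys, their IDs and the fixed "as of" date are constructed for the example; fetch_all_access_keys shows how the same list would be gathered from a real boto3 IAM client, but is not called by the self-contained run.

```python
from datetime import datetime, timezone

MAX_KEY_AGE_DAYS = 90  # threshold used by check aws-iam-003

# Fixed reference time so the example is reproducible (constructed).
FIXED_NOW = datetime(2024, 7, 1, tzinfo=timezone.utc)

# Constructed sample, shaped like the "AccessKeyMetadata" entries returned by
# IAM ListAccessKeys (boto3: iam.list_access_keys(UserName=...)). Note that boto3
# returns CreateDate as a timezone-aware datetime, so "now" must be aware too.
SAMPLE_KEYS = [
    {"UserName": "deploy-bot", "AccessKeyId": "AKIAEXAMPLE000000001",
     "Status": "Active", "CreateDate": datetime(2023, 1, 15, tzinfo=timezone.utc)},
    {"UserName": "deploy-bot", "AccessKeyId": "AKIAEXAMPLE000000002",
     "Status": "Active", "CreateDate": datetime(2024, 5, 1, tzinfo=timezone.utc)},
    # Inactive keys cannot authenticate, so they are not findings for this check.
    {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLE000000003",
     "Status": "Inactive", "CreateDate": datetime(2022, 6, 1, tzinfo=timezone.utc)},
    # Boundary case: exactly 90 days old at FIXED_NOW, so not yet "older than 90 days".
    {"UserName": "bob", "AccessKeyId": "AKIAEXAMPLE000000004",
     "Status": "Active", "CreateDate": datetime(2024, 4, 2, tzinfo=timezone.utc)},
]


def key_age_days(key, now):
    """Whole days elapsed since the key was created."""
    return (now - key["CreateDate"]).days


def stale_active_keys(keys, now=None, max_age_days=MAX_KEY_AGE_DAYS):
    """Return (UserName, AccessKeyId, age_days) for every Active key older than max_age_days."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for key in keys:
        if key["Status"] != "Active":
            continue
        age = key_age_days(key, now)
        if age > max_age_days:
            findings.append((key["UserName"], key["AccessKeyId"], age))
    return findings


def fetch_all_access_keys(iam_client):
    """Collect AccessKeyMetadata for every IAM user from a boto3 IAM client, following pagination."""
    keys = []
    for page in iam_client.get_paginator("list_users").paginate():
        for user in page["Users"]:
            pages = iam_client.get_paginator("list_access_keys").paginate(UserName=user["UserName"])
            for key_page in pages:
                keys.extend(key_page["AccessKeyMetadata"])
    return keys


if __name__ == "__main__":
    # Against a live account you would call: stale_active_keys(fetch_all_access_keys(boto3.client("iam")))
    for user, key_id, age in stale_active_keys(SAMPLE_KEYS, now=FIXED_NOW):
        print(f"{user}: {key_id} is {age} days old (> {MAX_KEY_AGE_DAYS} days)")
```

The check uses the key's creation date rather than its last-used date: a key that is rarely used but still active is just as dangerous if it leaks, which is why the boundary is on age alone.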
Remediation: AWS CLI
aws iam create-access-key --user-name USER
# Update all services using the old key, then:
aws iam update-access-key --user-name USER --access-key-id OLD_KEY_ID --status Inactive
aws iam delete-access-key --user-name USER --access-key-id OLD_KEY_ID

Remediation: Terraform
# Access keys should be managed outside Terraform.
# Use aws-vault or SSO for credential management.
resource "aws_iam_access_key" "user" {
user = "username"
}

Compliance mapping
This check maps to CIS 1.14 in the CIS AWS Foundations Benchmark. The CIS Benchmark provides prescriptive guidance for configuring security options for a subset of AWS services.
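The AWS CLI remediation sequence above (create a new key, move consumers to it, deactivate the old key, delete it) carried through as one function, added here as an example rather than cloud-audit's own code. It uses the boto3 IAM client methods create_access_key, update_access_key and delete_access_key with their real parameter names, but runs against FakeIam, an in-memory stand-in constructed for the example; distribute_new_key and verify_services are hypothetical hooks standing for whatever pushes the new credential to its consumers and confirms they work. Two details matter in practice: IAM allows at most two access keys per user, so a user already holding two cannot receive a third, and the old key should only be deleted after the cut-over is verified, because deactivation is reversible and deletion is not.

```python
from datetime import datetime, timezone

MAX_KEYS_PER_USER = 2  # IAM quota: a user can hold at most two access keys


class FakeIam:
    """In-memory stand-in for the boto3 IAM client, constructed for this example.
    Method names and keyword parameters mirror the real client."""

    def __init__(self, keys):
        self.keys = keys  # {user_name: [{"AccessKeyId": ..., "Status": ...}, ...]}
        self._counter = 0

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [dict(k, UserName=UserName) for k in self.keys.get(UserName, [])]}

    def create_access_key(self, UserName):
        if len(self.keys.get(UserName, [])) >= MAX_KEYS_PER_USER:
            # The real client raises iam.exceptions.LimitExceededException here.
            raise RuntimeError("LimitExceeded: cannot exceed quota for AccessKeysPerUser")
        self._counter += 1
        key = {"AccessKeyId": f"AKIANEW{self._counter:013d}", "Status": "Active",
               "CreateDate": datetime.now(timezone.utc)}
        self.keys.setdefault(UserName, []).append(key)
        return {"AccessKey": dict(key, UserName=UserName, SecretAccessKey="constructed-secret")}

    def update_access_key(self, UserName, AccessKeyId, Status):
        for k in self.keys[UserName]:
            if k["AccessKeyId"] == AccessKeyId:
                k["Status"] = Status
                return {}
        raise KeyError(AccessKeyId)

    def delete_access_key(self, UserName, AccessKeyId):
        self.keys[UserName] = [k for k in self.keys[UserName] if k["AccessKeyId"] != AccessKeyId]
        return {}


def rotate_access_key(iam, user_name, old_key_id, distribute_new_key, verify_services):
    """Rotate old_key_id for user_name. distribute_new_key(key_id, secret) is a hypothetical hook
    that delivers the new credential to every consumer of the old one; verify_services() is a
    hypothetical hook returning True once they all authenticate with it. Returns the new key ID."""
    existing = iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]
    if old_key_id not in {k["AccessKeyId"] for k in existing}:
        raise ValueError(f"{old_key_id} does not belong to {user_name}")
    if len(existing) >= MAX_KEYS_PER_USER:
        # create_access_key would fail on the quota; an unused key must be removed first.
        raise RuntimeError(f"{user_name} already holds {MAX_KEYS_PER_USER} keys; delete an unused one first")

    new = iam.create_access_key(UserName=user_name)["AccessKey"]
    distribute_new_key(new["AccessKeyId"], new["SecretAccessKey"])

    # Deactivate (reversible) before delete (irreversible) so a failed cut-over can be rolled back.
    iam.update_access_key(UserName=user_name, AccessKeyId=old_key_id, Status="Inactive")
    if not verify_services():
        iam.update_access_key(UserName=user_name, AccessKeyId=old_key_id, Status="Active")
        raise RuntimeError("consumers failed with the new key; old key re-activated for rollback")

    iam.delete_access_key(UserName=user_name, AccessKeyId=old_key_id)
    return new["AccessKeyId"]


if __name__ == "__main__":
    iam = FakeIam({"deploy-bot": [{"AccessKeyId": "AKIAOLD0000000000001", "Status": "Active"}]})
    new_id = rotate_access_key(iam, "deploy-bot", "AKIAOLD0000000000001",
                               distribute_new_key=lambda key_id, secret: None,
                               verify_services=lambda: True)
    print("deploy-bot now holds:", [k["AccessKeyId"] for k in iam.keys["deploy-bot"]])
```

To run this for real, pass boto3.client("iam") in place of FakeIam and replace the two hooks with your deployment and health-check steps; the inventory problem described under "Common causes" is exactly what distribute_new_key has to solve.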
This check is part of cloud-audit - install with pip install cloud-audit
Related article
AWS Security Audit: 17 Issues in Every Account