https://github.com/stefansundin/aws-rotate-key

Easily rotate your AWS access key. :key:
https://github.com/stefansundin/aws-rotate-key

aws cli security-tools

Last synced: 14 days ago
JSON representation

Easily rotate your AWS access key. :key:

• Host: GitHub
• URL: https://github.com/stefansundin/aws-rotate-key
• Owner: stefansundin
• License: mit
• Created: 2016-09-07T22:23:54.000Z (about 8 years ago)
• Default Branch: main
• Last Pushed: 2024-10-07T06:06:37.000Z (about 1 month ago)
• Last Synced: 2024-10-11T00:54:45.320Z (about 1 month ago)
• Topics: aws, cli, security-tools
• Language: Go
• Homepage:
• Size: 146 KB
• Stars: 374
• Watchers: 13
• Forks: 51
• Open Issues: 3
• Metadata Files:
  • Readme: README.md
  • License: LICENSE

Awesome Lists containing this project

README

        
# aws-rotate-key

As a security best practice, AWS recommends that users periodically

[regenerate their API access keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html#Using_RotateAccessKey).

This tool simplifies the rotation of access keys defined in your

[credentials file](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html).

When run, the program will list the current access keys associated with your

IAM user, and print the steps it has to perform to rotate them.

It will then wait for your confirmation before continuing.

## Usage

```

$ aws-rotate-key --help

Usage of aws-rotate-key:

  -auth-profile string

    	Use a different profile when calling AWS.

  -d	Delete the old key instead of deactivating it.

  -mfa

    	Use MFA.

  -mfa-serial-number string

    	Specify the MFA device to use. (optional)

  -profile string

    	The profile to use. (default "default")

  -version

    	Print version number

  -y	Automatic "yes" to prompts.

```

## Example

```

$ aws-rotate-key --profile work

Using access key AKIAJMIGD6UPCXCFWVOA from profile "work".

Your user ARN is: arn:aws:iam::123456789012:user/your_username

Your user has 2 access keys:

- AKIAI3KI7UC6BPI4O57A (Inactive, created 2018-11-22 21:47:46 +0000 UTC, last used 2018-11-30 20:35:41 +0000 UTC for service s3 in us-west-2)

- AKIAJMIGD6UPCXCFWVOA (Active, created 2018-11-30 21:55:57 +0000 UTC, last used 2018-12-20 12:14:10 +0000 UTC for service s3 in us-west-2)

You have two access keys, which is the maximum number of access keys allowed.

Do you want to delete AKIAI3KI7UC6BPI4O57A and create a new key? [yN] y

Deleted access key: AKIAI3KI7UC6BPI4O57A

Created access key: AKIAIX46CKYT7E5I3KVQ

Wrote new key pair to /Users/your_username/.aws/credentials

Deactivated old access key: AKIAJMIGD6UPCXCFWVOA

Please make sure this key is not used elsewhere.

Please note that it may take a minute for your new access key to propagate in the AWS control plane.

```

## Install

You can download binaries from [the releases section](https://github.com/stefansundin/aws-rotate-key/releases/latest).

You can use Homebrew to install on macOS:

```shell

brew install aws-rotate-key

```

You can install [using a PPA](https://launchpad.net/~stefansundin/+archive/ubuntu/aws-rotate-key) on Ubuntu Linux:

```shell

sudo add-apt-repository ppa:stefansundin/aws-rotate-key

sudo apt install aws-rotate-key

```

If you have Go installed then you can download and build the program using:

```shell

go install github.com/stefansundin/aws-rotate-key@latest

```

## Setup

Make sure your users have permissions to update their own access keys.

The following AWS documentation page explains the required permissions:

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_delegate-permissions_examples.html.

The following IAM policy is enough for aws-rotate-key:

```json

{

    "Version": "2012-10-17",

    "Statement": [

        {

            "Effect": "Allow",

            "Action": [

                "iam:ListAccessKeys",

                "iam:GetAccessKeyLastUsed",

                "iam:DeleteAccessKey",

                "iam:CreateAccessKey",

                "iam:UpdateAccessKey"

            ],

            "Resource": [

                "arn:aws:iam::AWS_ACCOUNT_ID:user/${aws:username}"

            ]

        }

    ]

}

```

> [!WARNING]

> Replace `AWS_ACCOUNT_ID` with your AWS account id.

### Require MFA

You can require MFA by adding a `Condition` clause. Please note that you

have to use the `-mfa` option when running the program.

```json

{

    "Version": "2012-10-17",

    "Statement": [

        {

            "Effect": "Allow",

            "Action": [

                "iam:ListMFADevices"

            ],

            "Resource": [

                "arn:aws:iam::AWS_ACCOUNT_ID:user/${aws:username}"

            ]

        },

        {

            "Effect": "Allow",

            "Action": [

                "iam:ListAccessKeys",

                "iam:GetAccessKeyLastUsed",

                "iam:DeleteAccessKey",

                "iam:CreateAccessKey",

                "iam:UpdateAccessKey"

            ],

            "Resource": [

                "arn:aws:iam::AWS_ACCOUNT_ID:user/${aws:username}"

            ],

            "Condition": {

                "Bool": {

                    "aws:MultiFactorAuthPresent": true

                }

            }

        }

    ]

}

```

Note that this makes it harder to rotate access keys using aws-cli commands,

as it only supports MFA when assuming roles. You will still be able to use

the AWS management console.

## Contribute

To download and hack on the source code, run:

```shell

git clone https://github.com/stefansundin/aws-rotate-key.git

cd aws-rotate-key

go build

```