Ensure access keys are rotated every 90 days or less

Error: Access keys are not rotated every 90 days or less

Bridgecrew Policy ID: BC_AWS_IAM_4
Severity: CRITICAL

Access keys consist of an access key ID and secret access key. They are used to sign programmatic requests made to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, and direct HTTP calls using the APIs for individual AWS services.

We recommend regularly rotating all access keys to reduce the potential for an old, lost or stolen access key to be used on a compromised or terminated account.

Fix - Runtime

AWS Console

To manually rotate access keys using the AWS Console, follow these steps:

  1. Log in to the AWS Management Console at https://console.aws.amazon.com/.
  2. Navigate to IAM Services.
  3. Select Users.
  4. Select Security Credentials.
  5. As an Administrator, select Make Inactive for keys that have not been rotated in 90 days; as an IAM User, select Make Inactive or Delete for keys that have not been rotated or used in 90 days.
  6. Select Create Access Key.
  7. Update programmatic call with new Access Key credentials.

CLI Command

To rotate an access key from the CLI, create the new key, switch the application to it, set the old key to Inactive, and delete the old key once nothing still uses it (replace the bracketed placeholders with your values):

aws iam create-access-key --user-name <USER_NAME>
aws iam update-access-key --user-name <USER_NAME> --access-key-id <OLD_ACCESS_KEY_ID> --status Inactive
aws iam delete-access-key --user-name <USER_NAME> --access-key-id <OLD_ACCESS_KEY_ID>
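The 90-day check and the console/CLI rotation sequence above, worked through as an added example (not Bridgecrew's or AWS's own code). The script uses the same four IAM operations as the page (ListAccessKeys, CreateAccessKey, UpdateAccessKey, DeleteAccessKey) but takes the IAM client as a parameter, so it runs offline against the in-memory `FakeIAMClient` defined here; `FakeIAMClient`, `SAMPLE_KEYS`, `NOW`, the `AKIA...` key IDs and the idea of passing `boto3.client("iam")` in production are all constructed assumptions for the example.

```python
"""Detect IAM access keys older than 90 days and rotate them safely.

Added example, not Bridgecrew's or AWS's code. The IAM client is injected so
the logic can be exercised offline with FakeIAMClient below; with boto3 you
would pass boto3.client("iam") instead (an assumption, not something the page shows).
"""
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE = timedelta(days=90)                  # the policy's threshold
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # constructed "current time"

# Constructed sample inventory in the shape of ListAccessKeys' AccessKeyMetadata.
SAMPLE_KEYS = [
    {"UserName": "deploy-bot", "AccessKeyId": "AKIAEXAMPLE0000001",
     "Status": "Active", "CreateDate": NOW - timedelta(days=120)},    # stale, in use
    {"UserName": "deploy-bot", "AccessKeyId": "AKIAEXAMPLE0000002",
     "Status": "Inactive", "CreateDate": NOW - timedelta(days=400)},  # stale, already off
    {"UserName": "analyst", "AccessKeyId": "AKIAEXAMPLE0000003",
     "Status": "Active", "CreateDate": NOW - timedelta(days=30)},     # compliant
]


class FakeIAMClient:
    """In-memory stand-in for the four boto3 IAM calls the rotation needs."""

    def __init__(self, keys):
        self.keys = {k["AccessKeyId"]: dict(k) for k in keys}
        self._counter = 0

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [dict(k) for k in self.keys.values()
                                      if k["UserName"] == UserName]}

    def create_access_key(self, UserName):
        # IAM allows at most two access keys per user; mirror that limit.
        if len(self.list_access_keys(UserName=UserName)["AccessKeyMetadata"]) >= 2:
            raise RuntimeError("LimitExceeded: an IAM user may hold at most two access keys")
        self._counter += 1
        key_id = f"AKIANEWKEY{self._counter:010d}"   # constructed key id
        self.keys[key_id] = {"UserName": UserName, "AccessKeyId": key_id,
                             "Status": "Active", "CreateDate": NOW}
        return {"AccessKey": {**self.keys[key_id], "SecretAccessKey": "constructed-secret"}}

    def update_access_key(self, UserName, AccessKeyId, Status):
        self.keys[AccessKeyId]["Status"] = Status
        return {}

    def delete_access_key(self, UserName, AccessKeyId):
        del self.keys[AccessKeyId]
        return {}


def stale_keys(list_response, now, max_age=MAX_KEY_AGE):
    """BC_AWS_IAM_4 check: keys whose CreateDate is more than max_age before now."""
    return [m for m in list_response["AccessKeyMetadata"] if now - m["CreateDate"] > max_age]


def rotate_key(iam, user_name, old_key_id, install_new_credentials):
    """Create a replacement key, hand it to the consumer, then set the old key
    Inactive. The old key is deliberately not deleted here: if the consumer
    turns out to still need it, setting it Active again is the rollback."""
    if len(iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]) >= 2:
        raise RuntimeError(f"{user_name} already holds two keys; delete one before rotating")
    new = iam.create_access_key(UserName=user_name)["AccessKey"]
    install_new_credentials(new["AccessKeyId"], new["SecretAccessKey"])
    iam.update_access_key(UserName=user_name, AccessKeyId=old_key_id, Status="Inactive")
    return new["AccessKeyId"]


def delete_inactive_key(iam, user_name, key_id):
    """Final step of rotation: refuse to delete a key that was never deactivated."""
    current = {m["AccessKeyId"]: m for m in
               iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]}
    if current.get(key_id, {}).get("Status") != "Inactive":
        raise ValueError(f"{key_id} is not Inactive; deactivate it and confirm it is unused first")
    iam.delete_access_key(UserName=user_name, AccessKeyId=key_id)


def run_rotation(iam, user_name, now, install_new_credentials):
    """Apply the policy to one user and return the actions taken. Stale keys that
    are already Inactive are deleted first, which frees the two-key slot that the
    replacement key needs."""
    actions = []
    stale = stale_keys(iam.list_access_keys(UserName=user_name), now)
    for meta in [m for m in stale if m["Status"] == "Inactive"]:
        delete_inactive_key(iam, user_name, meta["AccessKeyId"])
        actions.append(("deleted", meta["AccessKeyId"]))
    for meta in [m for m in stale if m["Status"] == "Active"]:
        new_id = rotate_key(iam, user_name, meta["AccessKeyId"], install_new_credentials)
        actions.append(("rotated", meta["AccessKeyId"], new_id))
    return actions


if __name__ == "__main__":
    iam = FakeIAMClient(SAMPLE_KEYS)
    for user in ("deploy-bot", "analyst"):
        print(user, run_rotation(iam, user, NOW, lambda key_id, secret: None))
```

`install_new_credentials` is the hook for whatever distributes the new secret (a secrets manager, a CI variable, a config file); rotation only proceeds to deactivating the old key after that hook returns, and deletion is a separate, guarded step so that a key still in use is never removed outright.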