Updated: Sep 12
IAM User creation and Credential Rotation
1. Learn to create an IAM User with Programmatic Access.
2. Learn to rotate IAM User credentials and test them.
Step 1: In this step we create a user. In the AWS console go to the IAM service. Under Users
click on Create user.
Provide the following details in the respective fields:
User name: RotateKeyUser
Check the box for
Provide access to the AWS Management Console.
Select the option I want to create an IAM user. Leave all other values as default and click on Next.
Step 2: Permissions:
Select Attach existing policies directly.
In the Filter policies search bar, search for a policy that suits your requirements. For this tutorial we select S3FullAccess. Click on Next.
Proceed to Next: Tags
and give Name as UserForCredentials.
Click on Create user. In the success window, download the .csv file, which contains the login credentials for the new user.
Store the downloaded file safely for later use.
Find the Global/region drop-down on the top bar of your AWS console and copy the alias of the region name. This is usually the region you are operating from, e.g.
ap-south-1 in this case.
Store it in a text file.
Step 3: Return to the Users list and click on the newly created user. Open the Security credentials tab and scroll down to Access keys. Click on Create access key.
Select Command Line Interface (CLI) as the use case, check the confirmation box and click on Next.
Skip the description and click on Create access key. In the success screen click on Download .csv file to download the access key credentials and store them safely. Click on Done.
The created bucket can be confirmed in the AWS S3 console.
Step 5: As an AWS best practice, this key needs to be rotated periodically. The key can be rotated as given below.
Go back to IAM -> Users and select the user that we created.
Go to the Security credentials tab.
Scroll down to Access keys. Click on Create access key.
In the Use case section select Command Line Interface (CLI), check the confirmation box and click Next. Skip the description and click Create access key.
In the success pop-up window, download and securely store the new .csv file.
For all further operations of this user, use the new credentials provided in the new .csv file.
In the same Access keys section, two keys are now visible. Go to the first (old) key and select the Deactivate option.
Confirm by selecting Deactivate in the pop-up window.
The status of the old key is now Inactive.
The old access key should not be deleted immediately, because it may still be associated with some AWS services.
Step 6: Now try to configure the AWS CLI as was done in Step 2, this time with the deactivated key, and run the bucket creation command.
The command fails, which confirms that the old key is now non-operational.
Then configure the AWS CLI as shown in Step 2 using the new access key credentials from the new .csv file.
After a week or so, depending on your organization's policies, delete the inactive access key.
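The same rotation and delayed cleanup, written as a script rather than console clicks. This is an added example and not the tutorial's own code; it calls the boto3 IAM client methods list_access_keys, create_access_key, update_access_key and delete_access_key, and the FakeIAM class is a constructed in-memory stand-in with the same call and response shape so that it runs offline (with real AWS you would pass boto3.client("iam") instead). The RuntimeError guard, the two-key limit check and the seven-day grace period are choices made here, not steps shown in the tutorial.

```python
# Added example, not the tutorial's own code: Step 5 and the later cleanup as a
# script over boto3's IAM client methods (list/create/update/delete_access_key).
# FakeIAM is a constructed in-memory stand-in with the same call and response
# shape so this runs offline; with real AWS, pass boto3.client("iam") instead.
import time

class FakeIAM:
    """Constructed stand-in for boto3.client('iam'); not real AWS."""
    def __init__(self):
        self.keys, self.n = {}, 0  # AccessKeyId -> metadata dict
    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [k for k in self.keys.values() if k["UserName"] == UserName]}
    def create_access_key(self, UserName):
        self.n += 1
        meta = {"UserName": UserName, "AccessKeyId": f"AKIAFAKE{self.n:04d}", "Status": "Active"}
        self.keys[meta["AccessKeyId"]] = meta
        return {"AccessKey": {**meta, "SecretAccessKey": f"secret-{self.n}"}}
    def update_access_key(self, UserName, AccessKeyId, Status):
        self.keys[AccessKeyId]["Status"] = Status
    def delete_access_key(self, UserName, AccessKeyId):
        del self.keys[AccessKeyId]

def rotate(iam, user, now=None):
    """Create a replacement key, then deactivate (never delete) the previously
    active ones. The returned rotated_at (epoch seconds) drives the grace period."""
    existing = iam.list_access_keys(UserName=user)["AccessKeyMetadata"]
    if len(existing) >= 2:  # IAM caps a user at two access keys: retire one first
        raise RuntimeError(f"{user} already has two access keys; delete a retired one first")
    new = iam.create_access_key(UserName=user)["AccessKey"]
    old_ids = [k["AccessKeyId"] for k in existing if k["Status"] == "Active"]
    for key_id in old_ids:
        iam.update_access_key(UserName=user, AccessKeyId=key_id, Status="Inactive")
    return {"new": (new["AccessKeyId"], new["SecretAccessKey"]),
            "deactivated": old_ids, "rotated_at": time.time() if now is None else now}

def retire_inactive_keys(iam, user, rotated_at, grace=7 * 86400, now=None):
    """Delete keys only after the full grace period (a week, per the tutorial) and
    only if still Inactive, so a key re-enabled for a dependent service survives."""
    now = time.time() if now is None else now
    if now - rotated_at < grace:
        return []  # too early: keep the inactive key recoverable
    inactive = [k["AccessKeyId"] for k in iam.list_access_keys(UserName=user)["AccessKeyMetadata"]
                if k["Status"] == "Inactive"]
    for key_id in inactive:
        iam.delete_access_key(UserName=user, AccessKeyId=key_id)
    return inactive
```

Between rotate and retire_inactive_keys, reconfigure the CLI with the new key and re-run your test command (Step 6) so the deactivated key has a chance to be re-enabled if something still depends on it.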
Note: If you no longer need the user or the bucket, you can delete both through the AWS console.