Rotate AWS Access Keys

Each service that uses AWS has its own access key, which needs to be rotated after 90 days.

Identify Users in need of rotation

  1. Log in to AWS and go to the list of users.

  2. Sort the users by "Active key age".

  3. The users in need of rotation will have an orange exclamation mark beside the age.

Rotate all keys on staging and then production by filtering the table for the environment.

Rotate a single key

  1. Open the user in need of key rotation.

  2. Switch to the "Security Credentials" tab.

  3. Create a new access key.

    • Click the "Create Access Key" button.

    • Select "Application running outside AWS".

    • Leave description empty.

    • Click the "Create access key" button.

  4. Using gap-cli, set the value of the "Access key" column as the AWS_ACCESS_KEY_ID config key of the service in question.

  5. Set the value of the "Secret access key" column as the AWS_SECRET_ACCESS_KEY in the same way.

  6. Wait for all processes of the service to fully restart after the config change.

  7. Once the new access key is being used, the old one can be deactivated and deleted.
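The console checks above (finding keys older than 90 days, and confirming in step 7 that the new key is in use) can also be run against the IAM credential report, the CSV returned by `aws iam get-credential-report`. The script below is an added example, not part of the original runbook; the user names and timestamps in the sample are constructed, and the `rotate` / `wait` / `retire-old` labels are this example's own.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(days=90)  # rotation interval stated in this runbook

# Constructed sample in the credential report's CSV layout (only the columns used here).
SAMPLE_REPORT = """\
user,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
svc-billing-staging,true,2024-01-02T09:00:00+00:00,2024-05-01T08:00:00+00:00,false,N/A,N/A
svc-mailer-staging,true,2024-01-05T09:00:00+00:00,2024-05-01T07:55:00+00:00,true,2024-05-01T07:00:00+00:00,2024-05-01T08:10:00+00:00
svc-search-production,true,2024-01-05T09:00:00+00:00,2024-05-01T08:00:00+00:00,true,2024-05-01T07:00:00+00:00,N/A
svc-export-production,true,2024-04-01T09:00:00+00:00,2024-05-01T08:00:00+00:00,false,N/A,N/A
"""

def _ts(value):
    """Parse a report timestamp; 'N/A' (no value) becomes None."""
    try:
        return datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None

def rotation_status(report_csv, now):
    """Map user -> 'rotate', 'wait' (new key not used yet) or 'retire-old'."""
    status = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        keys = []  # (last_rotated, last_used) for each active key
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] == "true":
                keys.append((_ts(row[f"access_key_{n}_last_rotated"]),
                             _ts(row[f"access_key_{n}_last_used_date"])))
        stale = [k for k in keys if k[0] and now - k[0] > MAX_AGE]
        fresh = [k for k in keys if k[0] and now - k[0] <= MAX_AGE]
        if not stale:
            continue                              # nothing older than 90 days
        if not fresh:
            status[row["user"]] = "rotate"        # steps 1-5: create and deploy a new key
        elif any(used for _, used in fresh):
            status[row["user"]] = "retire-old"    # step 7: the new key is being used
        else:
            status[row["user"]] = "wait"          # step 6: service has not picked it up yet
    return status

if __name__ == "__main__":
    now = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)
    for user, action in rotation_status(SAMPLE_REPORT, now).items():
        print(f"{user}: {action}")
```

AWS regenerates the credential report at most once every four hours, so a key deployed minutes ago can still show as unused. Before deleting the old key, also check that its own last-used timestamp has stopped advancing.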