The focus of this project is the programmatic "rolling" (rotation) of AWS IAM access keys: creating new keys to replace the previous ones on a regular schedule. Rotating the keys limits the window of exposure if a key leaks, and storing them in AWS Secrets Manager lets applications fetch them programmatically as needed instead of keeping them on disk in cleartext.
At this stage the script is intended as a framework for this process. Any further requirements, such as validating that the applications using a key still function after the swap, are use-case-specific and are not covered here; there are too many services and permissions to cover every scenario. The problem it solves is that users in my organization store their access keys locally for long periods of time.
This script follows the procedure suggested in the AWS Security Blog.
- Get the existing key-pair for a user.
- Create a new key-pair.
- Store the new access and secret key in Secrets Manager.
- Disable the previous key-pair.
- Delete the previous key-pair.
- Handle the case where the user has more than one key-pair to roll (IAM allows at most two access keys per user, so an existing second key must be dealt with before a new one can be created).
- Read the new secret back from Secrets Manager to confirm it was saved correctly and that the key it holds actually authenticates.
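The steps above, as one runnable example added here (this is not the project's script and not code from the AWS blog post). It uses the boto3 call names for IAM, Secrets Manager and STS but takes the clients as parameters, so the in-memory stand-ins at the bottom let the whole flow run offline; with `boto3.client("iam")`, `boto3.client("secretsmanager")` and an `sts_for` that builds `boto3.client("sts", aws_access_key_id=..., aws_secret_access_key=...)` it performs the same calls against AWS. Assumptions that are not on the page: the Secrets Manager secret already exists (a one-time `create_secret` per user), the secret value is a JSON object with `AccessKeyId` and `SecretAccessKey`, a user who already has two Active keys is refused rather than guessed at, and the new key is proven to work with `sts:GetCallerIdentity` before the old one is disabled.

```python
import json
import time

SECRET_FIELDS = ("AccessKeyId", "SecretAccessKey")  # what gets stored in the secret


def select_old_keys(iam, user_name):
    """Return the IDs of the user's current keys, resolving IAM's two-key limit.

    IAM allows at most two access keys per user, so a new key cannot be created
    while two exist. An Inactive one is unused and is deleted here; if both are
    Active a human has to decide which one to retire (assumption: refuse).
    """
    keys = iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]
    if len(keys) == 2:
        inactive = [k for k in keys if k["Status"] == "Inactive"]
        if not inactive:
            raise RuntimeError(f"{user_name} has two Active keys; retire one manually")
        iam.delete_access_key(UserName=user_name, AccessKeyId=inactive[0]["AccessKeyId"])
        keys = [k for k in keys if k is not inactive[0]]
    return [k["AccessKeyId"] for k in keys]


def verify_new_key(sts_for, key_id, secret, user_name, attempts=6, delay=5):
    """Prove the key authenticates as the expected user. Freshly created IAM keys
    are eventually consistent and can be rejected for a few seconds, so retry."""
    for attempt in range(attempts):
        try:
            arn = sts_for(key_id, secret).get_caller_identity()["Arn"]
            break
        except Exception:  # botocore ClientError (InvalidClientTokenId) in practice
            if attempt == attempts - 1:
                raise
            time.sleep(delay)
    if not arn.endswith(f":user/{user_name}"):
        raise RuntimeError(f"new key authenticates as {arn}, not {user_name}")
    return arn


def rotate_access_key(iam, secretsmanager, sts_for, user_name, secret_id):
    """Create, store, verify, then disable and delete the old key(s).
    `sts_for(access_key_id, secret_access_key)` returns an STS client using those
    credentials. Assumes the secret `secret_id` exists. Returns the new AccessKeyId."""
    old_ids = select_old_keys(iam, user_name)
    new = iam.create_access_key(UserName=user_name)["AccessKey"]
    secretsmanager.put_secret_value(
        SecretId=secret_id, SecretString=json.dumps({f: new[f] for f in SECRET_FIELDS}))

    # Read the secret back and prove it works *before* touching the old key, so a
    # failed write or a broken key leaves the user's current credentials intact.
    stored = json.loads(secretsmanager.get_secret_value(SecretId=secret_id)["SecretString"])
    if stored["AccessKeyId"] != new["AccessKeyId"]:
        raise RuntimeError("secret read-back does not match the key just created")
    verify_new_key(sts_for, stored["AccessKeyId"], stored["SecretAccessKey"], user_name)

    for key_id in old_ids:
        iam.update_access_key(UserName=user_name, AccessKeyId=key_id, Status="Inactive")
        iam.delete_access_key(UserName=user_name, AccessKeyId=key_id)
    return new["AccessKeyId"]


# --- In-memory stand-ins, constructed for this example, mimicking only the boto3
# --- responses used above so the rotation can be exercised offline.
class FakeIAM:
    def __init__(self, existing):
        self.keys = dict(existing)  # AccessKeyId -> Status
        self.counter = 0
    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [{"AccessKeyId": k, "Status": s} for k, s in self.keys.items()]}
    def create_access_key(self, UserName):
        if len(self.keys) >= 2:
            raise RuntimeError("LimitExceeded: two access keys already exist")
        self.counter += 1
        key_id = f"AKIAFAKE{self.counter:012d}"  # fake ID shaped like a real one
        self.keys[key_id] = "Active"
        return {"AccessKey": {"AccessKeyId": key_id, "SecretAccessKey": f"fake-secret-{self.counter}"}}
    def update_access_key(self, UserName, AccessKeyId, Status):
        self.keys[AccessKeyId] = Status
    def delete_access_key(self, UserName, AccessKeyId):
        del self.keys[AccessKeyId]


class FakeSecretsManager:
    def __init__(self):
        self.value = None
    def put_secret_value(self, SecretId, SecretString):
        self.value = SecretString
    def get_secret_value(self, SecretId):
        return {"SecretString": self.value}


class FakeSTS:
    def __init__(self, iam, key_id, user_name):
        self.iam, self.key_id, self.user_name = iam, key_id, user_name
    def get_caller_identity(self):
        if self.iam.keys.get(self.key_id) != "Active":
            raise RuntimeError("InvalidClientTokenId")
        return {"Arn": f"arn:aws:iam::123456789012:user/{self.user_name}"}  # made-up account ID
```

The ordering differs from the list above in one deliberate way: the read-back and STS check run before the old key is disabled, so a failed write to Secrets Manager or a key that does not authenticate aborts the run with the user's current credentials untouched. The old key is deleted immediately, as the list says; in production you may prefer to leave it Inactive for a grace period so it can be re-enabled if a consumer was missed, and delete it on the next run.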