Multiple access keys for the same user
I discovered that there is a specific User who is enabled for programmatic access in my AWS account. I have been tasked with recreating an access key and security token for one of my colleagues, despite the fact that he already has one. I want to deactivate the original. I believe that from a security point of view it is better to have only one access key / token rather than multiples.
Can anyone tell me if this is a good choice? One of my colleagues asked me why I would like to do this, and when I told him my reasoning, I don't think he was 100% convinced that my reasoning was good. Could you please tell me if there is any advantage to having multiple access keys / private keys for the same user? Because I can't think of anything. Also, can you provide any supporting articles that would cover this?
source to share
In Best Practices for Using AWS IAM Access Keys, I believe these sections apply:
- Use different access keys for different applications. Do this so you can isolate permissions and revoke access keys for individual apps if a passkey is open. Having separate access keys for different applications also generates separate entries in the AWS CloudTrail log files, making it easier for you to determine which application took certain actions.
- Turn the access keys periodically. Change access keys regularly. For more information, see the Rotating Access Keys (AWS CLI, Windows PowerShell Tools, and AWS APIs) section in the IAM User Guide and How to Rotate Access Keys for IAM Users on the AWS Security Blog.
The first item explicitly states the reason for using multiple access tokens with the same IAM account. I think using multiple keys will also make the second element easier to rotate the key. You can create a second set of access keys, switch your apps, make sure the previous set is no longer used to access the AWS API, and then delete the old set.
source to share
I don't have the paperwork to recommend one access key per user, but AWS recommends rotating access keys regularly. See Managing Pass Keys for IAM Users , section titled Rotating Pass Keys.
Therefore, as a best practice, you should do the following on a regular schedule (every 30, 60, 90 days, etc.).
- Create a second passkey for your user.
- Wherever you use the first passkey, replace it with the second
- Wait a short time and make sure the first passkey is not in use.
- After confirmation, disable or remove the first passkey
Two passkey systems allow this rotation, keeping the time when the passkey is disabled / removed, but still in use with a minimum value. I've been used in other tools where you have to disable the old key when creating a new key. Because sometimes it takes a while to use new keys after they have been created.
If a user needs more than one access key, then the question arises why it needs to be, and not multiple. Benefits of using multiple users:
- Permits can be more granular
- If the key has leaked, there are fewer places to replace it.
- You have a better audit trail of what tools are in effect on your account and when
For this reason, I recommend having only one passkey "per field".
I think really if someone wants to use 2 keys for one user, they are just lazy.
I create separate IAM users and roles for each tool that needs access. I never reuse them.
Update
AWS recommends that you rotate access keys on a regular schedule.
Source: http://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html
In addition, their "howto" uses both dedicated access keys for the IAM user during key rotation:
Source: https://aws.amazon.com/blogs/security/how-to-rotate-access-keys-for-iam-users/
Ergo, target for one "in use" passkey per IAM user at any given time.
source to share