SEC02-BP05: Audit and rotate credentials periodically

When you cannot rely on temporary credentials and need to use long-term credentials, audit the credentials to ensure that the defined controls (such as MFA) are enforced, rotated regularly, and have the appropriate level of access.

Implementation guidance

While temporary credentials are preferred, there are cases where long-term credentials are necessary. In these situations, it’s essential to implement robust processes for auditing and rotating these credentials to minimize security risks. Regular credential rotation reduces the impact of compromised credentials and helps maintain a strong security posture.

Key steps for implementing this best practice:

1. Inventory all long-term credentials:
   • Identify all IAM users with long-term credentials
   • Document service accounts and their credentials
   • Identify application credentials stored in configuration files
   • Track API keys used by applications and services
   • Catalog database credentials and other secrets
2. Implement credential auditing:
   • Use AWS IAM Access Analyzer to identify unused credentials
   • Enable AWS Config to monitor credential compliance
   • Configure AWS CloudTrail to log credential usage
   • Set up Amazon CloudWatch alarms for suspicious credential activities
   • Implement regular credential access reviews
3. Establish credential rotation policies:
   • Define rotation schedules based on credential type and sensitivity
   • Document procedures for credential rotation
   • Implement automated rotation where possible
   • Create emergency rotation procedures for compromised credentials
   • Align rotation policies with compliance requirements
4. Automate credential rotation:
   • Use AWS Secrets Manager for automatic rotation of secrets
   • Implement Lambda functions for custom rotation logic
   • Configure database credential rotation
   • Set up API key rotation processes
   • Implement certificate rotation procedures
5. Monitor credential compliance:
   • Track credential age and rotation status
   • Set up alerts for credentials approaching rotation deadlines
   • Generate compliance reports for credential management
   • Monitor for unauthorized credential creation
   • Audit privileged credential usage
6. Implement credential security controls:
   • Enforce MFA for all human users with long-term credentials
   • Implement the principle of least privilege for all credentials
   • Use credential vaulting for sensitive credentials
   • Apply appropriate access controls to credential stores
   • Implement just-in-time access for privileged credentials

Implementation examples

Example 1: Auditing IAM users for credential compliance

Code snippet hidden for website display

Example 2: Setting up automatic rotation with AWS Secrets Manager

Code snippet hidden for website display

Example 3: Implementing a credential audit and rotation policy

Code snippet hidden for website display

AWS services to consider

AWS IAM Access Analyzer

Helps you identify resources in your organization and accounts that are shared with an external entity. Also identifies unused access to help you remove unnecessary permissions.

AWS Secrets Manager

Helps you protect secrets needed to access your applications, services, and IT resources. Enables you to rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle.

AWS Config

Enables you to assess, audit, and evaluate the configurations of your AWS resources. Helps you maintain compliance with credential policies through continuous monitoring and automated remediation.

AWS CloudTrail

Records API calls for your account and delivers log files to you. Use CloudTrail to monitor credential usage and detect unauthorized access attempts.

Amazon CloudWatch

Monitors your AWS resources and the applications you run on AWS in real time. Set up alarms for credential-related events and automate responses to security issues.

AWS Lambda

Lets you run code without provisioning or managing servers. Used for implementing custom credential rotation logic and automated compliance checks.

Benefits of auditing and rotating credentials periodically

• Reduced risk exposure: Limiting the lifetime of credentials reduces the impact of credential compromise
• Improved security posture: Regular rotation helps maintain a strong security posture
• Compliance support: Meets requirements for many compliance frameworks
• Early detection of issues: Regular audits help identify security issues before they can be exploited
• Enforced security practices: Ensures security controls like MFA are consistently applied
• Reduced credential sprawl: Regular audits help identify and remove unnecessary credentials
• Automated security: Automation reduces the burden of manual credential management

Related resources

Related Resources

• AWS Well-Architected Framework - Audit and rotate credentials periodically
• Managing access keys for IAM users
• Rotating your AWS Secrets Manager secrets
• Security best practices in IAM
• How to rotate access keys for IAM users
• How to use AWS Config to monitor for and respond to Amazon RDS instances not using IAM authentication