Engineering, Operations & Cloud Security


Keeping an eye on IAM Keys. No more stale keys!

We all know its best practice to ensure IAM access keys are not hundreds of days old. It’s even in the AWS CIS benchmark:

1.4 – Ensure access keys are rotated every 90 days or less.

We recommend that you regularly rotate all access keys. Rotating access keys reduces the chance for an access key that is associated with a compromised or terminated account to be used. Rotate access keys to ensure that data can’t be accessed with an old key that might have been lost, cracked, or stolen.

But it’s one thing to have a recommended practice.

It’s another thing entirely to provide reminders to users to rotate credentials and, in a user-friendly method, help rotate and disable or expire old keys.

In this blog post, we share an internal tool that we use to help do this.

Have you seen Lacework's Compliance Compliance for AWS?
(Have you seen Lacework’s Compliance for AWS?)

The Code

For the tl;dr folks, you can follow along:

The Goals

We had a couple of goals with this:

  1. Periodically scan AWS IAM keys (across multiple AWS accounts)
  2. Notify users over Slack when IAM keys are roughly two weeks away from being marked stale. Provide helpful AWS CLI steps to add a new key and revoke the old one.
  3. File a Jira, assigned to the IAM key owner, to make sure the key is rotated.
  4. When the count down expires and the key is beyond our expiration date, deactivate the key.
  5. Send telemetry – via Telegraf – to our monitoring/observability platform so we can observe trends over time.


We use Wavefront here at Lacework as our time-series metric platform. This is what our dashboard looks like:

Write a Comment