If an application is not hosted on EC2 instance, then it needs AWS access keys to be accessed. And also all 3rd party applications hosted on EC2 instance require Keys to be accessed.
In both cases, the application owner must specify a policy for AWS Access Key rotation, which can be implanted via Command Line Interface (AWS CLI), or AWS Management Console.
Ofir Nachmani, an AWS technology advisor suggests that Access Key rotation can ensure enterprises avoid security lapses and that too without disrupting the cloud environments. This method also ensures efficient and reliable access to AWS resources and helps the admin determine the level of cloud security in prevalence.
In general, AWS access keys include an ID and a secret key. And each AWS Identity and Access Management user can have two active access keys to enable key rotation. An automatic and periodic rotation of keys ensures minimal potential damage of a compromised key and that too without disrupting the cloud environment.
Mr. Nachmani suggests the following security procedures to minimize the potential damage of a compromised AWS Security Key.
• Creation of an additional access key, while the first one is still active allows the user to retrieve the latter one when in need. In general, AWS allows two simultaneous keys per user.
• Spread the AWS access key across all application instances- After verifying that the application works properly with the new key, keep a tab on the last used access key by typing in related commands. This helps an AWS admin in knowing the access key usage details in specific.
• Ensure that the old key is deactivated, but not deleted. Check whether all applications are working with the new key. Otherwise, you can bring back the deactivated key to life
• After implementing the above-said measure, then you can delete the old key and remember once deleted, the key will no longer be available.
Note- Anyway having access to AWS Access Key can have unrestricted access to all the resources in an account, including billing information.