User Managed AWS Access Keys

Turbot supports user managed AWS access keys, allowing directory users to create, rotate, and delete access keys from the Turbot console for each of their accounts. Access keys were previously only available for service users, which added overhead for directory users who needed the AWS CLI and other tools that rely on access keys.

Managing Access Keys

Before users can begin creating access keys from the Turbot console, AWS > IAM > Directory User Enable Access Keys will need to be set to Enabled:

Access Keys enabled policy

To create a key, click the + icon located in the overview tab:

Create access key

A modal will appear with the AWS username, access key ID, and secret access key. As noted in the screenshot, securely record and share the secret access key:

Create access key modal

After a key has been created, the access key ID will be displayed, along with the options to rotate or delete the key:

Access key display

Expiring Access Keys

Access keys can also be set to expire through the AWS > IAM > Directory User Access Key Expiration and AWS > IAM > Directory User Access Key Expiration Days policies:

Access Key Expiration policy

Access Key Expiration Days policy

Expired keys will be noted with a strike-through in the Turbot console and automatically deactivated to prevent further use:

Expired access key

Turbot recommends setting a short expiration period to enforce frequent rotations as a security best practice.

By design, access keys that users have generated manually can only be expired and alarmed on, not rotated, so that an application tied to that specific key is not broken unexpectedly. Turbot will not delete or rotate these keys.
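As an added illustration of the expiration rule described above (this is example code, not Turbot's own implementation), the following Python audits IAM access-key metadata against an expiration window and deactivates, rather than deletes, keys that are past it. The `expiration_days` value stands in for the Access Key Expiration Days policy, the key inventory is constructed, and the optional boto3 client is an assumption.

```python
"""Audit IAM access keys against an expiration-days window.

Added example, not Turbot code. Key metadata dicts mirror the shape returned
by IAM list_access_keys: UserName, AccessKeyId, Status, CreateDate (aware UTC).
"""
from datetime import datetime, timedelta, timezone


def audit_access_keys(keys, expiration_days, now=None):
    """Split keys into (expired, active) by age against expiration_days."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=expiration_days)
    expired, active = [], []
    for key in keys:
        # A key created on or before the cutoff has exceeded the window.
        (expired if key["CreateDate"] <= cutoff else active).append(key)
    return expired, active


def deactivate_expired(keys, expiration_days, iam_client=None, now=None):
    """Set expired keys to Inactive (never delete), returning what was acted on.

    iam_client is an optional boto3 IAM client (assumed); when None the
    function only reports which keys would be deactivated.
    """
    expired, _ = audit_access_keys(keys, expiration_days, now)
    actions = []
    for key in expired:
        if key["Status"] != "Active":
            continue  # already deactivated, nothing to do
        if iam_client is not None:
            iam_client.update_access_key(
                UserName=key["UserName"],
                AccessKeyId=key["AccessKeyId"],
                Status="Inactive",
            )
        actions.append((key["UserName"], key["AccessKeyId"]))
    return actions


# Constructed sample inventory; the key IDs are placeholders, not real keys.
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLE000001", "Status": "Active",
     "CreateDate": datetime(2024, 1, 15, tzinfo=timezone.utc)},
    {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLE000002", "Status": "Active",
     "CreateDate": datetime(2024, 5, 20, tzinfo=timezone.utc)},
    {"UserName": "bob", "AccessKeyId": "AKIAEXAMPLE000003", "Status": "Inactive",
     "CreateDate": datetime(2023, 12, 1, tzinfo=timezone.utc)},
]

if __name__ == "__main__":
    for user, key_id in deactivate_expired(SAMPLE_KEYS, 90, now=SAMPLE_NOW):
        print(f"would deactivate {key_id} for {user}")
```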
