AWS Changes to Account Access Key Management Imminent
    
Amazon Web Services customers will no longer have the ability to retrieve keys to their root accounts effective April 21.
While Amazon announced the pending change last summer, it issued a reminder this week.
"Just as AWS doesn't allow you to retrieve your password if you forget it, you will no longer be able to retrieve the secret access keys for your root account," said Kai Zhao, AWS product manager for Identity and Access Management, in a blog post Monday.
To prepare for the change, Zhao advised customers to visit the new AWS security credentials access page here or via the AWS Console. Customers should go to the legacy security credentials page and retrieve the access key or keys prior to the deadline, he added. Once the deadline passes, customers will no longer be able to retrieve pre-existing secret access keys, though they will be able to rotate them, he said.
Amazon recommends creating access keys for user accounts rather than for root accounts, because root access keys provide complete access to all resources in an AWS account. "We've seen a couple cases where customers accidentally uploaded their root access keys to public code repositories, so we recommend minimizing your security surface area by deleting (or not creating) root access keys altogether," Zhao noted.
While this will undoubtedly be an inconvenience for some, it looks like a prudent move to ensure better security.
 
	Posted by Jeffrey Schwartz on 03/13/2014 at 12:35 PM