Can I create AWS Keys for each user that expire every 2 weeks?

Solution 1:

Root User

The root user should have MFA enabled, then have it locked away and never used. Never create access keys for the root user.

IAM Administrator

Create an IAM administrator user with MFA required that has full rights, including billing.

IAM Policy and Groups

Next create an IAM policy that gives users access to the services and functions they're allowed to use. The policy should mandate that MFA has been used for all functions, other than being allowed into IAM to set up MFA. Attach this policy to a group. You can create as many policies and groups as you need. You can further lock things down with Service Control Policies if you see any benefit. You can do things like region enforcement and preventing use of expensive resources (e.g. GPU instances or Redshift / RDS) in either IAM or SCP.

Federation or IAM Users

Now either federate your account(s) to on-premises Active Directory, or create IAM users and add them to a group. Don't add policies to the users directly. These users can have access keys, but these are subject to MFA as well.

Federation links: one, two. The key search term is "AWS Active Directory Federation".

Two Weeks

I suspect the two-week request is a red herring. Once you set all your users up properly you don't need to change your access keys that often - every few months is likely sufficient, or maybe up to a year.

Outcome

All of this gives you good control of your account, lets you trace who did what (make sure CloudTrail is enabled and the bucket is protected), reduces exposure to hackers increasing the bill, and probably other benefits too.

Solution 2:

DO NOT use an access key for your AWS account root user. Use IAM users for everyday interaction with AWS. Now that is out of the way...

Use Temporary Security Credentials

You can create IAM roles rather than users and generate temporary security credentials. These have an access key ID, a secret access key, and a security token that indicates when the credentials expire.

Normally access keys remain valid until you manually revoke them. However, temporary security credentials obtained through IAM roles and other features of the AWS Security Token Service expire after a short period of time.

In your example talking about instances or CLI scripts, rather than passing or embedding an access key in the application, define an IAM role that has appropriate permissions for your application and launch the Amazon EC2 instance with roles for EC2. This associates an IAM role with the Amazon EC2 instance and lets the application get temporary security credentials that it can in turn use to make calls. The CLI can get temporary credentials from the role automatically.