We've been asked by a customer for an IAM audit trail and a key rotation policy. Currently, half of our resources are still using access keys that haven't been rotated in over a year. For a small team like ours, what's the bare minimum we need to do to get our IAM practices ready for customer audits? Are there any tools or quick wins we should consider?
1 Answer
First off, ditch those static keys completely! Identify where they’re being used and if there’s no valid reason for them, start rotating them out. It’s a pain, especially if they’re scattered all over your scripts and CI jobs, but that’s the first step!

Totally get it! But how do you replace static keys without causing chaos in your system? Have you tried doing it gradually?
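
An added example, not part of the original posts: one way to see which keys are over a year old and whether they are still in use is to parse the IAM credential report (`aws iam get-credential-report`), then retire unused keys first so the change is gradual. The sample rows, dates, thresholds, and action labels below are constructed assumptions.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample using column names from the AWS IAM credential report;
# only the columns this script reads are kept, and all users/dates are made up.
SAMPLE_REPORT = """user,arn,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_service
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,true,2022-03-01T00:00:00+00:00,2024-05-30T08:12:00+00:00,s3,false,N/A,N/A,N/A
old-script,arn:aws:iam::111122223333:user/old-script,true,2021-11-15T00:00:00+00:00,N/A,N/A,true,2024-04-20T09:00:00+00:00,2024-05-29T09:00:00+00:00,ec2
alice,arn:aws:iam::111122223333:user/alice,true,2024-02-10T12:00:00+00:00,2024-05-31T17:45:00+00:00,iam,false,N/A,N/A,N/A
"""
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed date for the sample


def _parse(ts):
    """Parse a report timestamp; placeholder values mean 'no date recorded'."""
    if ts in ("", "N/A", "no_information", "not_supported"):
        return None
    return datetime.fromisoformat(ts)


def stale_keys(report_csv, now, max_age_days=365, idle_days=90):
    """Return active keys older than max_age_days, unused keys listed first."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in ("1", "2"):  # each IAM user can hold two access keys
            prefix = f"access_key_{slot}_"
            if row[prefix + "active"] != "true":
                continue
            rotated = _parse(row[prefix + "last_rotated"])
            if rotated is None or (now - rotated).days <= max_age_days:
                continue
            used = _parse(row[prefix + "last_used_date"])
            idle = used is None or (now - used).days > idle_days
            findings.append({
                "user": row["user"],
                "key_slot": int(slot),
                "age_days": (now - rotated).days,
                "last_used_service": row[prefix + "last_used_service"],
                # Hypothetical labels: idle keys can go first with least risk.
                "action": "deactivate-then-delete" if idle else "replace-then-deactivate",
            })
    findings.sort(key=lambda f: (f["action"] != "deactivate-then-delete", -f["age_days"]))
    return findings


if __name__ == "__main__":
    for finding in stale_keys(SAMPLE_REPORT, SAMPLE_NOW):
        print(finding)
```

The output doubles as a dated record of key age and last use for the audit, and the `last_used_service` column hints at which script or CI job still depends on a key before it is deactivated.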