Tuesday, September 1, 2009

AWS: Two Account Credentials

Amazon Web Services (AWS) now allows each AWS account to have two credentials. In other words, one AWS account can have two active Access Key ID and Secret Access Key pairs.

Do not confuse this feature with yesterday's announcement by AWS on Multi-Factor Authentication (MFA), which is similar to a SecurID fob.

Two AWS Account Credentials
AWS supports multiple concurrent access keys. This allows you to rotate keys without impact to your applications' availability. AWS recommends that you rotate keys on a regular basis. To rotate keys, create a new key below, update your applications to use the new key, and then deactivate/delete the original key.

You are allowed two access keys at any point in time, and the keys may be in the following states:

So What?
This new feature can ensure a smooth transition when rotating your keys. In the past, creating new credentials overwrote your old credentials. You were out of luck if you missed an application or web service that was using the old credentials. Now, you can create new credentials and update your apps. If you notice an app no longer working after you click "Make Inactive", you can reactivate the old credentials while you fix the problem.

You can find more details when you access your AWS security credentials.
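The rotation sequence described above, as an added example that is not part of the original post or AWS's own tooling: a planner that looks at an account's (at most two) keys and returns the next safe step, including the rollback window before the old key is deleted. The record fields, key IDs and the 90/3/7-day thresholds are assumptions made for the illustration.

```python
from datetime import datetime, timedelta, timezone

MAX_KEYS = 2  # limit from the post: two access keys at any point in time
NOW = datetime(2009, 9, 1, tzinfo=timezone.utc)

def plan(keys, now=NOW, max_age=timedelta(days=90),
         quiet=timedelta(days=3), grace=timedelta(days=7)):
    """Return (action, key_id): the next safe rotation step.
    Thresholds are illustrative assumptions, not AWS recommendations."""
    if len(keys) > MAX_KEYS:
        raise ValueError("more than two keys: the inventory is wrong")
    by_age = sorted(keys, key=lambda k: k["created"])
    active = [k for k in by_age if k["status"] == "Active"]
    inactive = [k for k in by_age if k["status"] == "Inactive"]
    if len(active) == 2:
        old = active[0]
        # Old key seen in use recently: an application was missed.
        if old["last_used"] and now - old["last_used"] < quiet:
            return ("update-apps", old["id"])
        return ("deactivate", old["id"])
    if active and inactive:
        # Rollback window: the key can still be reactivated until deleted.
        parked = inactive[0]
        if now - parked["deactivated"] < grace:
            return ("wait", parked["id"])
        return ("delete", parked["id"])
    if not active:
        # Two inactive keys fill both slots; free one before creating.
        if len(keys) == MAX_KEYS:
            return ("delete", by_age[0]["id"])
        return ("create", None)
    if now - active[0]["created"] > max_age:
        return ("create", None)  # single key is overdue for rotation
    return ("ok", active[0]["id"])

def sample(key_id, status, age, used=None, parked=None):
    """Build a constructed key record; arguments are days before NOW."""
    ago = lambda d: None if d is None else NOW - timedelta(days=d)
    return {"id": key_id, "status": status, "created": ago(age),
            "last_used": ago(used), "deactivated": ago(parked)}

if __name__ == "__main__":
    keys = [sample("KEY-OLD", "Active", 120, used=1),
            sample("KEY-NEW", "Active", 2, used=0)]
    print(plan(keys))  # an app still signs requests with KEY-OLD
```

The "wait" result is the period in which reactivating the old key is still an option; only "delete" makes the rotation irreversible.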
