AWS IAM Access Key

This page shows how to write Terraform and CloudFormation for IAM Access Key and write them securely.

aws_iam_access_key (Terraform)

The Access Key in IAM can be configured in Terraform with the resource name aws_iam_access_key. The following sections describe 5 examples of how to use the resource and its parameters.

Example Usage from GitHub

main.tf#L14
resource "aws_iam_access_key" "dev-users-access_key" {
  count = length(var.users)
  user  = join("", ["dev-", var.users[count.index]])

  depends_on = [aws_iam_user.dev-users]
}
iam.tf#L11
resource "aws_iam_access_key" "vpc_access_key" {
  user = aws_iam_user.vpc.name
}

resource "aws_iam_user_policy" "vpc_user_policy" {
  name = "vpc-user-policy"
iam_static_user_access_keys.tf#L2
resource "aws_iam_access_key" "iam_user_s3_full_access" {
  count   = local.count_iam_user_s3_full_names
  user    = element(aws_iam_user.iam_user_s3_full_access.*.name, count.index)
  pgp_key = base64encode(file(var.pgp_keyname))
}

users_groups.tf#L6
resource "aws_iam_access_key" "sysadmin-1" {
  user = aws_iam_user.sysadmin1.name
}

resource "aws_iam_user" "sysadmin2" {
  name = "system_administrator_2"
negative.tf#L1
resource "aws_iam_access_key" "negative1" {
  user = "root"
}

resource "aws_iam_access_key" "negative2" {
  user = "root"

Review your Terraform file for AWS best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

Parameters

Explanation in Terraform Registry

Provides an IAM access key. This is a set of credentials that allow API requests to be made as an IAM user.

Tips: Best Practices for The Other AWS IAM Resources

In addition to the aws_iam_account_password_policy, AWS IAM has the other resources that should be configured for security reasons. Please check some examples of those resources and precautions.

risk-label

aws_iam_account_password_policy

Ensure AWS IAM account password policies requires long passwords

It's better to enforce the use of long and complex passwords to reduce the risk of bruteforce attacks.

Review your AWS IAM settings

In addition to the above, there are other security points you should be aware of making sure that your .tf files are protected in Shisho Cloud.

AWS::IAM::AccessKey (CloudFormation)

The AccessKey in IAM can be configured in CloudFormation with the resource name AWS::IAM::AccessKey. The following sections describe 10 examples of how to use the resource and its parameters.

Example Usage from GitHub

training-prime.yml#L12
    Type: "AWS::IAM::AccessKey"
    Properties:
      UserName:
        Ref: user30

  user31:
training-prime.yml#L12
    Type: "AWS::IAM::AccessKey"
    Properties:
      UserName:
        Ref: user0

  user1:
training-prime.yml#L12
    Type: "AWS::IAM::AccessKey"
    Properties:
      UserName:
        Ref: user81

  user82:
training-prime.yml#L12
    Type: "AWS::IAM::AccessKey"
    Properties:
      UserName:
        Ref: user21

  user22:
training-prime.yml#L12
    Type: "AWS::IAM::AccessKey"
    Properties:
      UserName:
        Ref: user0

  user1:
compiled_users.json#L863
            "Type": "AWS::IAM::AccessKey"
        },
        "userkeyav2686": {
            "Properties": {
                "UserName": {
                    "Ref": "polleuxlabncapuseruserav2686"
nubis-mozdef-users.json#L64
      "Type": "AWS::IAM::AccessKey",
      "Properties": {
         "Serial": 1,
         "Status": "Active",
         "UserName": {"Ref": "StagingFluentdSQSPublisher"}
      }
iam_group_users.json#L58
      "Type" : "AWS::IAM::AccessKey",
      "Properties" : {
         "UserName" : { "Ref" : "Danny" }
      }
    } ,
    "myaccesskey2" : {
Scout2-Master-004-IAMUsers-Global-Wait.json#L15
           "Type": "AWS::IAM::AccessKey",
           "Properties": {
              "UserName": "Scout2User001"
           }
        },
        "Scout2User001AccessKey002": {
Violation-USER-UnnecessaryAccessKeys.json#L15
            "Type": "AWS::IAM::AccessKey",
            "Properties": {
                "Status" : "Active",
                "UserName" : "ShiftLeftUser"
            }
        },

Parameters

Explanation in CloudFormation Registry

Creates a new AWS secret access key and corresponding AWS access key ID for the specified user. The default status for new keys is Active.

If you do not specify a user name, IAM determines the user name implicitly based on the AWS access key ID signing the request. This operation works for access keys under the AWS account. Consequently, you can use this operation to manage AWS account root user credentials. This is true even if the AWS account has no associated users. For information about quotas on the number of keys you can create, see IAM and AWS STS quotas in the IAM User Guide.

Important To ensure the security of your AWS account, the secret access key is accessible only during key and user creation. You must save the key (for example, in a text file) if you want to be able to access it again. If a secret key is lost, you can delete the access keys for the associated user and then create new keys.

Frequently asked questions

What is AWS IAM Access Key?

AWS IAM Access Key is a resource for IAM of Amazon Web Service. Settings can be wrote in Terraform and CloudFormation.

Where can I find the example code for the AWS IAM Access Key?

For Terraform, the jonasv/MFTEST_source-code, knagu/terraform-eks-main and zoitech/terraform-aws-s3-with-iam-access source code examples are useful. See the Terraform Example section for further details.

For CloudFormation, the ServerlessOpsIO/infrastructure, ServerlessOpsIO/infrastructure and ServerlessOpsIO/infrastructure source code examples are useful. See the CloudFormation Example section for further details.