Rotating Amazon Credential Keys

In an effort to optimize security, Amazon allows you to create a new pair of credential keys (access key ID and secret access key). While Amazon does not enforce the use of this key pair, it does recommend that you replace your old key pair with a new one every 90 days. In doing so, SecureCloud provides additional security and clearly separates the duties between the Cloud Service Provider (CSP) administrator and your SecureCloud administrator.

Procedure

  1. Log on to an Amazon EC2 instance where SecureCloud Runtime Agent is installed.
  2. Use the Configuration Tool to rotate old credential keys with new ones.
    $ <Configuration Tool file name> -z -m access_id=<OLD_ACCESS_ID>,secret_key=<OLD_SECRET_KEY> -n access_id=<NEW_ACCESS_ID>,secret_key=<NEW_SECRET_KEY> -x <PASSPHRASE>
    
    Note
    <Configuration Tool file name> is scconfig.sh for Linux and scconfig.exe for Windows.
Rotate the credential keys for each account you have. The Runtime Agent reports credential information to the SecureCloud Server for each account you have. The SecureCloud Server stores credential rotation information. The Runtime Agent queries credential information from the Management Server each time that it needs to query Amazon EC2 information. The Runtime Agent derives the new credentials from the information received from the Management Server.
Tip
To rotate the credential keys for multiple Amazon Machine Images (AMIs) using the same credential keys, rotate the credential keys for just one of these AMIs. This will result in credential key rotation for all the AMIs using the same credential keys. This is possible because while the key rotation is initiated from the Runtime Agent, the management of the credential keys is done from the SecureCloud Server.
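
To decide which keys are due before running the rotation command, the 90-day interval recommended above can be checked against IAM key metadata for each account. The following is an added example, not part of the SecureCloud documentation: it assumes the listings were saved from `aws iam list-access-keys --output json`, and the user names and key IDs in the sample are constructed placeholders.

```python
import json
from datetime import datetime, timedelta, timezone

ROTATION_INTERVAL = timedelta(days=90)  # interval this page recommends

# Constructed sample: one `aws iam list-access-keys --output json` document
# per IAM user. User names and key IDs are placeholders, not real credentials.
SAMPLE_OUTPUTS = [
    """{"AccessKeyMetadata": [
      {"UserName": "sc-agent-a", "AccessKeyId": "AKIAEXAMPLE000000OLD",
       "Status": "Active", "CreateDate": "2024-01-10T08:15:00+00:00"},
      {"UserName": "sc-agent-a", "AccessKeyId": "AKIAEXAMPLE00RETIRED",
       "Status": "Inactive", "CreateDate": "2023-03-01T00:00:00+00:00"}]}""",
    """{"AccessKeyMetadata": [
      {"UserName": "sc-agent-b", "AccessKeyId": "AKIAEXAMPLE00000EDGE",
       "Status": "Active", "CreateDate": "2024-03-03T00:00:00Z"},
      {"UserName": "sc-agent-b", "AccessKeyId": "AKIAEXAMPLE000000NEW",
       "Status": "Active", "CreateDate": "2024-05-20T12:00:00Z"}]}""",
]


def parse_create_date(value):
    """Parse CreateDate; older Pythons reject a trailing 'Z', so normalise it."""
    parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def keys_due_for_rotation(outputs, now=None):
    """Return (UserName, AccessKeyId, age_days) for Active keys aged 90+ days,
    oldest first."""
    now = now or datetime.now(timezone.utc)
    due = []
    for document in outputs:
        for key in json.loads(document).get("AccessKeyMetadata", []):
            if key.get("Status") != "Active":
                continue  # an Inactive key cannot sign requests
            age = now - parse_create_date(key["CreateDate"])
            if age >= ROTATION_INTERVAL:
                due.append((key["UserName"], key["AccessKeyId"], age.days))
    return sorted(due, key=lambda item: item[2], reverse=True)


if __name__ == "__main__":
    for user, key_id, days in keys_due_for_rotation(SAMPLE_OUTPUTS):
        print(f"{user}: rotate {key_id} ({days} days old)")
```

Each key ID reported here is a candidate for `<OLD_ACCESS_ID>` in the Configuration Tool command shown in the procedure.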