It’s a good practice to rotate your AWS CLI keys periodically. Recently I wrote a key rotation shell script to match a company policy where an IAM user is allowed to have the maximum of two concurrent keys. If both “slots” are taken when the script is triggered, it looks at the creation dates/times of the keys, which key is currently active (or if both are), and which one is currently configured in the users’s
~/.aws/config file (and hence is being used for the rotation operation), and then allows the user to delete the key that is either older, or not currently in use, thus making space for a new key.
Once the new key is generated, the script activates the key, tests that it works, and then removes the key that the new key replaces.
The script was created and tested for use on macOS, but it will likely work on Linux as well (I will soon test it on Linux and make any portability changes if needed).
You can find aws-iam-rotatekeys.sh script on GitHub.
Update 28 October 2017: An improved version of the script has been published.
See the details here!