App uses personal access keys in production
Personal keys in an app means: employee leaves, app breaks. Use a service role.
Try this first
- 1Create an IAM role with only the rights the app needs
- 2Attach the role to the EC2 instance, Lambda or ECS task definition
- 3Remove access keys from env vars and git history
- 4Rotate any key that ever sat in code, assume it leaked
When to bring us in
If a key leaked publicly, enable GuardDuty immediately and review the last 90 days of CloudTrail.
See also
- Everyone logs in with the AWS root accountRoot is for emergencies and billing. Day-to-day work belongs in IAM users or SSO.
- Every developer has AdministratorAccessAdministratorAccess everywhere is convenient now, painful later. Start with role-based policies.
- Everyone has individual IAM users with their own passwordIdentity Center (formerly AWS SSO) links to your IdP and issues temporary credentials per session.
None of the above fits?
Describe your situation below. We pass your input plus the steps you already saw to our AI and return tailored next-step advice. If it's too risky to DIY, we'll say so.
Or skip the DIY entirely
Our Managed IT clients do not look these things up. One point of contact, a fixed monthly price, resolved within working hours.