Best Practices for Key Management



Commvault can use AWS access keys to verify the identity of users and applications. An access key consists of an access key ID and a secret access key.

Best practices for managing your AWS access keys include the following:

  • Do not generate an access key for your AWS account root user. Instead, create AWS Identity and Access Management (IAM) users, generate access keys for the IAM users, and use the IAM users for interaction with AWS.

  • Create temporary security credentials with IAM roles. Long-term access keys remain valid until you manually revoke them, and they are unnecessary in most cases. Temporary security credentials, which are associated with IAM roles, expire after a short period of time. Temporary security credentials include an access key ID, a secret access key, and a security token that specifies when the credentials expire. You can use temporary security credentials for a number of common scenarios, including the following:

    • Applications or AWS CLI scripts that run on an Amazon EC2 instance

    • Users who require limited access across multiple accounts

    • Mobile apps

    • Federating into AWS using SAML 2.0

    • Federating into AWS using an on-premises identity store

  • Use caution when managing IAM user access keys. To increase access key security, use the following practices:

    • Do not embed access keys in code. Instead, keep access keys in the AWS credentials file or environment variables.

    • Use a different access key for each application.

    • Change access keys on a regular basis.

    • Delete unused access keys.

    • For sensitive operations, use multi-factor authentication.
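Two of the practices above ("Do not embed access keys in code" and "keep access keys in the AWS credentials file or environment variables") can be checked mechanically. The following added example, which is not part of this page or of Commvault's software, flags access key IDs that appear in source text (AKIA prefix for long-term IAM user keys, ASIA prefix for temporary STS keys) and resolves credentials from environment variables first and the shared credentials file second, a simplified form of the AWS SDK lookup order. The key IDs and file contents are constructed samples.

```python
import configparser
import os
import re
from typing import Optional

# Long-term IAM user keys start with AKIA; temporary (STS) keys start with ASIA.
_KEY_ID_RE = re.compile(r"(?<![A-Z0-9])(AKIA|ASIA)[0-9A-Z]{16}(?![A-Z0-9])")


def find_embedded_keys(text: str) -> list:
    """Return (line_no, key_id, kind) for every access key ID found in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in _KEY_ID_RE.finditer(line):
            kind = "long-term" if m.group(1) == "AKIA" else "temporary"
            findings.append((line_no, m.group(0), kind))
    return findings


def load_credentials(env=None, credentials_text=None, profile="default") -> Optional[dict]:
    """Resolve credentials from the environment first, then from the shared
    credentials file (INI format, ~/.aws/credentials). Returns None if neither
    source holds a complete key pair. credentials_text overrides the file."""
    env = os.environ if env is None else env
    key_id, secret = env.get("AWS_ACCESS_KEY_ID"), env.get("AWS_SECRET_ACCESS_KEY")
    if key_id and secret:
        return {"access_key_id": key_id, "secret_access_key": secret,
                "session_token": env.get("AWS_SESSION_TOKEN"), "source": "env"}
    if credentials_text is None:
        path = os.path.expanduser("~/.aws/credentials")
        if not os.path.exists(path):
            return None
        with open(path) as f:
            credentials_text = f.read()
    cfg = configparser.ConfigParser()
    cfg.read_string(credentials_text)
    if not cfg.has_section(profile):
        return None
    section = cfg[profile]
    if "aws_access_key_id" not in section or "aws_secret_access_key" not in section:
        return None
    return {"access_key_id": section["aws_access_key_id"],
            "secret_access_key": section["aws_secret_access_key"],
            "session_token": section.get("aws_session_token"), "source": "file"}


# Constructed samples: a script with a hard-coded long-term key, and a credentials file.
SAMPLE_SOURCE = 'client = connect(key="AKIAEXAMPLEKEY000001", secret="...")\n'
SAMPLE_CREDENTIALS_FILE = ("[default]\naws_access_key_id = ASIAEXAMPLEKEY000002\n"
                           "aws_secret_access_key = notarealsecret\naws_session_token = tokenvalue\n")

if __name__ == "__main__":
    print(find_embedded_keys(SAMPLE_SOURCE))
    print(load_credentials(env={}, credentials_text=SAMPLE_CREDENTIALS_FILE))
```

Running the scanner over a repository before each commit, and rotating any key it reports, covers the "change access keys on a regular basis" and "delete unused access keys" items as well.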

For complete and detailed information about managing AWS access keys, see Best Practices for Managing AWS Access Keys on the AWS Documentation website.