Revoking and Rotating Exposed Secrets
Disable compromised keys and issue replacements safely.
Act Fast, Act Carefully
Once a credential is confirmed leaked, speed matters — but so does order. Disabling a key abruptly can break production if you do not first understand what depends on it.
The goal is to cut off the attacker while keeping legitimate workloads running, ideally in a single rehearsed sequence.
Deactivate Before Delete
The first move on a leaked access key is to deactivate it, not delete it. Setting the key status to Inactive immediately stops it from working.
Keeping the inactive key for now preserves it for forensic correlation in CloudTrail. Delete it only after the investigation is complete.
aws iam update-access-key \
--access-key-id AKIAEXAMPLE \
--status Inactive
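The deactivate-first sequence as a reusable shell function, added here as an example and not part of the original lesson: it looks up the key's owner and last-used service, sets the key to Inactive, and reads the status back. The function name contain_key is an assumption; AKIAEXAMPLE in the usage comment is the lesson's placeholder key ID.

```shell
#!/bin/sh
# Added example (not from the lesson): contain a leaked IAM access key.
# Usage after sourcing this file:  contain_key AKIAEXAMPLE
# Prints "<user> <key-id> <status>" on success.
contain_key() {
  key_id="$1"

  # 1. Look up the owner and the last service the key touched, so the
  #    workloads that depend on it can be identified before they break.
  info=$(aws iam get-access-key-last-used --access-key-id "$key_id" \
    --query '[UserName, AccessKeyLastUsed.ServiceName, AccessKeyLastUsed.LastUsedDate]' \
    --output text) || return 1
  read -r user service last_used <<EOF
$info
EOF
  [ -n "$user" ] && [ "$user" != "None" ] || return 1
  echo "owner=$user last_service=$service last_used=$last_used" >&2

  # 2. Deactivate, never delete: the key stays listed for later correlation.
  aws iam update-access-key --user-name "$user" \
    --access-key-id "$key_id" --status Inactive || return 1

  # 3. Read the status back instead of trusting the exit code alone.
  status=$(aws iam list-access-keys --user-name "$user" \
    --query "AccessKeyMetadata[?AccessKeyId=='$key_id'].Status" \
    --output text) || return 1
  if [ "$status" != "Inactive" ]; then
    echo "key $key_id reports status '$status'" >&2
    return 2
  fi
  echo "$user $key_id $status"
}
```

The owner and last-used line goes to stderr so it can be captured in the incident notes while stdout stays machine-readable.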