Today's Tip: Treat AWS Access Keys as One-Time Credentials
Letting AI interact with AWS is incredibly useful.
Showing it CloudWatch logs directly for debugging, or having it verify configurations, can seriously boost productivity.
But there’s one problem: “what do you do about access keys?”
Stop Using Static Access Keys
The common approach: create an IAM user access key and reuse it everywhere.
This is dangerous.
- If leaked, it can be abused indefinitely
- It stays valid until you manually delete it
- You can’t track where it’s been shared
For handing credentials to an AI, this is a no-go.
”One-Time Keys” Do Exist (Technically)
AWS actually has “keys you can use like one-time credentials.”
Officially, they’re called: AWS Security Token Service (STS) Temporary Credentials
How It Works
- Create an IAM role
- Obtain temporary credentials via STS
- Hand them to the AI
- They auto-expire after a set time
What Gets Issued
- Access Key ID
- Secret Access Key
- Session Token (required)
- Expiration
You use these together as a set.
CLI Example
aws sts assume-role
—role-arn arn:aws:iam::123456789012:role/MyRole
—role-session-name ai-session
Benefits
- Time-limited, so much safer
- Grant only the permissions you actually need
- Control at the role level
Cautions
-
Keep permissions minimal Example: CloudWatch read-only
-
Keep expirations short 15 minutes to 1 hour is plenty
-
Don’t use this in production Personal data or sensitive info may be involved
Summary
When letting AI touch AWS:
- Don’t use static access keys
- Use STS temporary credentials
Just this alone significantly reduces your risk.