Today's Tip: Treat AWS Access Keys as One-Time Credentials

Letting AI interact with AWS is incredibly useful.

Showing it CloudWatch logs directly for debugging, or having it verify configurations, can seriously boost productivity.

But there’s one problem: “what do you do about access keys?”

Stop Using Static Access Keys

The common approach: create an IAM user access key and reuse it everywhere.

This is dangerous.

For handing credentials to an AI, this is a no-go.

”One-Time Keys” Do Exist (Technically)

AWS actually has “keys you can use like one-time credentials.”

Officially, they’re called: AWS Security Token Service (STS) Temporary Credentials

How It Works

  1. Create an IAM role
  2. Obtain temporary credentials via STS
  3. Hand them to the AI
  4. They auto-expire after a set time

What Gets Issued

You use these together as a set.

CLI Example

aws sts assume-role
—role-arn arn:aws:iam::123456789012:role/MyRole
—role-session-name ai-session

Benefits

Cautions

  1. Keep permissions minimal Example: CloudWatch read-only

  2. Keep expirations short 15 minutes to 1 hour is plenty

  3. Don’t use this in production Personal data or sensitive info may be involved

Summary

When letting AI touch AWS:

Just this alone significantly reduces your risk.