Best Practices for Rotating Amazon Web Services Access Keys for CloudResearch Users

By Aaron Moss, PhD & Jonathan Robinson, PhD

When you link an Amazon Mechanical Turk account to CloudResearch, you can run studies on Mechanical Turk while using CloudResearch features meant to simplify setting up and managing studies. In order for CloudResearch to communicate with MTurk, you must create an Amazon Web Services account and give CloudResearch permission to interact with your Amazon account. If you have been through this process, you may remember creating an “Identity Access Management” (IAM) user and entering the secret key and secret access keys generated for this user into CloudResearch. In this blog, we touch on an aspect of account security related to these access keys. Specifically, we describe how you can easily rotate your secret access keys — similar to changing a password — and why you would want to.

What Are Secret Keys and Secret Access Keys

Mechanical Turk was originally created for computer scientists, not social scientists. As a result, the language common on Mechanical Turk can be confusing for people more accustomed to talking about humans and behavior than machines and technology. Cloudresearch aims to bridge this gap by making MTurk more accessible for behavioral researchers. When talking about secret keys and secret access keys, you can think of the secret key as a username and the secret access key as a password. Anyone with your secret key and secret access key could gain access to your Web Services account, including your billing information. Thus, as a matter of security, you should regularly rotate your credentials the same way you regularly rotate passwords for other accounts.

How to Rotate Credentials

To rotate your credentials, log in to your Amazon Web Services account.

Once you’re logged in you should see your username and the length of time since creating your last access key. To change your access keys, click on your username.

After clicking your username, you should see a summary of your account details.

From the summary page, select the “Security Credentials” tab. When the following page loads, you can generate a new set of credentials by clicking the “Create Access Key” button. Once the new credentials are generated, you should save them as a .csv file.

IMPORTANT! If you are not currently running any studies, you can return to the security and credentials page and delete your old credentials by clicking the “x” next to them. If, however, you are running a study, you should not delete your old credentials. Doing so would eliminate your ability to edit your Live studies. If you are running a study at the time of updating your keys, you can update the keys on CloudResearch, following the steps below, and then return to the AWS page to delete your old secret keys after your study finishes data collection.

The final step in updating your credentials is to share the new credentials with CloudResearch. To do this, log into CloudResearch and navigate to the account icon in the upper right-hand corner. Select “Mechanical Turk Account.”

From the MTurk account page, select “Edit your Amazon Credentials.” Then, enter your new secret key and secret access key into the corresponding boxes and select “submit.”

If your change has been successful, you will see a success message.

Best Practices for Rotating Credentials

Let’s face it: most people do not regularly rotate passwords for important things like bank accounts and credit cards. That doesn’t bode well for the likelihood that researchers will update the credentials on their MTurk and CloudResearch accounts. Nevertheless, we have two recommendations that can make rotating credentials as painless as possible.

1. Rotate your credentials every 3-4 months: Amazon recommends rotating account credentials at least once every 90 days. At CloudResearch, we agree. Rotating your credentials once a quarter will lower the odds of someone gaining unauthorized access to your account.
2. Set yourself a reminder: To simplify knowing when to rotate your credentials, you can set yourself a calendar reminder. When the reminder pops up on your calendar, make time to rotate your credentials.