# AWS Plugin

{% hint style="success" %}
Keeper has also launched a zero-trust Password Rotation feature with KeeperPAM. This new capability is recommended for most password rotation use cases. The documentation is linked below:

* [Password Rotation with KeeperPAM](/keeperpam/secrets-manager/password-rotation.md)
* Commander [KeeperPAM commands](/keeperpam/commander-cli/command-reference/keeperpam-commands.md)
{% endhint %}

## Prerequisites

#### 1. Install the boto3 package (AWS SDK for Python)

```
pip3 install boto3
```

#### 2. Configure AWS CLI package

#### Install AWS CLI if necessary

```
pip3 install awscli
```

#### Configure AWS Connection with the AWS CLI

```
aws configure
```

{% hint style="info" %}
Configure your AWS environment with an account that has administrative privileges in order to modify the password for the specified user.
{% endhint %}

## Prepare Records for Rotation

### Create a Record for Rotation

Rotation supports legacy and typed records. Additional fields may be added depending on the rotation type as well. See the instructions below.

{% hint style="info" %}
See the [Troubleshooting](/keeperpam/commander-cli/troubleshooting-commander-cli.md#typed-vs-untyped-records-v3-vs-v2) section for more information on legacy vs typed records.
{% endhint %}

## Rotation Types

### Rotate AWS Keys

To rotate AWS keys, use the `rotate` command in Commander. Pass the command a record title or UID (or use `--match` with a regular expression to rotate several records at once).

```
rotate "My AWS Credentials" --plugin awskey
```

{% hint style="info" %}
The plugin can be supplied to the command as shown here, or added to a record field (see options below).\
Adding the plugin type to the record makes it possible to rotate several records at once with different plugins.
{% endhint %}

#### Additional Rotation Options

The following optional values can customize rotation parameters. Add these options to a record as text fields and set the label to correspond to the parameter as shown in the table.

{% hint style="info" %}
To make creating new AWS rotation records easier, create a custom record type with the text type fields defined.
{% endhint %}

<table><thead><tr><th width="237">Label</th><th width="151.1413969335605">Value</th><th>Comment</th></tr></thead><tbody><tr><td>cmdr:plugin</td><td>awskey</td><td>(Optional) Tells Commander to use AWS Key rotation. <em>This should be either set on the record or supplied to the rotation command</em></td></tr><tr><td>cmdr:aws_profile</td><td></td><td>(Optional) AWS profile to use to log in to AWS</td></tr><tr><td>cmdr:aws_sync_profile</td><td></td><td>(Optional) If supplied, the AWS secret for the given profile is updated in the AWS credentials file</td></tr><tr><td>cmdr:aws_assume_role</td><td>AWS Role ARN</td><td><p>(Optional) If supplied, the password rotation plugin assumes this role.<br>The role requires these permissions:</p><p><code>iam:DeleteAccessKey iam:CreateAccessKey iam:ListAccessKeys</code></p></td></tr></tbody></table>
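One way to check that the role named in `cmdr:aws_assume_role` grants only the three permissions listed in the table is to audit its policy document before using it for rotation. The following is an added example, not part of Commander; the function name, sample policies, account ID and user name are constructed for illustration.

```python
import fnmatch

# The three IAM actions the page lists for the role named in cmdr:aws_assume_role.
REQUIRED = ("iam:CreateAccessKey", "iam:DeleteAccessKey", "iam:ListAccessKeys")

def _as_list(value):
    """IAM accepts a single value or a list for Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]

def audit_rotation_policy(policy):
    """Return (missing_actions, findings) for an IAM policy document given as a dict."""
    granted, findings = set(), []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            findings.append("NotAction in an Allow statement grants everything not listed")
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            # IAM action names are case-insensitive and may use * and ? wildcards.
            hits = {a for a in REQUIRED
                    if fnmatch.fnmatchcase(a.lower(), pattern.lower())}
            granted |= hits
            if "*" in pattern or "?" in pattern or not hits:
                findings.append(f"action beyond the three required: {pattern}")
        for resource in _as_list(stmt.get("Resource", [])):
            if "*" in resource:
                findings.append(f"resource not pinned to one IAM user: {resource}")
    return sorted(set(REQUIRED) - granted), findings

# Constructed sample policies (placeholder account ID and user name).
SCOPED = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": list(REQUIRED),
    "Resource": "arn:aws:iam::111122223333:user/rotation-target"}]}

BROAD = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": ["iam:*AccessKey", "s3:GetObject"], "Resource": "*"}}

if __name__ == "__main__":
    for name, doc in (("SCOPED", SCOPED), ("BROAD", BROAD)):
        missing, findings = audit_rotation_policy(doc)
        print(name, "missing:", missing, "findings:", findings)
```

The broad policy shows why wildcards need review: `iam:*AccessKey` looks sufficient but does not match `iam:ListAccessKeys`, so the role is both over-permissive and missing a required action.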

#### Output

After rotation is completed, the Access Key ID and Secret Key are stored in custom fields on the record with labels: `cmdr:aws_key_id` and `cmdr:aws_key_secret`.

Any Keeper user or Keeper Shared Folder associated with the record is updated instantly.

<table><thead><tr><th width="295.01286409063545">Label</th><th width="150">Value</th></tr></thead><tbody><tr><td>cmdr:aws_key_id</td><td>generated AWS Access Key ID</td></tr><tr><td>cmdr:aws_key_secret</td><td>generated AWS Secret Access Key</td></tr></tbody></table>

{% hint style="warning" %}
The **'Password'** field is ignored when rotating keys
{% endhint %}

### Rotate AWS Passwords

To rotate AWS passwords, use the `rotate` command in Commander. Pass the command a record title or UID (or use `--match` with a regular expression to rotate several records at once).

```
rotate "My AWS Credentials" --plugin awspswd
```

{% hint style="info" %}
The plugin can be supplied to the command as shown here, or added to a record field (see options below).\
Adding the plugin type to the record makes it possible to rotate several records at once with different plugins.
{% endhint %}

#### Additional Rotation Options

The following optional values can customize rotation parameters. Add these options to a record as text fields and set the label to correspond to the parameter as shown in the table.

<table><thead><tr><th width="233.2983103895151">Name</th><th width="150">Value</th><th width="607.4725412972653">Comment</th></tr></thead><tbody><tr><td>cmdr:plugin</td><td>awspswd</td><td>(Optional) Tells Commander to use AWS password rotation. This should be either set on the record or supplied to the rotation command</td></tr><tr><td>cmdr:rules</td><td></td><td>(Optional) <a href="https://github.com/Keeper-Security/Commander/tree/master/keepercommander/plugins/password_rules.md">password complexity rules</a></td></tr><tr><td>cmdr:aws_profile</td><td></td><td>(Optional) AWS profile to use to log in to AWS</td></tr></tbody></table>

#### Output

After rotation, the `Password` field of the Keeper record contains the new password for the AWS account.

