This topic describes how to rotate AccessKey pairs. You can create up to two AccessKey pairs for each RAM user. If you have used an AccessKey pair for more than three months, we recommend that you rotate the AccessKey pair in a timely manner to prevent against the leakage of AccessKey pairs.


  1. Create a new AccessKey pair for rotation. For more information, see Create an AccessKey pair for a RAM user.
  2. Update all applications and systems to use the new AccessKey pair.
    Note If you want to check whether the new AccessKey pair is in use, follows these steps: Log on to the RAM console. Go to the details page of the target user. Find the new and original AccessKey pairs in the User AccessKeys section. View the values in the Last Used column for the AccessKey pairs. You can determine whether the new or original AccessKey pair is in use based on the column values.
  3. Disable the original AccessKey pair. For more information, see Disable an AccessKey pair.
  4. Confirm that your applications and systems are working.
    • If the applications and systems are working, the update is successful. Then, you can delete the original AccessKey pair.
    • If an application or system stops working, you must re-enable the original AccessKey pair, and then repeat step 2 to step 4 until the update is successful.
  5. Delete the original AccessKey pair. For more information, see Delete an AccessKey pair.

What to do next

We recommend that you regularly rotate AccessKey pairs.