Ben Oram

Quick notes on tech, AWS, .NET & containers

When you launch a Windows instance from an AWS AMI, a password is generated automatically and encrypted with the key pair associated with the instance.

As a best practice, this generated password should be changed. Many folks choose to create a new local administrator account with a unique username, and many teams additionally join the instance to a domain and let the domain handle authentication.

Finally, starting with Windows Server 2016, AMIs maintained by AWS are configured to allow generated passwords to expire.

AWS managed keys are rotated automatically every 3 years. For these keys there is no way to trigger a rotation manually or to change the rotation schedule. They are AWS managed keys, after all :)

Customer managed keys in KMS have more flexibility. Key rotation is not required, but a key can be configured to rotate automatically every year. In addition, a rotation can be triggered manually, either in the console or through the API.

To enable manual rotation, make sure that all key references are through an alias. Aliases enable manual key rotation by allowing you to point the alias to a new key at any time.
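A worked version of that alias-based rotation, added here as an example rather than code from the post: it refuses raw key ids, creates a fresh customer managed key, repoints the alias, and verifies the switch. The alias name and key ids are hypothetical, and `FakeKMS` is a constructed offline stand-in for a boto3 KMS client.

```python
"""Manual KMS key rotation by repointing an alias (added example).

`kms` is any object exposing the boto3 KMS client calls used here:
describe_key / create_key / update_alias. Alias and key ids are hypothetical.
"""
import re
from typing import Dict

# Matches "alias/name" or a full alias ARN; raw key ids and key ARNs do not match.
ALIAS_RE = re.compile(r"^(arn:aws[\w-]*:kms:[\w-]+:\d{12}:)?alias/[\w/-]+$")


def is_alias_reference(key_ref: str) -> bool:
    """True only for alias references; a raw key id cannot be rotated by repointing."""
    return bool(ALIAS_RE.match(key_ref))


def rotate_via_alias(kms, alias_name: str, description: str) -> Dict[str, str]:
    """Create a new customer managed key and move the alias onto it.

    The old key is deliberately left enabled: KMS ciphertext carries the id of the
    key that produced it, so Decrypt of pre-rotation data keeps working.
    """
    if not is_alias_reference(alias_name):
        raise ValueError(f"{alias_name!r} is not an alias; repointing requires one")
    # DescribeKey accepts an alias name and resolves it to the backing key.
    old_key = kms.describe_key(KeyId=alias_name)["KeyMetadata"]["KeyId"]
    new_key = kms.create_key(Description=description)["KeyMetadata"]["KeyId"]
    kms.update_alias(AliasName=alias_name, TargetKeyId=new_key)
    now_key = kms.describe_key(KeyId=alias_name)["KeyMetadata"]["KeyId"]
    if now_key != new_key:  # verify before reporting success
        raise RuntimeError(f"{alias_name} still resolves to {now_key}, expected {new_key}")
    return {"old_key_id": old_key, "new_key_id": new_key}


class FakeKMS:
    """Constructed offline stand-in for boto3.client('kms'); only the calls above."""
    def __init__(self):
        self.aliases = {"alias/app-data": "key-0000-old"}  # hypothetical ids
        self.created = 0

    def describe_key(self, KeyId):
        return {"KeyMetadata": {"KeyId": self.aliases.get(KeyId, KeyId)}}

    def create_key(self, Description):
        self.created += 1
        return {"KeyMetadata": {"KeyId": f"key-{self.created:04d}-new"}}

    def update_alias(self, AliasName, TargetKeyId):
        self.aliases[AliasName] = TargetKeyId


if __name__ == "__main__":
    # Replace FakeKMS() with boto3.client("kms") to run against a real account.
    print(rotate_via_alias(FakeKMS(), "alias/app-data", "app-data key (rotated)"))
```

Keep the previous key enabled (and out of any deletion schedule) until every ciphertext produced under it has been re-encrypted.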