How-To: Creating Programmatic Keys in Amazon Web Services (AWS)
Last updated: May 29, 2026
Introduction
This article helps you set up the programmatic keys required for Astra to securely access your AWS services. These keys are a vital prerequisite for a thorough penetration test, as they allow our tools to perform automated assessments of your cloud environment.
Prerequisites
Administrative access to your AWS Management Console.
An existing IAM user with the necessary policies attached (such as ReadOnlyAccess), or permissions to create a new one.
Instructions
1. Access the IAM Dashboard
Sign in to the AWS Management Console with your account credentials.
In the console, locate and select IAM (Identity and Access Management) from the services menu.
2. Select Your IAM User
In the IAM dashboard, click on Users in the left-hand navigation pane.
Choose the specific IAM user you wish to generate keys for.
Note: If you need to create a new user for this purpose, click Add user and follow the prompts to set it up with programmatic access.
3. Generate the Access Keys
Within the selected user's details page, navigate to the Security credentials tab.
Locate the Access keys section and click the Create access key button.
Select the Command Line Interface (CLI) option and tick the confirmation box to proceed.
Click Next.
4. Secure and Download Your Keys
Once the keys are generated, immediately download the .csv file, which contains both your Access Key ID and Secret Access Key.
Critical Note: You will not be able to view the secret access key again after this window is closed. Please store it in a secure location immediately.
Expected Outcome
You will now have a pair of active programmatic keys. These credentials grant Astra’s scanners the automated access needed to perform a comprehensive security assessment of your cloud infrastructure.
Troubleshooting & Best Practices
Verify Permissions: Ensure the IAM user has the correct IAM policies attached to perform the actions required for your pentest.
Lost Keys: If you lose your secret access key, you cannot retrieve it; you must deactivate the old pair and create a new one.
Enhanced Security: For added protection, we highly recommend enabling a virtual MFA device for your IAM users via the "Security credentials" tab.
Restricting Access: If you have sensitive resources you wish to exclude from the assessment, you can attach a custom Deny policy to explicitly block access to specific data while keeping the required ReadOnlyAccess active for the rest of your environment.