SECOPS

Scheduled AWS Access-Key Age Sweep and Forced Rotation

Runs daily to find IAM access keys older than your policy threshold, deactivates the stale key, issues a fresh pair, and notifies the key owner with their replacement instructions.

CategorySecOps

Enginesim

Difficultyintermediate

Triggerschedule

Steps5

Setup~15 min

How it runs

The automated pipeline, trigger to output.

TriggerDaily schedule
ActionList IAM users and access-key agesAWS S3
LogicSelect keys past max-age threshold
ActionDeactivate stale key and issue replacementAWS S3
OutputDM each owner the new key and deadlineSlack

What it does

Proactively rotates AWS access keys before they ever leak. On a schedule it lists every IAM access key, flags those past your maximum age, deactivates the old key, creates a new one, and tells each owner how to swap it in.

When to use it

Adopt this to enforce a hard key-age ceiling across an AWS account without chasing engineers manually. It pairs well with the scan-driven revocation flows: this one prevents leaks, those handle them.

How it works

1A daily schedule kicks off the sweep.
2An action queries AWS for all IAM users and their access-key metadata, including creation dates.
3A logic step selects keys older than the configured threshold and confirms each owner has fewer than two active keys before rotating.
4An action deactivates the stale key and creates a replacement, stashing the new credential in the encrypted store.
5A Slack direct message goes to each affected owner with the new key reference and a deactivation deadline for the old one.

Set it up

What you configure once, before turning it on.

1
Connect AWS S3Buckets, objects, signed URLs.
2
Connect SlackChannels, DMs, threads, mentions.
3
Set each agent's modelWe leave models unset so you pick the tier — fast + cheap, or top-quality.
4
Tune it to your dataEdit the prompts, filters, and field mappings so it matches how your team works.
5
Test, then turn it onRun once against a sample, confirm the output, then enable the trigger.

More SecOps workflows

Correlate Datadog WAF anomaly alert with Cloudflare evidence

When Datadog fires a WAF block-rate anomaly monitor, it pulls the matching Cloudflare firewall events, builds an evidence pack of top rules and ASNs.

Exposed-Secret Incident Triage and Remediation Agent

An agent-driven workflow that investigates a reported leaked secret end to end, decides revoke-versus-escalate, executes the rotation.

Non-Rotatable Leaked Secret to PagerDuty Escalation

Catches secret-scan hits for credentials that cannot be auto-rotated, gathers blast-radius context, and pages the on-call engineer with a step-by-step manual rotation runbook.

GitHub Secret-Scan Hit to Auto-Revoke and Rotate

When GitHub secret scanning flags a leaked credential in a repo, it auto-classifies the secret type, revokes the live key at the provider, mints a replacement.

Post-Revocation Verification and Audit Logging

After a key is revoked, it confirms the old credential actually fails, verifies the replacement works.

Page on-call when a WAF rule mass-blocks legitimate traffic

On demand or every few minutes, it detects a single Cloudflare WAF rule suddenly blocking a broad spread of ASNs and paths (a likely false-positive storm).

Browse all SecOps →

Run it inside a business

This workflow drops into a full company template. Import the org, and this is one of the playbooks its agents run.

Software

Agent Hive runs Agent Hive

The team that built Agent Hive, exactly as it runs today.

Marketing

Content Marketing Agency

SEO, blogs, social, and reporting on autopilot.

E-commerce

E-commerce Operator

Listings, support, inventory, and ads — running 24/7.

Browse all business templates →Solutions by industry →

Run this workflow in your colony.

14-day trial. No DevOps. No Sales call. Provisioned in under a minute.

Join the Waitlist Browse all workflows →