Update docs for AWS IAM rotation strategy

docs/documentation/platform/secret-rotation/aws-iam.mdx

@@ -3,121 +3,141 @@ title: "AWS IAM User"
 description: "Rotated access key id and secret key of AWS IAM Users"
 ---
 
-Infisical AWS IAM User rotation enables the periodic updating of AWS IAM User access keys. Each user can maintain up to two keys simultaneously.
+Infisical's AWS IAM User secret rotation capability lets you update the **Access key** and **Secret access key** credentials of a target IAM user from within Infisical
+at a specified interval or on-demand.
 
-## Prerequisite
+## Workflow
+
+The typical workflow for using the AWS IAM User rotation strategy consists of four steps:
+
+1. Creating the target IAM user whose credentials you wish to rotate.
+2. Creating the managing IAM user used by Infisical to rotate the credentials of the target IAM user.
+3. Configuring the rotation strategy in Infisical with the credentials of the managing IAM user.
+4. Pressing the **Rotate** button in the Infisical dashboard to trigger the rotation of the target IAM user's credentials. The strategy can also be configured to rotate the credentials automatically at a specified interval.
+
+In the following steps, we explore the end-to-end workflow for setting up this strategy in Infisical.
 
 <Steps>
-  <Step title="Create IAM Manager User">
-	This AWS IAM User is the one that Infisical uses to get into your AWS account and handle the access keys for the IAM users underneath.
-	
-	Create the manager user IAM Policy
+	<Step title="Create the target IAM user">
+		To begin, create an IAM user whose credentials you wish to rotate. If you already have an IAM user,
+		then you can skip this step.
+	</Step>
+	<Step title="Create the managing IAM user">
+		Next, create another IAM user to be used by Infisical to rotate the credentials of the IAM user in the previous step.
 
-	1. Open [AWS Policy Builder](https://console.aws.amazon.com/iam/home#/policies$new?step=edit)
-	2. Use JSON tab to paste the JSON policy
-	3. Paste the following scope
-	```json
-	{
-	    "Version": "2012-10-17",
-	    "Statement": [
-			{
-			    "Sid": "VisualEditor0",
-			    "Effect": "Allow",
-			    "Action": [
-				"iam:DeleteAccessKey",
-				"iam:GetAccessKeyLastUsed",
-				"iam:CreateAccessKey"
-			    ],
-			    "Resource": "arn:aws:iam::*:user/infisical/rotate/*"
-			}
-	    ]
-	}
-	```
-	<Info>
-	   The IAM policy mentioned above is configured with an IAM path of **/infisical/rotate**. 
-
-	   This implies that managing users must be positioned within this specified path.<br/>
-	   If modifying this path, ensure that corresponding adjustments are made in the subsequent steps when creating managed users. 
-
-	   During testing, you have the option to utilize the wildcard option **Resource: "*"**. However, it's crucial to refrain from using * in production environments.
-	</Info>
-
-	Create the managed user IAM
-
-	1. Create the IAM user in AWS with the above policy.
-	2. Then create the [AWS IAM User access key.](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html#Using_CreateAccessKey)
-  </Step>
-  <Step title="Create IAM Managed User">
-	This AWS IAM User is designated to manage credential rotations for infisical.
-	<Warning>
-		If this user already exists, ensure all other access keys associated with it are removed. AWS enforces a strict limit of 2 access keys per IAM User.
-	</Warning>
-
-	1. Go to the AWS IAM Section.
-	2. Select Users and then click on Create User.
-	3. Attach policies as required.
-
-	As mentioned in the previous step, if you've specified a path to control access for the manager user, you must also provide the path when creating the user here. 
-	
-	However, the AWS console does not support the path option for this purpose. You'll need to use either the CLI or AWS API to create a user with a specified path. 
-	
-	[Please refer to the AWS documentation for further guidance](https://aws.amazon.com/blogs/security/optimize-aws-administration-with-iam-paths/).
-  </Step>
-</Steps>
-
-## Working
-
-1. Infisical connects your provided `manager aws iam` user.
-2. It will then create the new access key id and secret key for the `managed iam user`.
-3. Save the new credentials  to the mapped outputs in your secret board, so that rest of the systems can access it.
-4. The retired credentials gets deleted on each cycle.
-
-## Rotation Configuration
-
-<Steps>
-  <Step title="Open Secret Rotation Page">
-	Head over to Secret Rotation configuration page of your project by clicking on `Secret Rotation` in the left side bar 
-  </Step>
-  <Step title="Click on AWS IAM Card" />
-  <Step title="Provide the inputs">
-![Secret Rotation Input](../../../images/secret-rotation/aws-iam-inputs.png)
-  	These are inputs required by AWS IAM Rotation Providers
-
-	- Manager User Access Key
-
-		AWS IAM Rotator user access key
-
-	- Manager User Secret Key 
-
-		AWS IAM Rotator user secret key
-
-	- Manager User AWS Region 
+		2.1. In your AWS console, head to IAM > Access management > Users and press **Create user**.
 		
-		IAM policies are global. But AWS needs to know a region to send requests to a partition.
+		![iam user secret rotation create user](../../../images/platform/secret-rotation/aws-iam/rotation-manager-create-user.png)
+		
+		2.2. Next, give the user a username like **infisical-rotation-manager** and press **Next**.
 
-	- IAM Username 
+		![iam user secret rotation username](../../../images/platform/secret-rotation/aws-iam/rotation-manager-username.png)
+		
+		2.3. Next, in the **Set permissions** step, select **Attach policies directly** and then press **Create policy**.
+		
+		![iam user secret rotation create policy](../../../images/platform/secret-rotation/aws-iam/rotation-manager-create-policy.png)
+		
+		2.4. Next, in the **Policy editor**, paste the following JSON and press **Next**:
 
-		AWS IAM User's username whose credentials are rotated
-  </Step>
-  <Step title="Configure the output secret mapping">
+		```json
+		{
+			"Version": "2012-10-17",
+			"Statement": [
+				{
+					"Sid": "VisualEditor0",
+					"Effect": "Allow",
+					"Action": [
+					"iam:DeleteAccessKey",
+					"iam:GetAccessKeyLastUsed",
+					"iam:CreateAccessKey"
+					],
+					"Resource": "*"
+				}
+			]
+		}
+		```
 
-![Secret Rotation Output](../../../images/secret-rotation/aws-iam-outputs.png)
+		<Note>
+			The IAM policy above uses the wildcard option in Resource: "*".
+			
+			You may want to restrict the policy to a specific path, and make any adjustments as necessary, to control access for the managing user in production.
+			
+			Read more about this [here](https://aws.amazon.com/blogs/security/optimize-aws-administration-with-iam-paths/).
+		</Note>
+		
+		In the **Review and create** step, give the policy a name like **infisical-rotation-manager**, press **Create policy** to finish creating the policy.
+		
+		![iam user secret rotation policy review](../../../images/platform/secret-rotation/aws-iam/rotation-manager-policy-review.png)
 
-  	The secret keys to be replaced in the provided board after successful secret rotation
+		2.5. Back in the **Set permissions** step from step 2.3, refresh the policy list and search for the policy you just created from step 2.4.
+		
+		Select the policy and press **Next**.
+		
+		![iam user secret rotation attach policy](../../../images/platform/secret-rotation/aws-iam/rotation-manager-attach-policy.png)
+		
+		In the **Review and create** step, press **Create user** to finish creating the IAM user.
+		
+		![iam user secret rotation manager user review](../../../images/platform/secret-rotation/aws-iam/rotation-manager-user-review.png)
+		
+		2.5. Having created the user, head to its Security credentials > Access keys and press **Create access key**.
 
-	- Select `Environment`, `Secret Path` and `Interval` to rotate the secrets
-	- Finally select the secrets in your provided board to replace with new secret after each rotation
+		Follow the subsequent steps to create the **access key** and **secret access key** credential pair for the user.
 
-		- IAM User Access Key
+		![iam user secret rotation manager create access key](../../../images/platform/secret-rotation/aws-iam/rotation-manager-create-access-key.png)
+		
+		At the end of the flow, copy the **Access key** and **Secret access key** to use when configuring the AWS IAM User rotation strategy back in Infisical next.
+	
+		![iam user secret rotation manager access keys](../../../images/platform/secret-rotation/aws-iam/rotation-manager-access-keys.png)
+	</Step>
+	<Step title="Configure the AWS IAM User secret rotation strategy in Infisical">
+		3.1. Back in Infisical, head to the Project > Secrets > Environment and path where you want the rotated AWS IAM credentials to appear and create two placeholder secrets.
+		
+		In this example, we'll create two secrets called `AWS_ACCESS_KEY` and `AWS_SECRET_ACCESS_KEY`.
+		
+		![iam user secret rotation secrets](../../../images/platform/secret-rotation/aws-iam/rotation-config-secrets.png)
+		
+		3.2. Next, in the **Secret Rotation** tab, press on the **AWS IAM** tile to configure the AWS IAM User rotation strategy.
+		
+		![iam user secret rotation select aws iam user method](../../../images/platform/secret-rotation/aws-iam/rotations-select-aws-iam-user.png)
+		
+		3.3. Input the configuration details for the AWS IAM User rotation strategy obtained from steps 1 and 2:
+		
+		![iam user secret rotation config 1](../../../images/platform/secret-rotation/aws-iam/rotation-config-1.png)
+		
+		Here's some guidance on each field:
+		
+		- Manager User Access Key: The managing IAM user's access key from step 2.5.
+		- Manager User Secret Key: The managing IAM user's secret access key from step 2.5.
+		- Manager User AWS Region: The [AWS region](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.RegionsAndAvailabilityZones.html) for Infisical to make requests to such as `us-east-1`.
+		- IAM Username: The IAM username of the user from step 1.
+		
+		Next, specify the output secret mappings configuration for the rotated AWS IAM credentials; this is the secrets whose values will be replaced with new credentials after each rotation.
+		Here, you can also specify a rotation interval for the credentials to be automatically rotated periodically.
 
-			The rotated AWS IAM User access key id
-
-		- IAM User Secret Key
-
-			The rotated AWS IAM User secret key
-
-	- Your done and good to go.
-  </Step>
+		In this example, we want to map the output of the rotated AWS IAM credentials to the secrets that we created in step 3.1 (i.e. `AWS_ACCESS_KEY` and `AWS_SECRET_ACCESS_KEY`).
+		
+		![iam user secret rotation config 2](../../../images/platform/secret-rotation/aws-iam/rotation-config-2.png)
+		
+		Finally, press **Submit** to create the secret rotation strategy.
+	</Step>
+	<Step title="Rotate secrets in Infisical">
+		You should now see the AWS IAM User rotation strategy listed in the **Secret Rotation** tab.
+		
+		To manually trigger a rotation, you can press the **Rotate** button on the strategy.
+		Once triggered, the secrets in step 3.1 should be updated with new rotated credential values.
+		
+		![iam user secret rotations aws iam user](../../../images/platform/secret-rotation/aws-iam/rotations-aws-iam-user.png)
+	</Step>
 </Steps>
 
-Congratulations. You have improved your AWS IAM User security.
+**FAQ**
+
+<AccordionGroup>
+<Accordion title="Why are my AWS IAM credentials not rotating?">
+  There are a few reasons for why this might happen:
+  
+  - The strategy configuration is invalid (e.g. the managing IAM user's credentials are incorrect, the target IAM username is incorrect, etc.).
+  - The managing IAM user is insufficently permissioned to rotate the credentials of the target IAM user. For instance, you may have setup [paths](https://aws.amazon.com/blogs/security/optimize-aws-administration-with-iam-paths/) for the managing IAM user and the policy does not have the necessary permissions to rotate the credentials.
+  - The target IAM user already has 2 access keys configured in AWS; you should delete one of the access keys to allow for rotation.
+</Accordion>
+</AccordionGroup>