If you decide that it is necessary to change your access keys, the security credentials page (available from your account page at the Amazon Web Services web site at http://aws.amazon.com) enables you to create a second set, and allows you to activate and deactivate the sets independently, as shown in the figure.

With both sets active, you can propagate the new set to your applications over time, maintaining the high security that signing provides. Since both sets are valid, you don't have to take your entire application down to incorporate the new keys. When the distribution is complete you can deactivate the old set.