AWS Identity and Access Management
Using IAM (API Version 2010-05-08)

Credentials (Passwords, Access Keys, MFA, and Certificates)

This section describes how to administer your users' credentials in IAM—that is, their passwords, access keys, certificates, and multi-factor authentication (MFA) devices.

To access your AWS account resources, users must have credentials. To use the AWS Management Console, users must have a password. To use the command line interface (CLI) or to make API calls, users must have an access key (an access key ID and secret access key). Users who access your resources only through the API or CLI do not need a password.

For extra security, you can enable multi-factor authentication (MFA) for users. MFA adds security by requiring users to enter an authentication code from a hardware device or virtual device in addition to providing a password or access key.

The following list describes the options for how to administer passwords, access keys, user certificates, and MFA devices.

Change your AWS account password.

You can change the password for the AWS account owner. You must be signed in as the account owner.

For more information, see Changing Your AWS Account Password.

Set a password policy for IAM users in the account.

You can require that IAM users create passwords that contain certain characters, are of a minimum length, are changed after a specified period of time, and so on.

For more information, see Setting an Account Password Policy for IAM Users.

Administer passwords, access keys, certificates, and MFA devices for IAM users, either as account owner or as a privileged IAM user.

An account owner or an IAM user who has the appropriate permissions can create, change, and delete passwords, access keys, certificates, and MFA devices for other IAM users.

For information about the permissions that an IAM user must have to perform these actions, see Permissions for Administering IAM Users, Groups, and Credentials.

Let all IAM users change their own passwords.

You can set a password policy that, among other things, lets all IAM users change their own passwords using the AWS Management Console. After you enable this option, users can sign in to the AWS Management Console and go to a special page to change their password.

Note the following about using this option in your password policy:

  • You can allow users to change their own passwords, but not administer their own access keys.

  • You can allow all users to change their own passwords, or no users. You cannot allow only a subset of users to change their passwords.

For more information, see Setting an Account Password Policy for IAM Users.
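The following script is an added example and is not part of this guide. It shows how an administrator can compare an account's password policy against a baseline and derive the parameters needed to fix it. SAMPLE_POLICY is a constructed dictionary shaped like the "PasswordPolicy" member returned by boto3's iam.get_account_password_policy(); the BASELINE values are assumptions chosen for illustration, and no AWS call is made.

```python
"""Compare an IAM account password policy with a baseline and report gaps.

Added example; it is not part of the AWS guide. SAMPLE_POLICY is a constructed
dictionary shaped like the "PasswordPolicy" member that boto3's
iam.get_account_password_policy() returns, and BASELINE holds assumed target
values chosen for illustration. No AWS call is made.
"""

# Constructed sample: an account that only raised the minimum length.
# Settings that were never configured (MaxPasswordAge, PasswordReusePrevention)
# are absent from the real response too, so the check treats "missing" as unset.
SAMPLE_POLICY = {
    "MinimumPasswordLength": 8,
    "RequireSymbols": False,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": False,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": False,
    "ExpirePasswords": False,
}

# Assumed baseline. Every key is also a valid keyword argument of
# iam.update_account_password_policy(), so the same dict can drive remediation.
BASELINE = {
    "MinimumPasswordLength": 14,         # lowest acceptable value
    "RequireSymbols": True,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,  # the account-wide self-service option
    "MaxPasswordAge": 90,                # highest acceptable value, in days
    "PasswordReusePrevention": 24,       # lowest acceptable number of remembered passwords
}

# Numeric keys where the account value must be at least / at most the baseline.
AT_LEAST = {"MinimumPasswordLength", "PasswordReusePrevention"}
AT_MOST = {"MaxPasswordAge"}


def check_password_policy(policy, baseline=BASELINE):
    """Return a list of findings; an empty list means the policy meets the baseline."""
    findings = []
    for key, want in baseline.items():
        have = policy.get(key)  # None when the setting was never configured
        if key in AT_LEAST:
            ok = have is not None and have >= want
            detail = f"want at least {want}"
        elif key in AT_MOST:
            ok = have is not None and have <= want
            detail = f"want at most {want}"
        else:
            ok = have == want
            detail = f"want {want}"
        if not ok:
            findings.append(f"{key}: {have}, {detail}")
    return findings


def remediation_parameters(baseline=BASELINE):
    """Keyword arguments for boto3's iam.update_account_password_policy().

    Intended call (not executed here):
        boto3.client("iam").update_account_password_policy(**remediation_parameters())
    """
    return dict(baseline)


if __name__ == "__main__":
    for finding in check_password_policy(SAMPLE_POLICY):
        print("FAIL", finding)
```

Note that ExpirePasswords appears only in the Get response; expiry is turned on by passing MaxPasswordAge to the Update call, which is why the baseline expresses it that way.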

Let selected IAM users administer their own passwords, access keys, and certificates.

Even if you don't want to allow all IAM users to administer their own passwords, you can let selected users administer their own passwords and access keys. This option differs from the previous one in these ways:

  • It lets you specify a subset of users who can administer their own passwords.

  • You can let users administer both their password and their access keys. (The account-wide setting lets users reset only their passwords.)

For this option, you do the following:

  • Create an IAM group and add users to it who have this privilege.

  • Set permissions on the group that let users manage their passwords, their access keys, their certificates, or all of those.

For more information about setting these permissions, see Permissions for Administering IAM Users, Groups, and Credentials.
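The following script is an added example and is not part of this guide. It builds the group policy document that the preceding steps call for, letting members manage their own password, access keys, and signing certificates, and checks that none of those actions is granted on any resource other than the caller's own user. The action names are real IAM actions; the ${aws:username} policy variable is substituted by IAM at evaluation time with the name of the calling user; the account ID is a placeholder.

```python
"""Build a group policy that lets members manage only their own credentials,
and check that no credential-management action leaks beyond the caller's own
user. Added example, not taken from the AWS guide. The action names are real
IAM actions; ${aws:username} is an IAM policy variable; the account ID is a
placeholder.
"""
import json
from fnmatch import fnmatch

# Actions a self-service user needs, grouped the way the guide describes the
# option: password, access keys, certificates, or all of those. Each accepts a
# user ARN as its resource, so each can be pinned to the caller's own user.
PASSWORD_ACTIONS = ["iam:ChangePassword", "iam:GetUser"]
ACCESS_KEY_ACTIONS = ["iam:CreateAccessKey", "iam:DeleteAccessKey",
                      "iam:ListAccessKeys", "iam:UpdateAccessKey"]
CERTIFICATE_ACTIONS = ["iam:UploadSigningCertificate", "iam:DeleteSigningCertificate",
                       "iam:ListSigningCertificates", "iam:UpdateSigningCertificate"]
USER_SCOPED_ACTIONS = set(PASSWORD_ACTIONS + ACCESS_KEY_ACTIONS + CERTIFICATE_ACTIONS)


def self_service_policy(account_id="123456789012", keys=True, certificates=True):
    """Return the policy document as a dict. account_id is a placeholder."""
    actions = list(PASSWORD_ACTIONS)
    if keys:
        actions += ACCESS_KEY_ACTIONS
    if certificates:
        actions += CERTIFICATE_ACTIONS
    return {
        "Version": "2012-10-17",  # policy variables require this version
        "Statement": [
            {   # Reading the account password policy has no resource-level scope.
                "Effect": "Allow",
                "Action": "iam:GetAccountPasswordPolicy",
                "Resource": "*",
            },
            {   # Everything else is pinned to the calling user's own ARN.
                "Effect": "Allow",
                "Action": actions,
                "Resource": f"arn:aws:iam::{account_id}:user/${{aws:username}}",
            },
        ],
    }


def policy_json(**kwargs):
    """The document as the JSON string you would attach to the group."""
    return json.dumps(self_service_policy(**kwargs), indent=2)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def unscoped_user_actions(policy):
    """Return credential-management actions that an Allow statement grants on a
    resource other than the caller's own user ARN (for example "*")."""
    leaks = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource", "*"))
        if all(r.endswith(":user/${aws:username}") for r in resources):
            continue
        for pattern in _as_list(stmt["Action"]):
            leaks.update(a for a in USER_SCOPED_ACTIONS if fnmatch(a, pattern))
    return sorted(leaks)


if __name__ == "__main__":
    print(policy_json())
```

The check matters because the same action list with "Resource": "*" would let any group member create access keys for every user in the account, not just their own; unscoped_user_actions() flags exactly that before the policy is attached.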

Administer MFA for the AWS account.

When multi-factor authentication (MFA) is enabled, you must retrieve an authentication code from a hardware device or virtual device before you can sign in to your account using the AWS Management Console.

For more information, see Configuring and Managing a Virtual MFA Device for Your AWS Account (AWS Management Console).

For general information about multi-factor authentication (MFA), see Using Multi-Factor Authentication (MFA) Devices with AWS.

Let users administer their own MFA device.

If users work with hardware-based MFA devices, an administrator typically manages the devices and enables MFA for individual IAM users. If users work with virtual devices (such as an app on their own smartphone), they typically manage the device themselves. IAM users who manage MFA for themselves or for others must have permissions to do so.

For more information, see Configuring and Enabling a Virtual MFA Device for a User.

For general information about multi-factor authentication (MFA), see Using Multi-Factor Authentication (MFA) Devices with AWS.

Learn best practices for managing access keys.

Anyone who has access keys for your account or for IAM users in your account has access to your AWS resources. Here is a set of best practices to help you protect your access keys.

Download a credential report for your account.

You can generate and download a credential report that lists all IAM users in your account and the status of their various credentials, including passwords, access keys, MFA devices, and signing certificates. For passwords, the credential report shows how recently a password has been used.

For more information about IAM credential reports, see Getting Credential Reports for Your AWS Account.
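The following script is an added example and is not part of this guide. It reads a credential report and turns the per-user credential status into findings an administrator would act on: console passwords without MFA, active access keys that are old or have never been used, and an active access key or missing MFA on the root account. SAMPLE_REPORT is a constructed CSV in the report's format, restricted to the columns the audit reads; AS_OF is a fixed reference date so the run is deterministic, and the 90-day threshold is an assumption.

```python
"""Audit an IAM credential report for weak credential hygiene.

Added example, not from the AWS guide. SAMPLE_REPORT is a constructed CSV in
the report's format, restricted to the columns this audit reads (the real
report also carries per-key region/service and signing-certificate columns,
which csv.DictReader simply carries along). AS_OF is a fixed reference date so
the example is deterministic; MAX_KEY_AGE_DAYS is an assumed threshold. In
practice the CSV is the decoded "Content" of iam.get_credential_report().
"""
import csv
import io
from datetime import datetime, timezone

AS_OF = datetime(2014, 6, 20, tzinfo=timezone.utc)  # assumed "today"
MAX_KEY_AGE_DAYS = 90                               # assumed rotation threshold

# Constructed sample report: root with an old active key and no MFA, a healthy
# user (alice), a user with a password but no MFA and an unused key (bob), and
# an API-only user whose single key is old and never used (carol).
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2013-01-05T08:00:00+00:00,not_supported,2014-06-01T09:12:00+00:00,not_supported,not_supported,false,true,2013-01-05T08:00:00+00:00,2014-05-30T11:00:00+00:00,false,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,2013-03-10T12:00:00+00:00,true,2014-06-19T15:40:00+00:00,2014-04-01T10:00:00+00:00,2014-06-30T10:00:00+00:00,true,true,2014-05-15T10:00:00+00:00,2014-06-18T08:00:00+00:00,false,N/A,N/A
bob,arn:aws:iam::123456789012:user/bob,2013-11-20T09:00:00+00:00,true,2014-06-10T07:00:00+00:00,2013-11-20T09:00:00+00:00,N/A,false,true,2013-11-20T09:00:00+00:00,2014-06-18T08:00:00+00:00,true,2014-06-01T08:00:00+00:00,N/A
carol,arn:aws:iam::123456789012:user/carol,2014-02-01T10:00:00+00:00,false,no_information,N/A,N/A,false,true,2014-02-01T10:00:00+00:00,N/A,false,N/A,N/A
"""


def _timestamp(value):
    """Parse a report timestamp; N/A, no_information and not_supported give None."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def audit_credential_report(report_csv, as_of=AS_OF, max_key_age_days=MAX_KEY_AGE_DAYS):
    """Return {user: [finding, ...]} for every row in the report."""
    findings = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        issues = findings.setdefault(user, [])
        is_root = user == "<root_account>"
        has_mfa = row["mfa_active"] == "true"

        if is_root and not has_mfa:
            issues.append("root account without MFA")
        if row["password_enabled"] == "true" and not has_mfa:
            issues.append("console password without MFA")

        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            if is_root:
                issues.append(f"root account has active access_key_{n}")
            rotated = _timestamp(row[f"access_key_{n}_last_rotated"])
            if rotated is None or (as_of - rotated).days > max_key_age_days:
                issues.append(f"access_key_{n} older than {max_key_age_days} days")
            if _timestamp(row[f"access_key_{n}_last_used_date"]) is None:
                issues.append(f"access_key_{n} active but never used")
    return findings


if __name__ == "__main__":
    for user, issues in audit_credential_report(SAMPLE_REPORT).items():
        for issue in issues:
            print(f"{user}: {issue}")
```

To run this against a real account, call iam.generate_credential_report() until it reports the job complete, then pass the decoded Content of iam.get_credential_report() to audit_credential_report(); an API-only user such as carol correctly produces no password finding because password_enabled is false.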