AWS Identity and Access Management
Using IAM (API Version 2010-05-08)

Credentials (Passwords, Access Keys, MFA, and Certificates)

This section describes how to work with credentials in IAM—passwords, access keys, certificates, and MFA.

To access your AWS account resources, users must have credentials. To use the AWS Management Console, users must have a password; to use the command-line interface or to make API calls, users must have an access key—an access key ID and secret access key. (Users who access your resources only through the API or command line interface do not need a password.)

For extra security, you can enable multi-factor authentication (MFA) for users. MFA requires users to enter an authentication code from a hardware device or virtual device in addition to providing a password or access key.

The following table lists options for how to administer passwords, access keys, user certificates, and MFA devices.

Options for administering passwords, access keys, credentials, and MFA devices

Task: Change your account password.
Description: You can change the password for the account's root user. You must be signed in as the account owner.
Links: Changing Your AWS Account Password

Task: Set a password policy for IAM users in the account.
Description: You can specify that IAM user passwords must contain certain characters, be of a minimum length, and so on.
Links: Setting an Account Password Policy for IAM Users

Task: Administer passwords, access keys, and certificates for IAM users, either as the account owner or as a privileged IAM user.
Description: An account owner, or an IAM user who has the necessary permissions, can create, change, and delete passwords, access keys, and certificates for other IAM users.
Links: For details about how to administer IAM user credentials, see Letting IAM Users Change Their Own Passwords. For information about the permissions that an IAM user must have, see Permissions for Administering IAM Users, Groups, and Credentials.

Task: Let all IAM users change their own passwords.
Description: You can set a password policy that lets all IAM users change their own passwords using the AWS Management Console. This option does not require that you attach special permissions to the user. After you enable this option, users can sign in to the AWS Management Console and go to a special page for resetting a password. Note the following about this option:
  • It does not let users administer their own access keys, only passwords.
  • It does not let you give this permission to some users but not others; all users are allowed to change their passwords.
Links: Setting an Account Password Policy for IAM Users

Task: Let selected IAM users administer their own passwords, access keys, and certificates.
Description: Even if you don't want to allow all IAM users to administer their own passwords, you can let selected users administer their own passwords and access keys. This option differs from the previous one in that a) it lets you specify a subset of users who can administer their own passwords, and b) you can let users administer both their password and their access keys. (The account-wide setting lets users reset only their passwords.) For this option, you do the following:
Links: Permissions for Administering IAM Users, Groups, and Credentials

Task: Administer MFA for the AWS account.
Description: When MFA is enabled, you must have an authentication code from a hardware device or virtual device before you can sign in to your account using the AWS Management Console.
Links: Configuring and Managing a Virtual MFA Device for Your AWS Account (AWS Management Console); (General MFA information) Using Multi-Factor Authentication (MFA) Devices with AWS

Task: Let users administer their own MFA device.
Description: If users work with hardware-based MFA devices, an administrator typically manages the devices and enables MFA for individual IAM users. If users work with virtual devices (such as an app on their own smartphone), they typically manage the device themselves. IAM users who manage MFA for themselves or for others must have permissions to do so.
Links: Configuring and Enabling a Virtual MFA Device for a User; (General MFA information) Using Multi-Factor Authentication (MFA) Devices with AWS
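The two self-service tasks in the table (letting selected users administer their own passwords and access keys, and letting users manage their own virtual MFA device) both come down to an IAM permissions policy whose resources are scoped to the calling user. The following is an added example and is not from this guide: a policy document written in the IAM policy grammar using the ${aws:username} policy variable, together with a deliberately simplified, Allow-only evaluator that shows the grant follows the caller and does not reach another user's credentials. The names SELF_SERVICE_POLICY, is_allowed and render_policy, the account ID 123456789012 and the users alice and bob are constructed for the example; the evaluator is not the real IAM decision logic.

```python
"""Self-service credential policy scoped to the calling IAM user.

Added example (not from the IAM guide). The policy document uses the real
IAM policy grammar and the ${aws:username} policy variable; the evaluator
below is a simplified, Allow-only stand-in for IAM's decision logic (no
Deny, NotAction, conditions or resource policies) whose only purpose is to
show that the grant follows the caller.
"""
import fnmatch
import json

# Constructed policy: each user may manage their own password, access keys
# and virtual MFA device, and nothing that belongs to any other user.
SELF_SERVICE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ViewPasswordPolicy",
            "Effect": "Allow",
            # Account-level action with no per-user resource, so Resource is "*".
            "Action": "iam:GetAccountPasswordPolicy",
            "Resource": "*",
        },
        {
            "Sid": "ManageOwnPasswordAndKeys",
            "Effect": "Allow",
            "Action": [
                "iam:ChangePassword",
                "iam:CreateAccessKey",
                "iam:DeleteAccessKey",
                "iam:ListAccessKeys",
                "iam:UpdateAccessKey",
            ],
            # ${aws:username} is replaced with the caller's name at evaluation time.
            "Resource": "arn:aws:iam::*:user/${aws:username}",
        },
        {
            "Sid": "CreateOwnVirtualMFA",
            "Effect": "Allow",
            "Action": "iam:CreateVirtualMFADevice",
            "Resource": "arn:aws:iam::*:mfa/${aws:username}",
        },
        {
            "Sid": "EnableOwnMFA",
            "Effect": "Allow",
            "Action": ["iam:EnableMFADevice", "iam:ListMFADevices", "iam:ResyncMFADevice"],
            "Resource": "arn:aws:iam::*:user/${aws:username}",
        },
    ],
}


def render_policy(policy=SELF_SERVICE_POLICY):
    """Serialise the document for attaching as an inline user or group policy."""
    return json.dumps(policy, indent=2)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, caller, action, resource):
    """Simplified decision: True if any Allow statement matches the request.

    Actions are matched case-insensitively with * wildcards; resource
    patterns have ${aws:username} substituted with `caller` before matching.
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        action_ok = any(
            fnmatch.fnmatchcase(action.lower(), pattern.lower())
            for pattern in _as_list(stmt["Action"])
        )
        if not action_ok:
            continue
        for pattern in _as_list(stmt["Resource"]):
            expanded = pattern.replace("${aws:username}", caller)
            if fnmatch.fnmatchcase(resource, expanded):
                return True
    return False


if __name__ == "__main__":
    # Constructed ARNs: alice is the caller, bob is another user in the account.
    alice = "arn:aws:iam::123456789012:user/alice"
    bob = "arn:aws:iam::123456789012:user/bob"
    print(is_allowed(SELF_SERVICE_POLICY, "alice", "iam:CreateAccessKey", alice))  # True
    print(is_allowed(SELF_SERVICE_POLICY, "alice", "iam:CreateAccessKey", bob))    # False
    print(render_policy())
```

The output of render_policy() is what would be attached to the selected users or to a group they belong to, so the grant reaches only the subset you choose rather than every user in the account. Because the evaluator ignores Deny statements and conditions, it illustrates only the resource scoping; note also that the sample deliberately omits iam:DeactivateMFADevice and iam:DeleteVirtualMFADevice, so removing a user's MFA device stays an administrator task.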