Credentials (Passwords, Access Keys, and MFA devices)
AWS offers many strategies to help you administer your users' credentials in IAM—that is, their passwords, access keys, and multi-factor authentication (MFA) devices.
To access your AWS account resources, users must have credentials. To use the AWS Management Console, users must have a password. To use the AWS Command Line Interface (AWS CLI), or the Tools for Windows PowerShell, or to make API calls, users must have an access key (an access key ID and secret access key). Users who access your resources only through the API, CLI, or PowerShell do not need a password.
For extra security, you can enable multi-factor authentication (MFA) for users. With MFA, users must enter an authentication code from a hardware device or virtual device in addition to providing a password or access key.
Take advantage of the following options to administer passwords, access keys, and MFA devices:
Manage passwords for your AWS root account and IAM users. Create and change the passwords that permit access to the AWS Management Console. Set a password policy to enforce a minimum password complexity. Allow users to change their own passwords.
Manage access keys for your AWS root account and IAM users. Create and update access keys for programmatic access to the resources in your account.
Enable multi-factor authentication (MFA) for the AWS account. When MFA is enabled, you must retrieve an authentication code from a hardware device or virtual device before you can sign in to your account from the AWS Management Console.
Find unused passwords and access keys. Anyone who has a password or access keys for your account or an IAM user in your account has access to your AWS resources. The security best practice is to remove passwords and access keys when users no longer need them.
Download a credential report for your account. You can generate and download a credential report that lists all IAM users in your account and the status of their various credentials, including passwords, access keys, and MFA devices. For passwords and access keys, the credential report shows how recently the password or access key has been used.
Generate temporary security credentials for your applications and users. Temporary credentials improve the security of your account by issuing credentials to approved applications when needed, which removes the need to embed and rotate long-term credentials in your code. Temporary credentials are also the foundation of IAM roles and allow access for users from external identity providers.
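The following added example (not part of the original AWS documentation) shows one way to act on the "find unused passwords and access keys" and "download a credential report" options above: it reads a credential report CSV and lists enabled credentials that have been idle too long, plus console users without MFA. The sample rows, the 90-day threshold, and the function names are assumptions made for illustration.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample rows in the credential report's CSV layout (subset of columns).
SAMPLE_REPORT = """user,arn,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,not_supported,2024-05-30T09:00:00+00:00,true,false,N/A,N/A,false,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,true,2024-05-28T10:15:00+00:00,true,true,2024-01-10T08:00:00+00:00,2024-05-29T11:00:00+00:00,false,N/A,N/A
bob,arn:aws:iam::111122223333:user/bob,true,2023-11-02T14:30:00+00:00,false,true,2023-01-05T09:00:00+00:00,N/A,false,N/A,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,false,N/A,false,true,2022-09-01T12:00:00+00:00,2023-12-15T03:20:00+00:00,true,2024-05-20T07:00:00+00:00,N/A
"""
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed "today" for the sample
NO_DATE = {"N/A", "no_information", "not_supported", ""}  # placeholders, not timestamps

def _parse(value):
    """Return an aware datetime, or None for the report's placeholder values."""
    if value in NO_DATE:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def review_credential_report(report_csv, now, max_idle_days=90):
    """Return (user, credential, reason) tuples for credentials worth removing or fixing."""
    cutoff = now - timedelta(days=max_idle_days)
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if row["password_enabled"] == "true":
            used = _parse(row["password_last_used"])
            if used is None:
                findings.append((user, "password", "no recorded use"))
            elif used < cutoff:
                findings.append((user, "password", f"idle since {used.date()}"))
            if row["mfa_active"] != "true":
                findings.append((user, "password", "no MFA device"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            used = _parse(row[f"access_key_{n}_last_used_date"])
            created = _parse(row[f"access_key_{n}_last_rotated"])
            # A never-used key is flagged only once it is older than the cutoff,
            # so a key issued last week is not reported as stale.
            if used is None and (created is None or created < cutoff):
                findings.append((user, f"access_key_{n}", "never used"))
            elif used is not None and used < cutoff:
                findings.append((user, f"access_key_{n}", f"idle since {used.date()}"))
    return findings

if __name__ == "__main__":
    for finding in review_credential_report(SAMPLE_REPORT, SAMPLE_NOW):
        print(*finding, sep="\t")
```

To run it against a real account, pass the CSV text of a downloaded credential report and the current UTC time instead of the constructed sample.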