Best Practices for Managing AWS Access Keys
When you access AWS programmatically, you use an access key to verify your identity and the identity of your applications. An access key consists of an access key ID (something like AKIAIOSFODNN7EXAMPLE) and a secret access key (something like
Anyone who has your access key has the same level of access to your AWS resources that you do. Consequently, AWS goes to significant lengths to protect your access keys, and, in keeping with our shared-responsibility model, you should as well.
The steps that follow can help you protect access keys. For general background, see AWS Security Credentials.
Your organization may have different security requirements and policies than those described in this topic. The suggestions provided here are intended to be general guidelines.
Remove (or Don't Generate) a Root Account Access Key
An access key is required in order to sign requests that you make using the AWS Command Line Tools, the AWS SDKs, or direct API calls. Anyone who has the access key for your root account has unrestricted access to all the resources in your account, including billing information. You cannot restrict the permissions for your root account.
One of the best ways to protect your account is to not have an access key for your root account. Unless you must have a root access key (which is very rare), it is best not to generate one. Instead, the recommended best practice is to create one or more AWS Identity and Access Management (IAM) users, give them the necessary permissions, and use IAM users for everyday interaction with AWS.
If you already have an access key for your account, we recommend that you find places in your applications where you are currently using that key (if any), replace the root access key with an IAM user access key, and then disable and remove the root access key. For details about how to substitute one access key for another, see the post How to rotate access keys for IAM users on the AWS Security Blog.
By default, AWS does not generate an access key for new accounts.
For information about how to create an IAM user with administrative permissions, see Creating an Administrators Group Using the Console in the IAM User Guide.
Use Temporary Security Credentials (IAM Roles) Instead of Long-Term Access Keys
In many scenarios, you don't need a long-term access key that never expires (as you have with an IAM user). Instead, you can create IAM roles and generate temporary security credentials. Temporary security credentials consist of an access key ID and a secret access key, but they also include a security token that indicates when the credentials expire.
Long-term access keys, such as those associated with IAM users and AWS accounts (root), remain valid until you manually revoke them. However, temporary security credentials obtained through IAM roles and other features of the AWS Security Token Service expire after a short period of time. Use temporary security credentials to help reduce your risk in case credentials are accidentally exposed.
Use an IAM role and temporary security credentials in these scenarios:
You have an application or AWS CLI scripts running on an Amazon EC2 instance. Do not pass an access key to the application, embed it in the application, or have the application read a key from a source such as an Amazon S3 bucket (even if the bucket is encrypted). Instead, define an IAM role that has appropriate permissions for your application and launch the Amazon EC2 instance with roles for EC2. This associates an IAM role with the Amazon EC2 instance and lets the application get temporary security credentials that it can in turn use to make AWS calls. The AWS SDKs and the AWS CLI can get temporary credentials from the role automatically.
You need to grant cross-account access. Use an IAM role to establish trust between accounts, and then grant users in one account limited permissions to access the trusted account. For more information, see Walkthrough: Delegating Access Across AWS Accounts Using IAM Roles in the IAM User Guide.
You have a mobile app. Do not embed an access key with the app, even in encrypted storage. Instead, use Amazon Cognito to manage user identity in your app. This service lets you authenticate users using Login with Amazon, Facebook, Google, or any OpenID Connect (OIDC)–compatible identity provider. You can then use the Amazon Cognito credentials provider to manage credentials that your app uses to make requests to AWS. For more information, see Using the Amazon Cognito Credentials Provider on the AWS Mobile Development blog.
You want to federate into AWS and your organization supports SAML 2.0. If you work for an organization that has an identity provider that supports SAML 2.0, configure the provider to use SAML to exchange authentication information with AWS and get back a set of temporary security credentials. For more information, see Using Your Organization's Authentication System and SAML to Grant Access to AWS Resources in the Using Temporary Security Credentials guide.
You want to federate into AWS and your organization has an on-premises identity store. If users can authenticate inside your organization, you can write an application that can issue them temporary security credentials for access to AWS resources. For more information, see Using Your Organization's Authentication System to Grant Access to AWS Resources in the Using Temporary Security Credentials guide.
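As an added example (not part of this page or of the AWS SDKs), a Python startup check that enforces the guidance above for an application on EC2: it asks the SDK's credential chain where its credentials came from and refuses to run on an embedded long-term key. The key-ID prefixes it relies on (AKIA for long-term IAM user keys, ASIA for temporary STS credentials) and the botocore provider names are AWS conventions; the function names and the optional session argument are this example's own.

```python
"""Startup guard: make sure an application on EC2 runs on the instance role's
temporary credentials, never on an embedded long-term key. Added example, not
AWS SDK code. AWS key-ID prefixes: AKIA = long-term IAM user key, ASIA =
temporary STS key; temporary credentials also carry a session token. The
`session` argument is an optional boto3.Session supplied for testing."""


def classify_credentials(access_key_id, token):
    """Return 'temporary', 'long-term' or 'unknown' from the key ID and token."""
    if access_key_id.startswith("ASIA") and token:
        return "temporary"
    if access_key_id.startswith("AKIA") and not token:
        return "long-term"
    return "unknown"


# botocore provider names for an EC2 instance role and an ECS task role
ROLE_METHODS = ("iam-role", "container-role")


def assert_using_role_credentials(session=None):
    """Raise unless the SDK's credential chain resolved temporary role credentials.
    Returns the provider name so the caller can log where credentials came from."""
    import boto3  # imported here so classify_credentials is usable without boto3

    creds = (session or boto3.Session()).get_credentials()
    if creds is None:
        raise RuntimeError("no AWS credentials found; attach an IAM role to the instance")
    frozen = creds.get_frozen_credentials()  # access_key, secret_key, token
    kind = classify_credentials(frozen.access_key, frozen.token)
    if kind != "temporary" or creds.method not in ROLE_METHODS:
        # e.g. a long-term key picked up from the environment or the credentials file
        raise RuntimeError(f"refusing to start with {kind} credentials from {creds.method!r}")
    return creds.method
```

Call assert_using_role_credentials() before the application creates any AWS client, so a misconfigured deployment fails at startup rather than silently running on a long-term key.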
Manage IAM User Access Keys Properly
If you do need to create access keys for programmatic access to AWS, create an IAM user and grant that user only the permissions he or she needs. Then generate an access key for that user. For details, see Managing Access Keys for IAM Users in the IAM User Guide.
Remember that if you are running an application on an Amazon EC2 instance and the application needs access to AWS resources, you should use IAM roles for EC2, as described in the previous section.
Observe these precautions when using access keys:
Put access keys in one of the following locations:
The AWS credentials file. The AWS SDKs and AWS CLI automatically use the credentials that you store in the AWS credentials file.
For information about using the AWS credentials file, see the documentation for your SDK. Examples include Set Up your AWS Credentials for Use with the SDK for Java in the AWS SDK for Java Developer Guide and Configuration and Credential Files in the AWS Command Line Interface User Guide.
To store credentials for the AWS SDK for .NET and the AWS Tools for Windows PowerShell, we recommend you use the SDK Store. For more information, see Using the SDK Store in the AWS SDK for .NET Developer Guide.
Environment variables. On a multitenant system, choose user environment variables, not system environment variables.
For more information about using environment variables to store credentials, see Environment Variables in the AWS Command Line Interface User Guide.
Use different access keys for different applications. Do this so that you can isolate the permissions and revoke the access keys for individual applications if an access key is exposed. Having separate access keys for different applications also generates distinct entries in AWS CloudTrail log files, which makes it easier for you to determine which application performed specific actions.
Rotate access keys periodically. Change access keys on a regular basis. For details, see Rotating Access Keys (AWS CLI and API) in the IAM User Guide and How to rotate access keys for IAM users on the AWS Security Blog.
Remove unused access keys. If a user leaves your organization, remove the corresponding IAM user so that the user's access to your resources is removed. To find out when an access key was last used, use the GetAccessKeyLastUsed API (AWS CLI command: aws iam get-access-key-last-used).
Configure multifactor authentication for your most sensitive operations. For details, see Using Multifactor Authentication (MFA) Devices with AWS in the IAM User Guide.
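The rotation and unused-key precautions above, as an added Python example rather than AWS's own code: it lists a user's keys, checks each with GetAccessKeyLastUsed, and rotates a stale key by creating the replacement first and deactivating the old key before deleting it. The FakeIam class, the sample keys and the day thresholds are constructed for this example; against a real account you would pass boto3.client("iam") instead.

```python
# Added example (not AWS code): audit an IAM user's keys with ListAccessKeys and
# GetAccessKeyLastUsed, then rotate a stale key in a safe order. FakeIam is a
# constructed stand-in for boto3.client("iam"); thresholds are assumed policy values.
from datetime import datetime, timedelta, timezone

ROTATE_AFTER = timedelta(days=90)  # rotate keys older than this
IDLE_AFTER = timedelta(days=30)    # remove keys idle longer than this
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)  # fixed clock for the sample data

def audit_access_keys(iam, user_name, now):
    """Return {access_key_id: finding} for keys that need attention."""
    findings = {}
    for key in iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]:
        used = iam.get_access_key_last_used(AccessKeyId=key["AccessKeyId"])["AccessKeyLastUsed"]
        # LastUsedDate is absent for a never-used key: treat it as idle since creation
        idle_since = used.get("LastUsedDate") or key["CreateDate"]
        if now - idle_since > IDLE_AFTER:
            findings[key["AccessKeyId"]] = "unused: remove"
        elif now - key["CreateDate"] > ROTATE_AFTER:
            findings[key["AccessKeyId"]] = "old: rotate"
    return findings

def rotate_access_key(iam, user_name, old_key_id, deploy_new_key):
    """Create the new key, hand it to the application, then deactivate the old
    key before deleting it so it can be re-enabled if something still uses it."""
    new = iam.create_access_key(UserName=user_name)["AccessKey"]  # IAM allows two keys per user
    deploy_new_key(new["AccessKeyId"], new["SecretAccessKey"])
    iam.update_access_key(UserName=user_name, AccessKeyId=old_key_id, Status="Inactive")
    iam.delete_access_key(UserName=user_name, AccessKeyId=old_key_id)
    return new["AccessKeyId"]

class FakeIam:
    """In-memory stand-in for the five IAM calls used above; records call order."""
    def __init__(self, keys, last_used):
        self.keys, self.last_used, self.calls = keys, last_used, []
    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": list(self.keys)}
    def get_access_key_last_used(self, AccessKeyId):
        return {"AccessKeyLastUsed": self.last_used.get(AccessKeyId, {})}
    def create_access_key(self, UserName):
        key_id = f"AKIAEXAMPLENEW{len(self.keys):06d}"  # placeholder id, not a real one
        self.keys.append({"AccessKeyId": key_id, "CreateDate": NOW})
        return {"AccessKey": {"AccessKeyId": key_id, "SecretAccessKey": "<placeholder>"}}
    def update_access_key(self, UserName, AccessKeyId, Status):
        self.calls.append(("deactivate" if Status == "Inactive" else "activate", AccessKeyId))
    def delete_access_key(self, UserName, AccessKeyId):
        self.calls.append(("delete", AccessKeyId))
        self.keys[:] = [k for k in self.keys if k["AccessKeyId"] != AccessKeyId]

# Constructed sample: one key idle for 200 days, one used yesterday but 120 days old.
SAMPLE_IAM = FakeIam(
    keys=[{"AccessKeyId": "AKIAIOSFODNN7EXAMPLE", "CreateDate": NOW - timedelta(days=400)},
          {"AccessKeyId": "AKIAEXAMPLEKEY000002", "CreateDate": NOW - timedelta(days=120)}],
    last_used={"AKIAIOSFODNN7EXAMPLE": {"LastUsedDate": NOW - timedelta(days=200)},
               "AKIAEXAMPLEKEY000002": {"LastUsedDate": NOW - timedelta(days=1)}})
```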
For more information about best practices for keeping your AWS account secure, see the following resources:
IAM Best Practices. This topic presents a list of suggestions for using the AWS Identity and Access Management (IAM) service to help secure your AWS resources.
The following pages provide guidance for setting up the AWS SDKs and the AWS CLI to use access keys.
Set Up your AWS Credentials for Use with the SDK for Java in the AWS SDK for Java Developer Guide.
Using the SDK Store in the AWS SDK for .NET Developer Guide.
Providing Credentials to the SDK in the AWS SDK for PHP Developer Guide.
Credentials in the boto (Python) documentation.
Using AWS Credentials in the AWS Tools for Windows PowerShell guide.
Configuration and Credential Files in the AWS Command Line Interface User Guide.
Tutorial: Grant Access Using an IAM Role and the AWS SDK for .NET. This walkthrough discusses how programs written using the .NET SDK can automatically get temporary security credentials when running on an Amazon EC2 instance. Similar topics are available for the AWS SDK for Java and the AWS SDK for Ruby.