Amazon Web Services
General Reference (Version 1.0)

Understanding and Getting Your Security Credentials

You use different types of security credentials depending on how you interact with AWS. For example, you use a user name and password to sign in to the AWS Management Console. You use access keys to make programmatic calls to AWS API actions.

If you forget or lose your credentials, you can't recover them. For security reasons, AWS doesn't allow you to retrieve your passwords or secret access keys and does not store the private keys that are part of a key pair. However, you can create new credentials and then disable or delete the old credentials.

Note

Security credentials are account specific. If you have access to multiple AWS accounts, use the credentials that are associated with the account that you want to access.

Getting AWS root account credentials is different from getting IAM user credentials. For AWS root account credentials, you get credentials, such as access keys or key pairs, from the Security Credentials page in the AWS Management Console. For IAM user credentials, you get credentials from the IAM console.

The following list describes the types of AWS security credentials, when you might use them, and how to get each type of credential for the AWS root account or for an IAM user.

Email and password (account root user)

When you sign up for AWS, you provide an email address and password that is associated with your AWS account. You use these credentials to sign in to AWS web pages such as the AWS Management Console, AWS discussion forums, or AWS support center. The account email address and password are root-level credentials, and anyone who uses these credentials has full access to all resources in the account. We recommend that you use an IAM user name and password to sign in to AWS web pages instead. For more information, see Root Account Credentials vs. IAM User Credentials.

The email address and password are specified when the AWS account was created. You can change the email address and password on the Security Credentials page. You can also choose Forgot your password? on the AWS sign in page to reset your password.

IAM user name and password

When multiple individuals or applications require access to your AWS account, AWS Identity and Access Management (IAM) lets you create unique IAM user identities. Users can use their own user names and passwords to sign in to the AWS Management Console, AWS discussion forums, or AWS support center. In some cases, an IAM user name and password are required to use a service, such as sending email with SMTP by using Amazon Simple Email Service (Amazon SES).

For more information about IAM users, see Identities (Users, Groups, and Roles) in the IAM User Guide.

You specify user names when you create them. After you create users, you can create passwords for each user. For more information, see Managing Passwords for IAM Users in the IAM User Guide.

Note

IAM users can manage their own password but only if they have been given permission. For more information, see Permitting IAM Users to Change Their Own Password in the IAM User Guide.

Multi-Factor Authentication (MFA)

AWS Multi-Factor Authentication (AWS MFA) provides an extra level of security that you can apply to your AWS account. With AWS MFA enabled, when you sign in to an AWS website, you are prompted for your user name and password, and an authentication code from an MFA device. Together, they provide increased security for your AWS account settings and resources.

By default, MFA is not enabled. You can enable and manage MFA devices for the AWS root account by going to the Security Credentials page or the IAM dashboard in the AWS Management Console. For more information about enabling MFA for IAM users, see Enabling MFA Devices in the IAM User Guide.

Note

For additional security, we recommend that you require MFA on the root account credentials and highly privileged IAM users. For more information, see Using Multi-Factor Authentication (MFA) Devices with AWS in the IAM User Guide.

Access keys (access key ID and secret access key)

Access keys consist of an access key ID (for example, AKIAIOSFODNN7EXAMPLE) and a secret access key (for example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY). You use access keys to sign programmatic requests that you make to AWS if you use the AWS SDKs, REST, or Query APIs. The AWS SDKs use your access keys to sign requests for you, so that you don't have to handle the signing process. You can also sign requests manually. For more information, see Signing AWS API Requests.

Access keys are also used with command line interfaces (CLIs). When you use a CLI, the commands that you issue are signed by your access keys, which you can either pass with the command or store as configuration settings on your computer.

You can also create and use temporary access keys, known as temporary security credentials. In addition to the access key ID and secret access key, temporary security credentials include a security token that you must send to AWS when you use temporary security credentials. The advantage of temporary security credentials is that they are short-term. After they expire, they're no longer valid. You can use temporary access keys in less secure environments or distribute them to grant users temporary access to resources in your AWS account. For example, you can grant entities from other AWS accounts access to resources in your AWS account (cross-account access) or grant users who don't have AWS security credentials access to resources in your AWS account (federation). For more information, see Temporary Security Credentials in the IAM User Guide.
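The following is an added illustration, not code from this guide or from an AWS SDK, of what "signing a request with your access keys" means in practice and of where the session token of temporary security credentials goes. It implements the Signature Version 4 signing-key derivation with Python's standard library; the key pair is the documentation's example pair, the session token is a constructed fake, and the string-to-sign is passed in as a parameter (how to build it from the canonical request is covered under Signing AWS API Requests).

```python
import hashlib
import hmac
from typing import Dict, Optional

# Constructed inputs: the example key pair from the documentation plus an
# obviously fake session token. None of these are live credentials.
ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
SESSION_TOKEN = "FAKE-SESSION-TOKEN-FOR-ILLUSTRATION"


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def derive_signing_key(secret: str, date_stamp: str, region: str, service: str) -> bytes:
    """Signature Version 4 key derivation. The secret access key never leaves
    the client; it only seeds a chain of HMACs scoped to one date, region and
    service, so a leaked signing key is far less useful than the secret itself."""
    k_date = _hmac_sha256(("AWS4" + secret).encode("utf-8"), date_stamp)  # YYYYMMDD
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")


def sign_string(secret: str, date_stamp: str, region: str, service: str,
                string_to_sign: str) -> str:
    """Hex signature over the string-to-sign derived from the canonical request."""
    key = derive_signing_key(secret, date_stamp, region, service)
    return hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()


def auth_headers(access_key_id: str, secret: str, session_token: Optional[str],
                 date_stamp: str, region: str, service: str,
                 string_to_sign: str, signed_headers: str) -> Dict[str, str]:
    """Headers a manually signed request carries. Only the access key ID, never
    the secret, appears on the wire, inside the credential scope. Temporary
    credentials must also send their token in X-Amz-Security-Token; in a real
    request that header is added before the canonical request is built so the
    signature covers it."""
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    sig = sign_string(secret, date_stamp, region, service, string_to_sign)
    headers = {
        "Authorization": (f"AWS4-HMAC-SHA256 Credential={access_key_id}/{scope}, "
                          f"SignedHeaders={signed_headers}, Signature={sig}")
    }
    if session_token:
        headers["X-Amz-Security-Token"] = session_token
    return headers
```

Because the signing key is scoped to a single date, region and service, a request signed with it cannot be replayed against another service or reused once the date in the credential scope has passed.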

You can have a maximum of two access keys (active or inactive) at a time. For your AWS (root) account, see Managing Access Keys for your AWS Account. For IAM users, you can create IAM access keys with the IAM console. For more information, see Creating, Modifying, and Viewing User Access Keys (AWS Management Console) in the IAM User Guide.

Important

If you or your IAM users forget or lose the secret access key, you can create a new access key pair.

Key pairs

Key pairs consist of a public key and a private key. You use the private key to create a digital signature, and then AWS uses the corresponding public key to validate the signature. Key pairs are used only for Amazon EC2 and Amazon CloudFront.

For Amazon EC2, you use key pairs to access Amazon EC2 instances, such as when you use SSH to log in to a Linux instance. For more information, see Connect to Your Linux Instances in the Amazon EC2 User Guide for Linux Instances.

For Amazon CloudFront, you use key pairs to create signed URLs for private content, such as when you want to distribute restricted content that someone paid for. For more information, see Serving Private Content through CloudFront in the Amazon CloudFront Developer Guide.

AWS does not provide key pairs for your account; you must create them. You can create Amazon EC2 key pairs from the Amazon EC2 console, CLI, or API. For more information, see Amazon EC2 Key Pairs in the Amazon EC2 User Guide for Linux Instances.

You create Amazon CloudFront key pairs from the Security Credentials page. Only the root account (not IAM users) can create CloudFront key pairs. For more information, see Serving Private Content through CloudFront in the Amazon CloudFront Developer Guide.