Amazon Web Services
General Reference (Version 1.0)

Types of Security Credentials

You use different types of security credentials depending on how you interact with AWS. For example, to use the AWS Management Console, you use a user name and password to sign in to the console. In contrast, to make programmatic calls to AWS API actions, you use access keys. The following list summarizes the different types of AWS security credentials and when you might use each one.

Email address and password

When you sign up for AWS, you provide an email address and password that are associated with your AWS account. You use these credentials to sign in to secure AWS web pages like the AWS Management Console, AWS Discussion Forums, or AWS Support Center. The account email address and password are root-level credentials, meaning anyone who uses these credentials has full access to all resources in the account. We recommend that you instead use an IAM user name and password to sign in to AWS web pages. For more information, see Root Account Credentials vs. IAM User Credentials.

IAM user name and password

When multiple individuals or applications require access to your AWS account, AWS Identity and Access Management (IAM) lets you create unique IAM user identities. Each user can use his or her own user name and password to sign in to the AWS Management Console, AWS Discussion Forums, or AWS Support Center. In some cases, an IAM user name and password are required to use a service, such as sending email with SMTP by using Amazon Simple Email Service.

For more information about IAM users, see Users and Groups in the IAM User Guide.

Multi-Factor Authentication (MFA)

AWS Multi-Factor Authentication (AWS MFA) provides an extra level of security that you can apply to your AWS environment. With AWS MFA enabled, when you sign in to an AWS website, you are prompted for your user name and password, as well as for an authentication code from an MFA device. Taken together, these multiple factors provide increased security for your AWS account settings and resources. You can enable MFA for the root account and for IAM users. For more information, see Using Multi-Factor Authentication (MFA) Devices with AWS in the IAM User Guide.

Access keys (access key ID and secret access key)

Access keys consist of an access key ID (like AKIAIOSFODNN7EXAMPLE) and a secret access key (like wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY). You use access keys to sign programmatic requests that you make to AWS whether you're using the AWS SDK, REST, or Query APIs. The AWS SDKs use your access keys to sign requests for you so that you don't have to handle the signing process. If you're unable to use the AWS SDK, you can sign requests manually. For more information, see Signing AWS API Requests.

Access keys are also used with command line interfaces (CLIs). When you use a CLI, the commands that you issue are signed by your access keys, which you can either pass with the command or store as configuration settings on your computer.

You can also create and use temporary access keys, known as temporary security credentials. In addition to the access key ID and secret access key, temporary security credentials include a security token that you must submit to AWS when you use temporary security credentials. The advantage of temporary security credentials is that they have a limited life (after they expire, they're no longer valid), so you can use them in less secure environments or distribute them to grant users temporary access to resources in your AWS account. For example, you can use temporary security credentials to grant entities from other AWS accounts access to resources in your AWS account (cross-account access) or grant users who don't have AWS security credentials access to resources in your AWS account (federation). For more information, see Using Temporary Security Credentials in the IAM User Guide.
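The following added example (not part of the original AWS reference) audits access keys stored as configuration settings, classifying each profile as long-term or temporary and flagging temporary credentials that lack the required security token. It assumes the INI layout and option names of the AWS CLI shared credentials file, the 20-character key ID shape of the example above, and the AKIA (long-term) and ASIA (temporary) key ID prefixes; the ASIA key IDs and the token are constructed placeholders.

```python
import configparser
import re

# Constructed sample in the AWS CLI shared credentials file layout (assumption).
# The AKIA key is the page's example; ASIA IDs and the token are constructed.
SAMPLE = """\
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[ci-temp]
aws_access_key_id = ASIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
aws_session_token = CONSTRUCTED-PLACEHOLDER-TOKEN

[broken-temp]
aws_access_key_id = ASIAI44QH8DHBEXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""

# AKIA = long-term access key, ASIA = temporary security credentials.
KEY_ID = re.compile(r"^(AKIA|ASIA)[A-Z0-9]{16}$")

def audit_credentials(text):
    """Return {profile: (kind, [findings])} for each profile in the file text."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    report = {}
    for profile in parser.sections():
        section = parser[profile]
        match = KEY_ID.match(section.get("aws_access_key_id", fallback=""))
        has_token = bool(section.get("aws_session_token", fallback="").strip())
        findings = []
        if not match:
            kind = "unknown"
            findings.append("access key ID does not match the expected format")
        elif match.group(1) == "AKIA":
            kind = "long-term"
            findings.append("long-term secret on disk; it does not expire on its own")
        else:
            kind = "temporary"
            if not has_token:
                findings.append("security token missing; it must accompany temporary keys")
        report[profile] = (kind, findings)
    return report

if __name__ == "__main__":
    for profile, (kind, findings) in audit_credentials(SAMPLE).items():
        print(profile, kind, findings or ["ok"])
```
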

Key pairs

Key pairs consist of a public and private key, where you use the private key to create a digital signature, and then AWS uses the corresponding public key to validate the signature. Key pairs are used only for Amazon EC2 and Amazon CloudFront.

For Amazon EC2, you use key pairs to access Amazon EC2 instances, such as when you use SSH to log in to a Linux instance. For more information, see Connecting to Amazon EC2 Instances in the Amazon EC2 User Guide for Linux Instances.

For Amazon CloudFront, you use key pairs to create signed URLs for private content, such as when you want to distribute restricted content that someone paid for. For more information, see Serving Private Content through CloudFront in the Amazon CloudFront Developer Guide.