Amazon Web Services
General Reference (Version 1.0)

Understanding and Getting Your Security Credentials

You use different types of security credentials depending on how you interact with AWS. For example, you use a user name and password to sign in to the AWS Management Console. You use access keys to make programmatic calls to AWS API operations.

If you forget or lose your credentials, you can't recover them. For security reasons, AWS doesn't allow you to retrieve your passwords or secret access keys and does not store the private keys that are part of a key pair. However, you can create new credentials and then disable or delete the old credentials.

Note

Security credentials are account specific. If you have access to multiple AWS accounts, use the credentials that are associated with the account that you want to access.

Getting AWS account root user credentials differs from getting IAM user credentials. For root user credentials, you get credentials, such as access keys or key pairs, from the Security Credentials page in the AWS Management Console. For IAM user credentials, you get credentials from the IAM console.

The following list describes the types of AWS security credentials, when you might use them, and how to get each type of credential for the AWS account root user or for an IAM user.

Email and Password (Root User)

When you sign up for AWS, you provide an email address and password that is associated with your AWS account. You use these AWS account root user credentials to sign in to AWS webpages such as the AWS Management Console, AWS discussion forums, or AWS Support center. The account email address and password are root-level credentials, and anyone who uses these credentials has full access to all resources in the account. We recommend that you use an IAM user name and password to sign in to AWS webpages. For more information, see AWS Account Root User Credentials vs. IAM User Credentials.

You can change the email address and password on the Security Credentials page. You can also choose Forgot password? on the AWS sign-in page to reset your password.

IAM User Name and Password

When multiple individuals or applications require access to your AWS account, AWS Identity and Access Management (IAM) lets you create unique IAM user identities. Users can use their own user names and passwords to sign in to the AWS Management Console, AWS discussion forums, or AWS Support center. In some cases, an IAM user name and password are required to use a service, such as sending email with SMTP by using Amazon Simple Email Service (Amazon SES).

For more information about IAM users, see Identities (Users, Groups, and Roles) in the IAM User Guide.

You specify user names when you create them. After you create users, you can create passwords for each user. For more information, see Managing Passwords for IAM Users in the IAM User Guide.

Note

IAM users can manage their own password but only if they have been given permission. For more information, see Permitting IAM Users to Change Their Own Password in the IAM User Guide.

Multi-Factor Authentication (MFA)

Multi-factor authentication (MFA) provides an extra level of security that you can apply to your AWS account. For additional security, we recommend that you require MFA on the account root user credentials and highly privileged IAM users. For more information, see Using Multi-Factor Authentication (MFA) in AWS in the IAM User Guide.

With MFA enabled, when you sign in to the AWS website, you are prompted for your user name and password, and an authentication code from an MFA device. Together, they provide increased security for your AWS account settings and resources.

By default, MFA is not enabled. You can enable and manage MFA devices for the AWS account root user by going to the Security Credentials page or the IAM dashboard in the AWS Management Console. For more information about enabling MFA for IAM users, see Enabling MFA Devices in the IAM User Guide.

Access Keys (Access Key ID and Secret Access Key)

Access keys consist of an access key ID (for example, AKIAIOSFODNN7EXAMPLE) and a secret access key (for example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY). You use access keys to sign programmatic requests that you make to AWS if you use the AWS SDKs, REST, or Query API operations. The AWS SDKs use your access keys to sign requests for you, so that you don't have to handle the signing process. You can also sign requests manually. For more information, see Signing AWS API Requests.

Access keys are also used with command line interfaces (CLIs). When you use a CLI, the commands that you issue are signed by your access keys. You can pass access keys either with the command or store them as configuration settings on your computer.

You can also create and use temporary access keys, known as temporary security credentials. In addition to the access key ID and secret access key, temporary security credentials include a security token that you must send to AWS when you use temporary security credentials. The advantage of temporary security credentials is that they are short term. After they expire, they're no longer valid. You can use temporary access keys in less secure environments or distribute them to grant users temporary access to resources in your AWS account. For example, you can grant entities from other AWS accounts access to resources in your AWS account (cross-account access). You can also grant users who don't have AWS security credentials access to resources in your AWS account (federation). For more information, see Temporary Security Credentials in the IAM User Guide.

You can have a maximum of two access keys (active or inactive) at a time. For your AWS (root) account, see Managing Access Keys for Your AWS Account. For IAM users, you can create IAM access keys with the IAM console. For more information, see Creating, Modifying, and Viewing Access Keys (AWS Management Console) in the IAM User Guide.

Important

If you or your IAM users forget or lose the secret access key, you can create a new access key.

Key Pairs

Key pairs consist of a public key and a private key. You use the private key to create a digital signature, and then AWS uses the corresponding public key to validate the signature. Key pairs are used only for Amazon EC2 and Amazon CloudFront.

For Amazon EC2, you use key pairs to access Amazon EC2 instances, such as when you use SSH to log in to a Linux instance. For more information, see Connect to Your Linux Instances in the Amazon EC2 User Guide for Linux Instances.

For Amazon CloudFront, you use key pairs to create signed URLs for private content, such as when you want to distribute restricted content that someone paid for. For more information, see Serving Private Content through CloudFront in the Amazon CloudFront Developer Guide.

AWS does not provide key pairs for your account; you must create them. You can create Amazon EC2 key pairs from the Amazon EC2 console, CLI, or API. For more information, see Amazon EC2 Key Pairs in the Amazon EC2 User Guide for Linux Instances.

You create Amazon CloudFront key pairs from the Security Credentials page. Only the AWS account root user (not IAM users) can create CloudFront key pairs. For more information, see Serving Private Content through CloudFront in the Amazon CloudFront Developer Guide.