Amazon Web Services
General Reference (Version 1.0)

How Do I Get Security Credentials?

If you forget or lose your credentials, you cannot recover them. For security reasons, AWS doesn't allow you to retrieve your passwords or secret access keys and does not store the private keys that are part of a key pair. However, you can create new credentials and then disable or delete the old credentials.


Security credentials are account specific. If you have access to multiple AWS accounts, use the credentials that are associated with the account that you want to access.

Getting AWS root account credentials is different than getting IAM user credentials. For AWS root account credentials, you get credentials, such as access keys or key pairs, by going to the Security Credentials page in the AWS Management Console. For IAM user credentials, you get credentials from the IAM console. The following list describes how you can get each type of credential for the AWS root account or for an IAM user.

Email address and password

The email address and password are specified when the AWS account was created. You can change the email address and password on the Security Credentials page.

IAM user name and password

You specify user names when you create them. After you create users, you can create passwords for each user. For more information, see Managing Passwords for IAM Users in the IAM User Guide.


IAM users can manage their own password but only if they have been given permission to do so. For more information, see Permitting IAM Users to Change Their Own Password in the IAM User Guide.

Access keys (access key ID and secret access key)

For AWS account access keys (root users), you can create access keys for the account. You can have a maximum of two access keys (active or inactive) at a time.

To create new access keys for a root user

  1. Go to the Security Credentials page in the AWS Management Console.

  2. When prompted, choose Continue to Security Credentials.

  3. Choose Access Keys (Access Key ID and Secret Access Key).

  4. Choose Create New Access Key, and then choose Show Access Key or Download Key File to retrieve the credentials.

For IAM users, you can create IAM access keys with the IAM console. For more information, see Creating, Modifying, and Viewing User Access Keys in the IAM User Guide.


If you or your IAM users forget or lose the secret access key, you can create a new access key pair.


By default, MFA (multi-factor authentication) is not enabled. You can enable and manage MFA devices for the AWS root account by going to the Security Credentials page or the IAM dashboard in the AWS Management Console. For more information about enabling MFA for IAM users, see Setting Up an MFA Device in the IAM User Guide.


AWS recommends that you require MFA on the root account credentials and highly privileged IAM users for additional security.

Key pairs

AWS does not provide key pairs for your account; you must create them.

You can create Amazon EC2 key pairs from the Amazon EC2 console, CLI, or API. For more information, see Amazon EC2 Key Pairs in the Amazon EC2 User Guide for Linux Instances.

You create Amazon CloudFront key pairs from the Security Credentials page. Only the root account (not IAM users) can create CloudFront key pairs. For more information, see Serving Private Content through CloudFront in the Amazon CloudFront Developer Guide.