Amazon Web Services
General Reference (Version 1.0)

Managing Access Keys for your AWS Account

You can create, rotate, disable, or delete access keys (access key IDs and secret access keys) for your AWS (root) account. Anyone who has the access key for your AWS account has unrestricted access to all the resources in your account, including billing information.


Unless you are performing a task that requires the account root user (which is very rare — most tasks can be performed by an IAM user with administrative permissions), we recommend that you delete any root access keys and instead create an administrative AWS Identity and Access Management (IAM) user for your everyday interaction with AWS. For a tutorial on how to create this user, see Creating Your First IAM User and Administrators Group in the IAM User Guide. For more information, see IAM Best Practices and Lock away your AWS account (root) access keys.

When you create an access key, AWS displays the access key ID and a secret access key. To ensure the security of your AWS account, the secret access key is displayed only once. If a secret key is lost, you can delete the access key, and then create a new key.

By default, when you create an access key the status is Active, which means you can use the access key for API calls. Each AWS account and IAM user can have two sets of access keys, which is useful when you rotate the access keys. You can disable an access key, so that it can't be used for API calls.

You can create or delete an access key any time. However, when you delete an access key, it's gone forever and can't be retrieved.

Creating, Disabling, and Deleting Access Keys for your AWS Account

To create, disable, or delete an access key for your AWS (root) account

  1. Use your AWS account email address and password to sign in to the AWS Management Console.


    If you previously signed in to the console with IAM user credentials, your browser might open your IAM user sign-in page. You can't use the user sign-in page to sign in with your root credentials. Instead, choose Sign in using AWS Account credentials near the bottom of the page to go to the account sign-in page.

  2. In the upper right of the console, choose the account name or number and then choose Security Credentials.

  3. On the AWS Security Credentials page, expand the Access Keys (Access Key ID and Secret Access Key) section.

  4. Choose Create New Access Key. You can have a maximum of two access keys (active or inactive) at a time.

  5. Choose Download Key File to save the access key ID and secret access key to a .csv file on your computer. After you close the dialog box, you can't retrieve this secret access key again.

  6. To disable an access key, choose Make Inactive. AWS denies requests signed with inactive access keys. To re-enable the key, choose Make Active.

  7. To delete an access key, choose Delete. To confirm that the access key was deleted, look for Deleted in the Status column.


    Before you delete an access key, make sure it is no longer in use. You can't recover a deleted access key.