Amazon Web Services
General Reference (Version 1.0)

Managing Access Keys for your AWS Account

This section explains how to create, rotate, disable, or delete access keys (access key IDs and secret access keys) for your AWS (root) account. Anyone who has the access key for your AWS account has unrestricted access to all the resources in your account, including billing information.


We recommend that you not have an access key for your root account. Instead, we recommend that you create one or more AWS Identity and Access Management (IAM) users, give them the necessary permissions, and use IAM users for everyday interaction with AWS. For more information, see IAM Best Practices in the IAM User Guide. For more information about why you should not have root access keys, see Remove (or Don't Generate) a Root Account Access Key in Best Practices for Managing AWS Access Keys.

When you create an access key, AWS displays the access key ID and a secret access key. To ensure the security of your AWS account, the secret access key is displayed only one time, when you create the access key. If a secret key is lost, you can delete the access key and then create a new key.

By default, when you create an access key, its status is Active, which means you can use the access key for API calls. Each AWS account can have two sets of access keys, which is useful when you rotate the access keys. You can disable an access key, which means it can't be used for API calls. You might do this while you're replacing your root access key with an IAM user access key.

You can delete an access key at any time. However, when you delete an access key, it's gone forever and cannot be retrieved. You can create new access keys at any time.

Creating, Disabling, and Deleting Access Keys for your AWS Account

To create, disable, or delete an access key for your AWS (root) account

  1. Use your AWS account email address and password to sign in to the AWS Management Console.


    If you previously signed in to the console with IAM user credentials, your browser might open your IAM user sign-in page. You cannot use the user sign-in page to sign in with your root credentials. Instead, click Sign in using AWS Account credentials near the bottom of the page to go to the account sign-in page.

  2. In the upper-right corner of the console, click the arrow next to the account name or number and then click Security Credentials.

  3. On the AWS Security Credentials page, expand the Access Keys (Access Key ID and Secret Access Key) section.

  4. Click Create New Access Key. Note that you can have a maximum of two access keys (active or inactive) at a time.

  5. Click Download Key File to save the access key ID and secret access key to a .csv file on your computer. You will not have access to this secret access key again after this dialog box closes.

  6. To disable an access key, for example, when you are rotating your access keys, click Make Inactive. AWS requests signed with inactive access keys will be rejected by AWS. To re-enable the key, click Make Active.

  7. To delete an access key, click Delete. To confirm that the access key was deleted, look for Deleted in the Status column.


    Before you delete an access key, make sure it is no longer in use. You cannot recover a deleted access key.
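
The following is an added example, not part of the original AWS documentation: a check over a downloaded IAM credential report that lists any root access keys that are still active and when each was last used, which helps confirm a key is no longer in use before you make it inactive and delete it. It assumes the credential report's CSV layout (a <root_account> row and access_key_N_active / access_key_N_last_used_date columns); the sample report and the function names are constructed for illustration.

```python
import csv
import io

# Constructed sample in the IAM credential report CSV layout, trimmed to the
# columns used here; account ID, user names and dates are made up.
SAMPLE_REPORT = (
    "user,arn,access_key_1_active,access_key_1_last_used_date,"
    "access_key_2_active,access_key_2_last_used_date\n"
    "<root_account>,arn:aws:iam::111122223333:root,"
    "true,2014-03-02T17:45:00+00:00,false,N/A\n"
    "deploy-user,arn:aws:iam::111122223333:user/deploy-user,"
    "true,2014-03-03T10:15:00+00:00,false,N/A\n"
)

ROOT_USER = "<root_account>"  # name of the AWS (root) account row in the report


def active_root_keys(report_csv):
    """Return [{'slot': n, 'last_used': str or None}] for active root keys."""
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] != ROOT_USER:
            continue
        keys = []
        for slot in (1, 2):  # an account can have at most two access keys
            if row[f"access_key_{slot}_active"].strip().lower() != "true":
                continue  # inactive or absent: cannot sign API calls
            used = row[f"access_key_{slot}_last_used_date"].strip()
            keys.append({"slot": slot,
                         "last_used": None if used == "N/A" else used})
        return keys
    raise ValueError("report has no <root_account> row; is it complete?")


def findings(report_csv):
    """Turn the active root keys into review messages for an operator."""
    out = []
    for key in active_root_keys(report_csv):
        if key["last_used"] is None:
            out.append(f"root access key {key['slot']} is active with no "
                       "recorded use: candidate to make inactive, then delete")
        else:
            out.append(f"root access key {key['slot']} is active, last used "
                       f"{key['last_used']}: move that caller to an IAM user "
                       "before making the key inactive")
    return out


if __name__ == "__main__":
    for line in findings(SAMPLE_REPORT) or ["no active root access keys"]:
        print(line)
```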