Managing access keys for IAM users
If you found this page because you are looking for information about the Product Advertising API to sell Amazon products on your website, see the Product Advertising API 5.0 Documentation.
Access keys are long-term credentials for an IAM user or the AWS account root user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API (directly or using the AWS SDK). For more information, see Signing AWS API Requests in the Amazon Web Services General Reference.
Access keys consist of two parts: an access key ID (for example, AKIAIOSFODNN7EXAMPLE) and a secret access key (for example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY). Like a user name and password, you must use both the access key ID and secret access key together to authenticate your requests. Manage your access keys as securely as you do your user name and password.
Do not provide your access keys to a third party, even to help find your canonical user ID. By doing this, you might give someone permanent access to your account.
As a best practice, use temporary security credentials (IAM roles) instead of access keys, and disable any AWS account root user access keys. For more information, see Best Practices for Managing AWS Access Keys in the Amazon Web Services General Reference.
If you still need to use long-term access keys, you can create, modify, view, or rotate your access keys (access key IDs and secret access keys). You can have a maximum of two access keys. This allows you to rotate the active keys according to best practices.
When you create an access key pair, save the access key ID and secret access key in a secure location. The secret access key is available only at the time you create it. If you lose your secret access key, you must delete the access key and create a new one. For more details, see Resetting lost or forgotten passwords or access keys for AWS.
Permissions required
To create access keys for your own IAM user, you must have the permissions from the following policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CreateOwnAccessKeys",
      "Effect": "Allow",
      "Action": [
        "iam:CreateAccessKey",
        "iam:GetUser",
        "iam:ListAccessKeys"
      ],
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    }
  ]
}
To rotate access keys for your own IAM user, you must have the permissions from the following policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ManageOwnAccessKeys",
      "Effect": "Allow",
      "Action": [
        "iam:CreateAccessKey",
        "iam:DeleteAccessKey",
        "iam:GetAccessKeyLastUsed",
        "iam:GetUser",
        "iam:ListAccessKeys",
        "iam:UpdateAccessKey"
      ],
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    }
  ]
}
Managing access keys (console)
You can use the AWS Management Console to manage an IAM user's access keys.
To create, modify, or delete your own IAM user access keys (console)
- Use your AWS account ID or account alias, your IAM user name, and your password to sign in to the IAM console.
  Note: For your convenience, the AWS sign-in page uses a browser cookie to remember your IAM user name and account information. If you previously signed in as a different user, choose Sign in to a different account near the bottom of the page to return to the main sign-in page. From there, you can type your AWS account ID or account alias to be redirected to the IAM user sign-in page for your account.
  To get your AWS account ID, contact your administrator.
- In the navigation bar on the upper right, choose your user name, and then choose My Security Credentials.
- Expand the Access keys (access key ID and secret access key) section.
- Do any of the following:
  - To create an access key, choose Create New Access Key. If this feature is disabled, then you must delete one of the existing keys before you can create a new one. A warning explains that you have only this one opportunity to view or download the secret access key. To copy the key to paste it somewhere else for safekeeping, choose Show Access Key. To save the access key ID and secret access key to a .csv file in a secure location on your computer, choose Download Key File.
  - To disable an active access key, choose Make Inactive.
  - To reenable an inactive access key, choose Make Active.
  - To delete your access key, choose Delete. AWS recommends that before you do this, you first deactivate the key and test that it’s no longer in use. When you use the AWS Management Console, you must deactivate your key before deleting it.
To create, modify, or delete another IAM user's access keys (console)
- Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
- In the navigation pane, choose Users.
- Choose the name of the user whose access keys you want to manage, and then choose the Security credentials tab.
- In the Access keys section, do any of the following:
  - To create an access key, choose Create access key. Then choose Download .csv file to save the access key ID and secret access key to a CSV file on your computer. Store the file in a secure location. You will not have access to the secret access key again after this dialog box closes. After you download the CSV file, choose Close. When you create an access key, the key pair is active by default, and you can use the pair right away.
  - To disable an active access key, choose Make inactive.
  - To reenable an inactive access key, choose Make active.
  - To delete your access key, choose Delete. AWS recommends that before you do this, you first deactivate the key and test that it’s no longer in use. When you use the AWS Management Console, you must deactivate your key before deleting it.
To list the access keys for an IAM user (console)
- Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
- In the navigation pane, choose Users.
- Choose the name of the intended user, and then choose the Security credentials tab. The user's access keys and the status of each key are displayed.
Note: Only the user's access key ID is visible. The secret access key can only be retrieved when the key is created.
To list the access key IDs for multiple IAM users (console)
- Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
- In the navigation pane, choose Users.
- If necessary, add the Access key ID column to the users table by completing the following steps:
  - Above the table on the far right, choose the settings icon.
  - In Manage columns, select Access key ID.
  - Choose Close to return to the list of users.
- The Access key ID column shows each access key ID, followed by its state; for example, 23478207027842073230762374023 (Active) or 22093740239670237024843420327 (Inactive).
  You can use this information to view and copy the access keys for users with one or two access keys. The column displays None for users with no access key.
Note: Only the user's access key ID and status are visible. The secret access key can only be retrieved when the key is created.
To find which IAM user owns a specific access key (console)
- Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
- In the navigation pane, choose Users.
- In the search box, type or paste the access key ID of the user you want to find.
- If necessary, add the Access key ID column to the users table by completing the following steps:
  - Above the table on the far right, choose the settings icon.
  - In Manage columns, select Access key ID.
  - Choose Close to return to the list of users and confirm that the filtered user owns the specified access key.
Managing access keys (AWS CLI)
To manage an IAM user's access keys from the AWS CLI, run the following commands.
- To create an access key:
  aws iam create-access-key
- To disable or reenable an access key:
  aws iam update-access-key
- To list a user's access keys:
  aws iam list-access-keys
- To determine when an access key was most recently used:
  aws iam get-access-key-last-used
- To delete an access key:
  aws iam delete-access-key
Managing access keys (AWS API)
To manage an IAM user's access keys from the AWS API, call the following operations.
- To create an access key:
  CreateAccessKey
- To disable or reenable an access key:
  UpdateAccessKey
- To list a user's access keys:
  ListAccessKeys
- To determine when an access key was most recently used:
  GetAccessKeyLastUsed
- To delete an access key:
  DeleteAccessKey
Rotating access keys
As a security best practice, we recommend that you regularly rotate (change) IAM user access keys. If your administrator granted you the necessary permissions, you can rotate your own access keys.
Administrators, for details about granting your users permissions to rotate their own access keys, see AWS: Allows IAM users to manage their own password, access keys, and SSH public keys on the My Security Credentials page. You can also apply a password policy to your account to require that all of your IAM users periodically rotate their passwords. You can choose how often they must do so. For more information, see Setting an account password policy for IAM users.
As a best practice, do not use your AWS account root user. If you use the AWS account root user credentials, we recommend that you also regularly rotate them. The account password policy does not apply to the root user credentials. IAM users cannot manage credentials for the AWS account root user, so you must use the root user credentials (not a user's) to change the root user credentials. Note that we recommend against using the root user for everyday work in AWS.
Rotating IAM user access keys (console)
You can rotate access keys from the AWS Management Console.
To rotate access keys for an IAM user without interrupting your applications (console)
- While the first access key is still active, create a second access key.
  - Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
  - In the navigation pane, choose Users.
  - Choose the name of the intended user, and then choose the Security credentials tab.
  - Choose Create access key and then choose Download .csv file to save the access key ID and secret access key to a .csv file on your computer. Store the file in a secure location. You will not have access to the secret access key again after this dialog box closes. After you have downloaded the .csv file, choose Close. The new access key is active by default. At this point, the user has two active access keys.
- Update all applications and tools to use the new access key.
- Determine whether the first access key is still in use by reviewing the Last used column for the oldest access key. One approach is to wait several days and then check the old access key for any use before proceeding.
- Even if the Last used column value indicates that the old key has never been used, we recommend that you do not immediately delete the first access key. Instead, choose Make inactive to deactivate the first access key.
- Use only the new access key to confirm that your applications are working. Any applications and tools that still use the original access key will stop working at this point because they no longer have access to AWS resources. If you find such an application or tool, you can choose Make active to reenable the first access key. Then return to Step 3 and update this application to use the new key.
- After you wait some period of time to ensure that all applications and tools have been updated, you can delete the first access key:
  - Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
  - In the navigation pane, choose Users.
  - Choose the name of the intended user, and then choose the Security credentials tab.
  - Locate the access key to delete and choose its X button at the far right of the row. Enter the access key ID to confirm the deletion and then choose Delete.
To determine when access keys need rotating (console)
- Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
- In the navigation pane, choose Users.
- If necessary, add the Access key age column to the users table by completing the following steps:
  - Above the table on the far right, choose the settings icon.
  - In Manage columns, select Access key age.
  - Choose Close to return to the list of users.
- The Access key age column shows the number of days since the oldest active access key was created. You can use this information to find users with access keys that need rotating. The column displays None for users with no access key.
Rotating access keys (AWS CLI)
You can rotate access keys from the AWS Command Line Interface.
To rotate access keys without interrupting your applications (AWS CLI)
- While the first access key is still active, create a second access key, which is active by default. Run the following command:
  At this point, the user has two active access keys.
- Update all applications and tools to use the new access key.
- Determine whether the first access key is still in use by using this command:
  One approach is to wait several days and then check the old access key for any use before proceeding.
- Even if Step 3 indicates no use of the old key, we recommend that you do not immediately delete the first access key. Instead, change the state of the first access key to Inactive using this command:
- Use only the new access key to confirm that your applications are working. Any applications and tools that still use the original access key will stop working at this point because they no longer have access to AWS resources. If you find such an application or tool, you can switch its state back to Active to reenable the first access key. Then return to Step 2 and update this application to use the new key.
- After you wait some period of time to ensure that all applications and tools have been updated, you can delete the first access key with this command:
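The decision logic behind the rotation procedure above (and the "Access key age" check in the console section) can be scripted against the JSON that aws iam list-access-keys and aws iam get-access-key-last-used print. The following is an added example, not AWS code: the two responses and the "today" timestamp are constructed, the 90-day age and 7-day quiet thresholds are assumed policy values, and only the two-key limit and the deactivate-before-delete order come from the page.

```python
"""Rotation audit over the JSON output of `aws iam list-access-keys` and
`aws iam get-access-key-last-used`. Added example, not AWS code; the
responses below are constructed, not captured from a real account."""
import json
from datetime import datetime, timezone

# Constructed output of: aws iam list-access-keys --user-name alice
LIST_ACCESS_KEYS = """{
  "AccessKeyMetadata": [
    {"UserName": "alice", "AccessKeyId": "AKIAIOSFODNN7EXAMPLE",
     "Status": "Active", "CreateDate": "2023-01-10T09:00:00+00:00"},
    {"UserName": "alice", "AccessKeyId": "AKIAI44QH8DHBEXAMPLE",
     "Status": "Active", "CreateDate": "2023-06-01T12:00:00+00:00"}
  ]
}"""

# Constructed output of: aws iam get-access-key-last-used --access-key-id <id>
LAST_USED = {
    "AKIAIOSFODNN7EXAMPLE": """{"UserName": "alice", "AccessKeyLastUsed":
        {"LastUsedDate": "2023-05-20T08:15:00+00:00", "ServiceName": "s3", "Region": "us-east-1"}}""",
    # A key that was never used comes back without LastUsedDate and with "N/A" fields.
    "AKIAI44QH8DHBEXAMPLE": """{"UserName": "alice", "AccessKeyLastUsed":
        {"ServiceName": "N/A", "Region": "N/A"}}""",
}

NOW = "2023-06-20T00:00:00+00:00"  # constructed "today" for the sample run


def parse_ts(value):
    """The CLI prints ISO 8601 timestamps; accept a trailing 'Z' as well as '+00:00'."""
    return value if isinstance(value, datetime) else datetime.fromisoformat(value.replace("Z", "+00:00"))


def idle_days(last_used_json, now):
    """Days since the key was last used, or None when IAM reports it was never used."""
    info = json.loads(last_used_json)["AccessKeyLastUsed"]
    if "LastUsedDate" not in info:
        return None
    return (parse_ts(now) - parse_ts(info["LastUsedDate"])).days


def rotation_plan(list_json, last_used_json_by_id, now=None, max_age_days=90, quiet_days=7):
    """Map each access key ID to its next rotation step, in the page's order:
    create a second key, point applications at it, deactivate the old key once
    it has been idle for quiet_days, and only then delete it."""
    now = parse_ts(now) if now else datetime.now(timezone.utc)
    keys = sorted(json.loads(list_json)["AccessKeyMetadata"],
                  key=lambda k: parse_ts(k["CreateDate"]))  # oldest first
    if len(keys) > 2:
        raise ValueError("IAM allows at most two access keys per user")
    plan = {}
    if len(keys) == 1:
        age = (now - parse_ts(keys[0]["CreateDate"])).days
        plan[keys[0]["AccessKeyId"]] = "create second key" if age >= max_age_days else "no action"
        return plan
    old, new = keys
    plan[new["AccessKeyId"]] = "keep (current key)"
    idle = idle_days(last_used_json_by_id[old["AccessKeyId"]], now)
    quiet = idle is None or idle >= quiet_days
    if old["Status"] == "Active":
        plan[old["AccessKeyId"]] = "make inactive" if quiet else "still in use: update applications"
    else:
        # Deactivating before deleting is the safety net: an application that breaks
        # can be rescued by re-activating the key instead of re-issuing credentials.
        plan[old["AccessKeyId"]] = "delete" if quiet else "keep inactive and observe"
    return plan


def cli_command(user, key_id, action):
    """Render the aws iam command that carries out a plan entry; None for observe/keep steps."""
    if action == "create second key":
        return f"aws iam create-access-key --user-name {user}"
    if action == "make inactive":
        return f"aws iam update-access-key --user-name {user} --access-key-id {key_id} --status Inactive"
    if action == "delete":
        return f"aws iam delete-access-key --user-name {user} --access-key-id {key_id}"
    return None


if __name__ == "__main__":
    for key_id, action in rotation_plan(LIST_ACCESS_KEYS, LAST_USED, NOW).items():
        print(key_id, "->", action, "|", cli_command("alice", key_id, action) or "")
```

With the constructed data the older key has been idle for 30 days, so the plan says to make it inactive and renders the matching update-access-key command; rerun after deactivation (Status "Inactive") and the same key advances to delete. The commands are printed rather than executed so the plan can be reviewed before any key state changes.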
For more information, see the following:
- How to Rotate Access Keys for IAM Users. This entry on the AWS Security Blog provides more information on key rotation.
- Security best practices in IAM. This page provides general recommendations for helping to secure your AWS resources.
Rotating access keys (AWS API)
You can rotate access keys using the AWS API.
To rotate access keys without interrupting your applications (AWS API)
- While the first access key is still active, create a second access key, which is active by default. Call the following operation:
  At this point, the user has two active access keys.
- Update all applications and tools to use the new access key.
- Determine whether the first access key is still in use by calling this operation:
  One approach is to wait several days and then check the old access key for any use before proceeding.
- Even if Step 3 indicates no use of the old key, we recommend that you do not immediately delete the first access key. Instead, change the state of the first access key to Inactive by calling this operation:
- Use only the new access key to confirm that your applications are working. Any applications and tools that still use the original access key will stop working at this point because they no longer have access to AWS resources. If you find such an application or tool, you can switch its state back to Active to reenable the first access key. Then return to Step 2 and update this application to use the new key.
- After you wait some period of time to ensure that all applications and tools have been updated, you can delete the first access key by calling this operation:
For more information, see the following:
- How to Rotate Access Keys for IAM Users. This entry on the AWS Security Blog provides more information on key rotation.
- Security best practices in IAM. This page provides general recommendations for helping to secure your AWS resources.
Auditing access keys
You can review the AWS access keys in your code to determine whether the keys are from an account that you own. You can pass an access key ID using the aws sts get-access-key-info AWS CLI command or the GetAccessKeyInfo AWS API operation.
The AWS CLI and AWS API operations return the ID of the AWS account to which the access key belongs. Access key IDs beginning with AKIA are long-term credentials for an IAM user or an AWS account root user. Access key IDs beginning with ASIA are temporary credentials that are created using AWS STS operations. If the account in the response belongs to you, you can sign in as the root user and review your root user access keys. Then, you can pull a credentials report to learn which IAM user owns the keys. To learn who requested the temporary credentials for an ASIA access key, view the AWS STS events in your CloudTrail logs.
For security purposes, you can review AWS CloudTrail logs to learn who performed an action in AWS. You can use the sts:SourceIdentity condition key in the role trust policy to require users to specify an identity when they assume a role. For example, you can require that IAM users specify their own user name as their source identity. This can help you determine which user performed a specific action in AWS. For more information, see sts:SourceIdentity.
This operation does not indicate the state of the access key. The key might be active, inactive, or deleted. Active keys might not have permissions to perform an operation. Providing a deleted access key might return an error that the key doesn't exist.
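The audit described above (find key IDs in code, classify them by prefix, and check the owning account with get-access-key-info) can be scripted. The following is an added example, not AWS code: the scanned config fragment, the ASIA key ID and the get-access-key-info responses are constructed, and the 20-character ID pattern is an assumption about the current key format rather than something the page states.

```python
"""Triage access key IDs found in source or configuration files.
Added example, not AWS code: the scanned text, the ASIA key ID and the
`aws sts get-access-key-info` responses are all constructed."""
import json
import re

# Assumed format: a 20-character upper-case alphanumeric ID whose prefix gives its kind.
ACCESS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")

# Constructed config fragment, as a repository scan might surface it.
SAMPLE_TEXT = """
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
# session credentials pasted into a script
AWS_ACCESS_KEY_ID=ASIAIOSFODNN7EXAMPLE
"""

# Constructed responses of: aws sts get-access-key-info --access-key-id <id>
GET_ACCESS_KEY_INFO = {
    "AKIAIOSFODNN7EXAMPLE": '{"Account": "123456789012"}',
    "ASIAIOSFODNN7EXAMPLE": '{"Account": "210987654321"}',
}


def key_kind(key_id):
    """Classify an access key ID by its prefix, as the page describes."""
    if key_id.startswith("AKIA"):
        return "long-term (IAM user or root user)"
    if key_id.startswith("ASIA"):
        return "temporary (AWS STS)"
    return "unknown"


def find_key_ids(text):
    """Unique access key IDs in order of first appearance; only the ID is needed for the lookup."""
    return list(dict.fromkeys(ACCESS_KEY_ID_RE.findall(text)))


def audit(text, own_accounts, key_info_by_id):
    """For each key ID found in text, record its kind, owning account and the
    follow-up the page recommends. key_info_by_id stands in for the CLI call."""
    findings = []
    for key_id in find_key_ids(text):
        account = json.loads(key_info_by_id[key_id])["Account"]
        owned = account in own_accounts
        if not owned:
            next_step = "belongs to an account you do not own"
        elif key_id.startswith("AKIA"):
            next_step = "review root user access keys, then the credentials report, to find the owner"
        else:
            next_step = "find the AWS STS event that issued it in CloudTrail"
        findings.append({
            "key_id": key_id,
            "kind": key_kind(key_id),
            "account": account,
            "owned": owned,
            "next_step": next_step,
            # get-access-key-info does not report whether the key is active, inactive or deleted.
            "state": "unknown",
        })
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_TEXT, {"123456789012"}, GET_ACCESS_KEY_INFO):
        print(finding)
```

The secret access key in the fragment is deliberately not matched: ownership is resolved from the key ID alone, so a scan never has to handle or store the secret. The state field is left as unknown to mirror the caveat above that the lookup says nothing about whether the key still works.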