Best practices for managing AWS access keys - AWS General Reference

Best practices for managing AWS access keys

When you use AWS programmatically, you provide your AWS access keys so that AWS can verify your identity in programmatic calls. Each of your access keys consists of an access key ID (for example, AKIAIOSFODNN7EXAMPLE) and a secret access key (for example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY). The access key ID is sent with every request to identify the key; the secret access key is used to sign the request and is never transmitted, so anyone who learns it can sign requests as you.

Anyone who has your access keys has the same level of access to your AWS resources that you do. Under the shared-responsibility model, AWS protects the copies of your access keys that it holds; protecting the copies you hold, wherever they are stored or used, is your responsibility.

The steps that follow can help you protect your access keys. For background information, see AWS security credentials.

Note

Your organization might have different security requirements and policies than those described in this topic. The suggestions here provide general guidelines.

Don't create access keys for the root user

When you make requests with the AWS Command Line Tools, AWS SDKs, or direct API calls, you sign the requests with your access keys. Anyone who has the access keys for your AWS account root user has unrestricted access to all the resources in your account. This includes access to billing information. You can't restrict the permissions for your AWS account root user.

One of the best ways to protect your account is not to create access keys for your AWS account root user.

If you already have access keys for your account, we recommend the following:

  1. Find places in your applications (if any) where you currently use access keys.

  2. Replace the root user access keys with IAM user access keys.

  3. Deactivate and delete the root user access keys.

For more information about how to substitute one access key for another, see How to Rotate Access Keys for IAM Users on the AWS Security Blog.

By default, AWS doesn't generate access keys for new accounts.

For information about how to create an IAM user with administrative permissions, see Creating Your First IAM Admin User and Group in the IAM User Guide.

Use temporary security credentials (IAM roles)

In many scenarios, you don't need long-term access keys that never expire (as you have with an IAM user). Instead, you can create IAM roles and generate temporary security credentials. Temporary security credentials consist of an access key ID and a secret access key, but they also include a security token that indicates when the credentials expire.

Long-term access keys, such as those associated with IAM users and AWS account root users, remain valid until you manually revoke them. However, temporary security credentials that you obtain through IAM roles and other features of the AWS Security Token Service are valid for only a short time. You can configure them to last for anywhere from a few minutes to several hours. Use temporary security credentials to help reduce your risk in case credentials are exposed.

Use an IAM role and temporary security credentials in the following situations:

  • You have an application or AWS CLI scripts that run on an Amazon EC2 instance. Don't use access keys directly in your application: don't pass access keys to the application, embed them in it, or let it read access keys from any source. Instead, define an IAM role that has the permissions your application needs and launch the Amazon Elastic Compute Cloud (Amazon EC2) instance with that role (IAM roles for EC2). The instance can then obtain temporary security credentials for the role and use them to make programmatic calls to AWS. The AWS SDKs and the AWS Command Line Interface (AWS CLI) retrieve these temporary credentials from the instance automatically and refresh them before they expire.

  • You need to grant cross-account access. Use an IAM role to establish trust between accounts, and then grant users in one account limited permissions to access the trusted account. For more information, see Tutorial: Delegate access across AWS accounts using IAM roles in the IAM User Guide.

  • You have a mobile app. Don't embed access keys in the app, even in encrypted storage; anything shipped to a device can be extracted. Instead, use Amazon Cognito to manage user identities in your app. This service lets you authenticate users using Login with Amazon, Facebook, Google, or any identity provider (IdP) compatible with OpenID Connect (OIDC). You can then use the Amazon Cognito credentials provider to manage the temporary credentials that your app uses to make requests to AWS. For more information, see Using the Amazon Cognito Credentials Provider on the AWS Mobile Blog.

  • You want to federate into AWS and your organization supports SAML 2.0. If you work for an organization that has an identity provider that supports SAML 2.0, configure the provider to use SAML. You can use SAML to exchange authentication information with AWS and get back a set of temporary security credentials. For more information, see About SAML 2.0-based Federation in the IAM User Guide.

  • You want to federate into AWS and your organization has an on-premises identity store. If users can authenticate inside your organization, you can write an application that can issue them temporary security credentials for access to AWS resources. For more information, see Enabling custom identity broker access to the AWS Management Console in the IAM User Guide.
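The EC2 case above is worth seeing end to end, because the SDKs hide it. The following is an added example, not AWS SDK or CLI code: it performs the instance metadata service (IMDS) exchange that an SDK performs on an instance launched with a role. It uses IMDSv2, which requires a session token obtained with a PUT before any metadata GET; the earlier token-less IMDSv1 is what server-side request forgery bugs in web apps on EC2 were used against to steal role credentials. The HTTP transport is a parameter so the flow can run off an instance against the constructed fake at the bottom; the field names in the fake match what IMDS returns, and the key ID, secret, token and expiry values are made up.

```python
"""Temporary role credentials from the EC2 instance metadata service (IMDSv2).

Added example, not AWS SDK or CLI code. The transport is injected so the logic
can run offline against a constructed fake of the metadata service.
"""
import json
import urllib.error
import urllib.request
from datetime import datetime, timedelta, timezone
from typing import Callable, Tuple

IMDS_BASE = "http://169.254.169.254"  # link-local address of the metadata service
TOKEN_TTL_SECONDS = 21600             # IMDSv2 tokens live at most 6 hours

# transport(method, url, headers) -> (http_status, body)
Transport = Callable[[str, str, dict], Tuple[int, str]]


def urllib_transport(method: str, url: str, headers: dict) -> Tuple[int, str]:
    """Real transport, only reachable when running on an EC2 instance."""
    req = urllib.request.Request(url, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=2) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def parse_imds_time(value: str) -> datetime:
    """IMDS expiry timestamps look like 2024-01-01T06:00:00Z (UTC)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def fetch_role_credentials(transport: Transport = urllib_transport) -> dict:
    # 1. Session token. v2 refuses metadata GETs that do not carry one.
    status, token = transport(
        "PUT", f"{IMDS_BASE}/latest/api/token",
        {"X-aws-ec2-metadata-token-ttl-seconds": str(TOKEN_TTL_SECONDS)},
    )
    if status != 200:
        raise RuntimeError(f"IMDSv2 token request failed: HTTP {status}")
    auth = {"X-aws-ec2-metadata-token": token}

    # 2. Name of the role attached through the instance profile.
    base = f"{IMDS_BASE}/latest/meta-data/iam/security-credentials/"
    status, body = transport("GET", base, auth)
    if status != 200 or not body.strip():
        raise RuntimeError("no IAM role is attached to this instance")
    role = body.strip().splitlines()[0]

    # 3. The temporary credentials: key ID, secret, session token and expiry.
    status, body = transport("GET", base + role, auth)
    if status != 200:
        raise RuntimeError(f"credential fetch failed: HTTP {status}")
    creds = json.loads(body)
    if creds.get("Code") != "Success":
        raise RuntimeError(f"IMDS reported {creds.get('Code')}")
    return {
        "role": role,
        "access_key_id": creds["AccessKeyId"],
        "secret_access_key": creds["SecretAccessKey"],
        "session_token": creds["Token"],  # sent with each request as X-Amz-Security-Token
        "expiration": parse_imds_time(creds["Expiration"]),
    }


def needs_refresh(creds: dict, now: datetime, margin: timedelta = timedelta(minutes=5)) -> bool:
    """Refresh shortly before expiry; a request signed after it is rejected."""
    return now + margin >= creds["expiration"]


# Constructed stand-in for the metadata service so this runs off an instance.
FAKE_TOKEN = "constructed-imds-token"
FAKE_ROLE = "example-app-role"
FAKE_CREDS = {
    "Code": "Success", "Type": "AWS-HMAC",
    "AccessKeyId": "ASIAIOSFODNN7EXAMPLE",  # temporary key IDs start with ASIA
    "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "Token": "FwoGZXIvYXdzEXAMPLE",
    "Expiration": "2024-01-01T06:00:00Z",
}


def fake_imds(method: str, url: str, headers: dict) -> Tuple[int, str]:
    path = url[len(IMDS_BASE):]
    if method == "PUT" and path == "/latest/api/token":
        return 200, FAKE_TOKEN
    if headers.get("X-aws-ec2-metadata-token") != FAKE_TOKEN:
        return 401, ""  # token required: the v2-only behaviour worth enforcing on real instances
    if path == "/latest/meta-data/iam/security-credentials/":
        return 200, FAKE_ROLE + "\n"
    if path == f"/latest/meta-data/iam/security-credentials/{FAKE_ROLE}":
        return 200, json.dumps(FAKE_CREDS)
    return 404, ""


if __name__ == "__main__":
    c = fetch_role_credentials(fake_imds)
    print(c["role"], c["access_key_id"], "expires", c["expiration"].isoformat())
```

On a real instance you would call fetch_role_credentials() with the default transport and pass the three values, including the session token, to whatever signs your requests; the point of the refresh check is that these credentials are short-lived by design, which is exactly the property the section above recommends over long-term keys.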

Manage IAM user access keys properly

If you must create access keys for programmatic access to AWS, create them for IAM users, and grant the users only the permissions that they require. For more information, see Managing access keys for IAM users in the IAM User Guide.

Note

If you use an Amazon EC2 instance with an application that requires programmatic access to AWS resources, use IAM roles for EC2.

When you use access keys, observe these precautions:

  • Don't embed access keys directly into code. When you use AWS SDKs and the AWS Command Line Tools, you can insert access keys in known locations so that you don't have to keep them in code.

    Put access keys in one of the following locations:

    • The AWS credentials file. The AWS SDKs and AWS CLI automatically use the credentials that you store in the AWS credentials file.

      For information about using the AWS credentials file, see the documentation for your SDK. Examples include Set AWS Credentials and Region in the AWS SDK for Java Developer Guide and Configuration and credential files in the AWS Command Line Interface User Guide.

      To store credentials for the AWS SDK for .NET and the AWS Tools for Windows PowerShell, we recommend that you use the SDK Store. For more information, see Using the SDK Store in the AWS SDK for .NET Developer Guide.

    • Environment variables. On a multitenant system, choose user environment variables, not system environment variables.

      For more information about using environment variables to store credentials, see Environment Variables in the AWS Command Line Interface User Guide.

  • Use different access keys for different applications. When you vary access keys across applications, you can scope the permissions of each key to one application and revoke a single key if it is exposed, without disrupting the others. Separate keys also show up as distinct accessKeyId values in the userIdentity element of AWS CloudTrail log entries, which lets you determine which application performed a specific action.

  • Rotate access keys periodically. Regular rotation limits how long a key that has leaked without your knowledge remains usable, and it keeps the rotation procedure exercised so that you can run it quickly when you must, for example when an employee leaves your company or a key is found in a public repository. For details, see Rotating access keys (AWS CLI, Tools for Windows PowerShell, and AWS API) in the IAM User Guide and How to Rotate Access Keys for IAM Users on the AWS Security Blog.

  • Remove unused access keys. If a user leaves your organization, remove the corresponding IAM user so that the user can no longer access your resources. To find out when an access key was last used, use the GetAccessKeyLastUsed API (AWS CLI command: aws iam get-access-key-last-used); keys that have never been used, or not been used recently, are candidates for deactivation and then deletion once you have confirmed that nothing depends on them.

  • Configure multi-factor authentication (MFA). To improve account security, require MFA on the AWS account root user credentials and all IAM users. For more information, see Using Multi-Factor Authentication (MFA) in AWS in the IAM User Guide.
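Two of the precautions above lend themselves to automation: detecting keys that have been embedded in code, and finding keys that are due for rotation or removal. The following is an added example, not AWS code. find_embedded_keys() scans source text for literal access key IDs and secret access keys and is the kind of check a pre-commit hook runs; audit_access_keys() applies the rotate and remove rules to key metadata shaped like the fields returned by the IAM ListAccessKeys and GetAccessKeyLastUsed calls. The thresholds of 90 days, the sample source snippet and the SAMPLE_KEYS records are all constructed for the example; in real use the metadata would be filled from those API calls.

```python
"""Hygiene checks for long-term IAM user access keys.

Added example, not AWS code. SAMPLE_SOURCE and SAMPLE_KEYS are constructed.
"""
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Key IDs are 20 upper-case alphanumerics; AKIA marks long-term keys, ASIA
# temporary ones. Secrets are 40 characters of base64-style text.
KEY_ID_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[0-9A-Z]{16}(?![A-Z0-9])")
SECRET_RE = re.compile(
    r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)


def find_embedded_keys(source: str) -> List[Dict[str, object]]:
    """Return one record per key ID or secret literal found, with its line number."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for m in KEY_ID_RE.finditer(line):
            hits.append({"line": lineno, "kind": "access_key_id", "value": m.group(0)})
        for m in SECRET_RE.finditer(line):
            hits.append({"line": lineno, "kind": "secret_access_key", "value": m.group(1)})
    return hits


def audit_access_keys(keys: List[dict], now: datetime,
                      max_age_days: int = 90, unused_days: int = 90) -> List[dict]:
    """Flag keys to rotate (too old) or remove (never used, stale, or left Inactive).

    Reason codes: rotate, never_used, unused, inactive. Keys with no findings are omitted.
    """
    findings = []
    for k in keys:
        reasons = []
        age = now - k["CreateDate"]
        if age > timedelta(days=max_age_days):
            reasons.append("rotate")
        last: Optional[datetime] = k.get("LastUsedDate")
        if last is None:
            # A brand-new key has legitimately never been used; an old one has not.
            if age > timedelta(days=unused_days):
                reasons.append("never_used")
        elif now - last > timedelta(days=unused_days):
            reasons.append("unused")
        if k["Status"] == "Inactive":
            reasons.append("inactive")  # deactivated during rotation: delete once nothing broke
        if reasons:
            findings.append({"UserName": k["UserName"], "AccessKeyId": k["AccessKeyId"],
                             "reasons": reasons})
    return findings


# --- constructed inputs -------------------------------------------------------
SAMPLE_SOURCE = '''# constructed snippet of the kind the scanner should catch
import boto3
client = boto3.client(
    "s3",
    aws_access_key_id="AKIAIOSFODNN7EXAMPLE",
    aws_secret_access_key="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
)
'''

_UTC = timezone.utc
NOW = datetime(2024, 6, 1, tzinfo=_UTC)
SAMPLE_KEYS = [  # shapes mirror ListAccessKeys plus the LastUsedDate from GetAccessKeyLastUsed
    {"UserName": "deploy-bot", "AccessKeyId": "AKIAIOSFODNN7EXAMPLE", "Status": "Active",
     "CreateDate": datetime(2024, 5, 15, tzinfo=_UTC), "LastUsedDate": datetime(2024, 5, 31, tzinfo=_UTC)},
    {"UserName": "alice", "AccessKeyId": "AKIAI44QH8DHBEXAMPLE", "Status": "Active",
     "CreateDate": datetime(2023, 1, 10, tzinfo=_UTC), "LastUsedDate": datetime(2024, 5, 30, tzinfo=_UTC)},
    {"UserName": "bob", "AccessKeyId": "AKIAEXAMPLE000000003", "Status": "Active",
     "CreateDate": datetime(2023, 11, 1, tzinfo=_UTC), "LastUsedDate": None},
    {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLE000000004", "Status": "Inactive",
     "CreateDate": datetime(2024, 4, 1, tzinfo=_UTC), "LastUsedDate": datetime(2024, 4, 20, tzinfo=_UTC)},
]

if __name__ == "__main__":
    for h in find_embedded_keys(SAMPLE_SOURCE):
        print(f"line {h['line']}: embedded {h['kind']}")
    for f in audit_access_keys(SAMPLE_KEYS, NOW):
        print(f"{f['UserName']} {f['AccessKeyId']}: {', '.join(f['reasons'])}")
```

The scanner deliberately matches the key ID format rather than a list of known keys, so it also catches temporary ASIA keys that someone pasted from a session; a hit on the example key ID from this page in real code is still a hit, because the habit is the problem. The audit treats a never-used key differently from an unused one only by age, which avoids flagging keys created minutes ago.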

Access the mobile app using AWS access keys

You can access a limited set of AWS services and features using the AWS mobile app. The mobile app helps you support incident response while on the go. For more information and to download the app, see AWS Console Mobile Application.

You can sign in to the mobile app using your console password or your access keys. As a best practice, don't use root user access keys. Instead, we strongly recommend that you use a password or biometric lock on your mobile device, and also create an IAM user to manage AWS resources. If you lose your mobile device, you can remove the IAM user's access. For more information about generating access keys for an IAM user, see Managing access keys for IAM users in the IAM User Guide.

To sign in using access keys (mobile app)

  1. Open the app on your mobile device.

  2. If this is the first time that you're adding an identity to the device, choose Add an identity and then choose Access keys.

    If you have already signed in using another identity, choose the menu icon and choose Switch identity. Then choose Sign in as a different identity and then Access keys.

  3. On the Access keys page, enter your information:

    • Access key ID – Enter your access key ID.

    • Secret access key – Enter your secret access key.

    • Identity name – Enter the name of the identity that will appear in the mobile app. This does not need to match your IAM user name.

    • Identity PIN – Create a personal identification number (PIN) that you will use for future sign-ins.

      Note

      If you enable biometrics for the AWS mobile app, you will be prompted to use your fingerprint or facial recognition for verification instead of the PIN. If the biometrics fail, you might be prompted for the PIN instead.

  4. Choose Verify and add keys.

    You can now access a select set of your resources using the mobile app.

Learn more

For more information about best practices for AWS account security, see the following resources: