Understanding and getting your AWS credentials - AWS General Reference

Understanding and getting your AWS credentials

AWS requires different types of security credentials depending on how you access AWS. For example, you need a user name and password to sign in to the AWS Management Console and you need access keys to make programmatic calls to AWS or to use the AWS Command Line Interface or AWS Tools for PowerShell.

Considerations

  • Be sure to save the following in a secure location: the email address associated with your AWS account, the AWS account ID, your password, and your secret access keys. If you forget or lose these credentials, you can't recover them. For security reasons, AWS doesn't provide the means for you or anyone else to retrieve your credentials.

  • We strongly recommend that you create an IAM user with administrator permissions to use for everyday AWS tasks and lock away the password and access keys for the root user. Use the root user only for the tasks that are restricted to the root user.

  • Security credentials are account-specific. If you have access to multiple AWS accounts, you have separate credentials for each account.

  • Do not provide your AWS credentials to a third party.

Console access

There are two different types of users in AWS. You are either the account owner (root user) or you are an AWS Identity and Access Management (IAM) user. How you sign in to the AWS Management Console depends on whether you are the root user or an IAM user.

Root user email address and password

When you first create an AWS account, you specify an email address for the account and a password for the root user. To sign in to your AWS account as the root user, you provide this email address and password. The root user can sign in to the AWS Management Console and change the account name, email address, and password using the Security Credentials page. If you forget the password for the root user, open the console sign-in page and choose Forgot password? to reset your password.

IAM user name and password

IAM users are created by the root user or an IAM administrator within the AWS account. The user who created your IAM user should provide you with either the account alias or 12-digit AWS account ID, the IAM user name, and the password for the IAM user. An IAM user can sign in using either the console sign-in page or the following sign-in URL, replacing account_id_or_alias with either the account alias or AWS account ID provided to you:

https://account_id_or_alias.signin.aws.amazon.com/console/

If you forget the password for your IAM user, contact your IAM administrator or the account owner. If your IAM administrator gave you permissions to manage your own AWS credentials, then you can change your password periodically, which is a security best practice, using the Security Credentials page.

Multi-factor authentication (MFA)

Multi-factor authentication (MFA) provides an extra level of security that you can apply to your AWS account. For additional security, we recommend that you require MFA on the AWS account root user credentials and highly privileged IAM users. For more information, see Using Multi-Factor Authentication (MFA) in AWS in the IAM User Guide.

With MFA enabled, when you sign in to your AWS account, you are prompted for your user name and password, plus an authentication code from an MFA device. Adding MFA provides increased security for your AWS account settings and resources.

By default, MFA is not enabled. You can enable and manage MFA devices for the AWS account root user by going to the Security Credentials page or the IAM dashboard in the AWS Management Console. For more information about enabling MFA for IAM users, see Enabling MFA Devices in the IAM User Guide.

Programmatic access

You must provide your AWS access keys to make programmatic calls to AWS or to use the AWS Command Line Interface or AWS Tools for PowerShell.

When you create your access keys, you create the access key ID (for example, AKIAIOSFODNN7EXAMPLE) and secret access key (for example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY) as a set. The secret access key is available for download only when you create it. If you don't download your secret access key or if you lose it, you must create a new one.

You can assign up to two access keys per user (root user or IAM user). Having two access keys is useful when you want to rotate them. When you disable an access key, you can't use it, but it counts toward your limit of two access keys. After you delete an access key, it's gone forever and can't be restored, but it can be replaced with a new access key.
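The two-key rule above, worked through as an added example (this is not AWS code): a planner that reads the metadata `aws iam list-access-keys` returns and emits the next `aws iam` command for a rotation, reclaiming the slot a disabled key still occupies and retiring the older of two active keys before a replacement is created. The user name and the second key ID are constructed placeholders.

```python
"""Plan the next step of an IAM access-key rotation under the two-key limit."""
import json

# Constructed sample shaped like the output of
# `aws iam list-access-keys --user-name alice`; the key IDs are placeholders.
SAMPLE_LIST_OUTPUT = json.dumps({"AccessKeyMetadata": [
    {"UserName": "alice", "AccessKeyId": "AKIAIOSFODNN7EXAMPLE",
     "Status": "Active", "CreateDate": "2023-01-10T09:00:00+00:00"},
    {"UserName": "alice", "AccessKeyId": "AKIAI44QH8DHBEXAMPLE",
     "Status": "Inactive", "CreateDate": "2022-06-01T09:00:00+00:00"},
]})


def plan_rotation(user, list_output_json):
    """Return the `aws iam` commands that advance the rotation by one step.

    The steps follow the two-key limit: a deleted key frees a slot, a
    disabled one does not, and a replacement is created only into a free
    slot. Sequence: create -> deploy -> disable older -> verify -> delete.
    """
    keys = json.loads(list_output_json)["AccessKeyMetadata"]
    if len(keys) > 2:
        raise ValueError("IAM allows at most two access keys per user")
    inactive = [k for k in keys if k["Status"] == "Inactive"]
    # ISO-8601 timestamps with a fixed offset sort chronologically as strings.
    active = sorted((k for k in keys if k["Status"] == "Active"),
                    key=lambda k: k["CreateDate"])
    commands = []
    if inactive:
        # Finish a rotation: a disabled key cannot be used but still counts
        # toward the limit, so reclaim its slot.
        for k in inactive:
            commands.append(f"aws iam delete-access-key --user-name {user} "
                            f"--access-key-id {k['AccessKeyId']}")
    elif len(active) == 2:
        # Both slots active: the newer key is taken to be the one already
        # rolled out, so disable (not delete) the older one. Disabling is
        # reversible if a forgotten client still depends on it.
        commands.append(f"aws iam update-access-key --user-name {user} "
                        f"--access-key-id {active[0]['AccessKeyId']} "
                        f"--status Inactive")
    else:
        # A slot is free: start a rotation. The secret is returned only by
        # this call, so its output must be captured and stored securely.
        commands.append(f"aws iam create-access-key --user-name {user}")
    return commands


if __name__ == "__main__":
    print("\n".join(plan_rotation("alice", SAMPLE_LIST_OUTPUT)))
```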

To create an access key when signed in as the root user

  1. Sign in to the AWS Management Console as the root user. For more information, see Sign in as the root user in the IAM User Guide.

  2. In the navigation bar on the upper right, choose your account name or number and then choose My Security Credentials.

  3. Expand the Access keys (access key ID and secret access key) section.

  4. Choose Create New Access Key. If you already have two access keys, this button is disabled.

  5. When prompted, choose Show Access Key or Download Key File. This is your only opportunity to save your secret access key.

  6. After you've saved your secret access key in a secure location, choose Close.

To create an access key when signed in as an IAM user

  1. Sign in to the AWS Management Console as an IAM user. For more information, see Sign in as an IAM user in the IAM User Guide.

  2. In the navigation bar on the upper right, choose your user name and then choose My Security Credentials.

    Tip

    If you do not see the My Security Credentials page, you might be signed in as a federated user, not an IAM user. You can create and use temporary access keys instead.

  3. Choose AWS IAM credentials, Create access key. If you already have two access keys, the console displays a "Limit exceeded" error.

  4. When prompted, choose Download .csv file or Show secret access key. This is your only opportunity to save your secret access key.

  5. After you've saved your secret access key in a secure location, choose Close.

Temporary access keys

You can also create and use temporary access keys, known as temporary security credentials. In addition to the access key ID and secret access key, temporary security credentials include a security token that you must send to AWS when you use temporary security credentials. The advantage of temporary security credentials is that they are short term. After they expire, they're no longer valid. You can use temporary access keys in less secure environments or distribute them to grant users temporary access to resources in your AWS account. For example, you can grant entities from other AWS accounts access to resources in your AWS account (cross-account access). You can also grant users who don't have AWS security credentials access to resources in your AWS account (federation). For more information, see aws sts assume-role.
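As an added example (not AWS code), the following takes the JSON that `aws sts assume-role` prints and turns it into the three environment variables the CLI and SDKs read, refusing output that is missing the session token or has already expired. The credentials, role name and account number in the sample are constructed placeholders.

```python
"""Turn `aws sts assume-role` output into the three variables the CLI reads."""
import json
import shlex
from datetime import datetime, timezone

# Constructed sample shaped like the JSON that `aws sts assume-role` prints;
# the key ID, secret and token are placeholders, not real credentials.
SAMPLE_ASSUME_ROLE_OUTPUT = json.dumps({
    "Credentials": {
        "AccessKeyId": "ASIAIOSFODNN7EXAMPLE",
        "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
        "SessionToken": "EXAMPLE-SESSION-TOKEN",
        "Expiration": "2030-01-01T12:00:00Z",
    },
})

# Temporary credentials are only complete with all three parts; the session
# token is what distinguishes them from long-term access keys.
ENV_VARS = {"AccessKeyId": "AWS_ACCESS_KEY_ID",
            "SecretAccessKey": "AWS_SECRET_ACCESS_KEY",
            "SessionToken": "AWS_SESSION_TOKEN"}


def _parse_time(value):
    # CLI v1 prints a trailing "Z", v2 prints "+00:00"; accept both.
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value)


def is_expired(raw_json, now_iso=None):
    """True if the Expiration field is not in the future."""
    expires = _parse_time(json.loads(raw_json)["Credentials"]["Expiration"])
    now = _parse_time(now_iso) if now_iso else datetime.now(timezone.utc)
    return expires <= now


def credential_exports(raw_json, now_iso=None):
    """Return `export` lines for a POSIX shell, rejecting stale or partial output."""
    creds = json.loads(raw_json)["Credentials"]
    missing = [k for k in ENV_VARS if k not in creds]
    if missing:
        raise ValueError(f"assume-role output lacks {', '.join(missing)}")
    if is_expired(raw_json, now_iso):
        raise ValueError("temporary credentials have already expired")
    # shlex.quote keeps tokens with shell metacharacters intact when sourced.
    return [f"export {env}={shlex.quote(creds[field])}"
            for field, env in ENV_VARS.items()]
```

Run as `eval "$(python3 this_file.py)"` only after a real `aws sts assume-role` call has replaced the sample; the expired check means a cached file from yesterday fails loudly instead of producing confusing access-denied errors.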