Amazon Web Services
General Reference (Version 1.0)

Understanding and Getting Your Security Credentials

You use different types of security credentials depending on how you interact with AWS. For example, you use a user name and password to sign in to the AWS Management Console. You use access keys to make programmatic calls to AWS API operations or to use AWS CLI commands.

If you forget or lose your credentials, you can't recover them. For security reasons, AWS doesn't allow you to retrieve your passwords or secret access keys and does not store the private keys that are part of a key pair. However, you can create new credentials and then disable or delete the old credentials.

Note

Security credentials are account-specific. If you have access to multiple AWS accounts, use the credentials that are associated with the account that you want to access.

Getting AWS account root user credentials differs from getting IAM user credentials. For root user credentials, such as access keys or key pairs, you use the Security Credentials page in the AWS Management Console. For IAM user credentials, you use the IAM console.

The following list describes the types of AWS security credentials, when you might use them, and how to get each type of credential for the AWS account root user or for an IAM user.

Email and Password (Root User)

When you first create an Amazon Web Services (AWS) account, you begin with a single sign-in identity that has complete access to all AWS services and resources in the account. This identity is called the AWS account root user and is accessed by signing in with the email address and password that you used to create the account.

Important

We strongly recommend that you do not use the root user for your everyday tasks, even the administrative ones. Instead, adhere to the best practice of using the root user only to create your first IAM user. Then securely lock away the root user credentials and use them to perform only a few account and service management tasks. To view the tasks that require you to sign in as the root user, see AWS Tasks That Require Root User.

Use your AWS account email address and password to sign in to the AWS Management Console as the AWS account root user.

Note

If you previously signed in to the console with IAM user credentials, your browser might remember this preference and open your account-specific sign-in page. You cannot use the IAM user sign-in page to sign in with your AWS account root user credentials. If you see the IAM user sign-in page, choose Sign-in using root user credentials near the bottom of the page to return to the main sign-in page. From there, you can type your AWS account email address and password.

You can change the email address and password on the Security Credentials page. You can also choose Forgot password? on the AWS sign-in page to reset your password.

IAM User Name and Password

Use AWS Identity and Access Management (IAM) to create unique user identities in AWS. IAM users provide their user names and passwords when they sign in to the AWS Management Console, AWS discussion forums, or AWS Support center. In some cases, an IAM user name and password are required to use a service, such as sending email with SMTP by using Amazon Simple Email Service (Amazon SES).

For more information about IAM users, see Identities (Users, Groups, and Roles) in the IAM User Guide.

You specify user names when you create them. Optionally, you can create passwords for each user. For more information, see Managing Passwords for IAM Users in the IAM User Guide.

Note

IAM users can manage their own password but only if they have been given permission. For more information, see Permitting IAM Users to Change Their Own Password in the IAM User Guide.

Multi-Factor Authentication (MFA)

Multi-factor authentication (MFA) provides an extra level of security that you can apply to your AWS account. For additional security, we recommend that you require MFA on the AWS account root user credentials and highly privileged IAM users. For more information, see Using Multi-Factor Authentication (MFA) in AWS in the IAM User Guide.

With MFA enabled, when you sign in to the AWS website, you are prompted for your user name and password, and an authentication code from an MFA device. Together, they provide increased security for your AWS account settings and resources.

By default, MFA is not enabled. You can enable and manage MFA devices for the AWS account root user by going to the Security Credentials page or the IAM dashboard in the AWS Management Console. For more information about enabling MFA for IAM users, see Enabling MFA Devices in the IAM User Guide.
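The authentication code an MFA device produces is short-lived by construction. The following added example (not code from the page or from AWS) shows why, by implementing the time-based one-time password algorithm that virtual MFA devices use (RFC 6238 TOTP over RFC 4226 HOTP) with nothing but the Python standard library. The seed is the RFC reference seed, used here as constructed sample data; a real device's seed is the base32 secret AWS shows once when the device is registered.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo seed: the RFC 4226/6238 reference seed, not a real device.
DEMO_SEED = b"12345678901234567890"
STEP_SECONDS = 30  # TOTP time step; a code is valid for one step


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then dynamic truncation to a 31-bit integer, reduced to `digits` digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, at: int, digits: int = 6, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of steps since the epoch."""
    return hotp(seed, at // step, digits)


def current_totp(seed: bytes) -> str:
    """The code an authenticator app would display right now."""
    return totp(seed, int(time.time()))


def verify_totp(seed: bytes, code: str, at: int, window: int = 1,
                step: int = STEP_SECONDS, digits: int = 6) -> bool:
    """Server-side check. Accepts the current step plus/minus `window` steps to
    tolerate clock skew, compares in constant time, and never looks further:
    a code captured once is useless after roughly (window + 1) steps."""
    counter = at // step
    candidates = [counter + d for d in range(-window, window + 1) if counter + d >= 0]
    return any(hmac.compare_digest(hotp(seed, c, digits), code) for c in candidates)


def seed_from_base32(secret_key: str) -> bytes:
    """AWS presents a virtual MFA secret as base32 (often grouped with spaces);
    authenticator apps decode it like this before computing codes."""
    s = secret_key.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


if __name__ == "__main__":
    print("code at t=59:", totp(DEMO_SEED, 59))
    print("code now:", current_totp(DEMO_SEED))
```

The skew window is the security trade-off to think about: a wider window makes stolen codes live longer, so keep it to one step on each side and rate-limit failed attempts.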

Access Keys (Access Key ID and Secret Access Key)

Access keys consist of two parts: an access key ID (for example, AKIAIOSFODNN7EXAMPLE) and a secret access key (for example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY). You use access keys to sign programmatic requests to AWS, whether you issue them through the AWS CLI, an AWS SDK, or direct calls to AWS API operations. For more information, see Signing AWS API Requests. Like a user name and password, the access key ID and secret access key must be used together to authenticate a request: the ID identifies the caller, and the secret is the key used to compute the signature. Manage your secret access key as securely as you do your password.

When you create access keys, you create the access key ID and secret access key as a set. During access key creation, AWS gives you one opportunity to view and download the secret access key. If you don't download it or if you lose it, you can delete the access key and then create a new one. You can create IAM user access keys with the IAM console, AWS CLI, or AWS API. For more information, see Managing Access Keys for IAM Users in the IAM User Guide. To create access keys for your AWS account root user, you must use the AWS Management Console. For more information, see Managing Access Keys for Your AWS Account Root User in the IAM User Guide. The guidance on the root user given earlier applies to root access keys as well: they carry complete access to the account, so do not create them for everyday or administrative work. Use them only for the few tasks that require the root user (see AWS Tasks That Require Root User) and lock them away otherwise.

Important

Do not provide your access keys to a third party, even to help find your canonical user ID. By doing this, you might give someone full access to your account.

A newly created access key has the status of active, which means that you can use the access key for CLI and API calls. You are limited to two access keys for each IAM user, which is useful when you want to rotate the access keys. You can also assign up to two access keys to the root user. When you disable an access key, you can't use it for API calls, and inactive keys do count toward your limit. You can create or delete an access key any time. However, when you delete an access key, it's gone forever and can't be retrieved.
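The two-key limit is what makes rotation without downtime possible, and the details above (inactive keys count toward the limit, deletion is permanent) are exactly where a rotation script goes wrong. The added example below (not code from the page or from AWS) implements that logic: it makes room by deleting only a key that is already Inactive, refuses to delete a key that is still Active, creates the replacement, and retires the old key by deactivating rather than deleting it. `FakeIAMClient` is a stand-in that mirrors the method names and response shapes of the boto3 IAM client calls used here (`list_access_keys`, `create_access_key`, `update_access_key`, `delete_access_key`) so the example runs offline; pass a real `boto3.client("iam")` in its place. Key IDs and secrets it returns are constructed values.

```python
class FakeIAMClient:
    """Offline stand-in for boto3's IAM client: same method names, keyword
    arguments and response shapes for the four calls used below, and the
    same per-user limit of two access keys (Active or Inactive)."""

    def __init__(self):
        self._keys = {}   # user name -> list of key metadata dicts
        self._count = 0

    def list_access_keys(self, UserName):
        # Like the real API, metadata never includes the secret.
        return {"AccessKeyMetadata": [dict(k) for k in self._keys.get(UserName, [])]}

    def create_access_key(self, UserName):
        existing = self._keys.setdefault(UserName, [])
        if len(existing) >= 2:
            raise RuntimeError("LimitExceeded: quota for AccessKeysPerUser is 2")
        self._count += 1
        key = {"UserName": UserName, "AccessKeyId": f"AKIAFAKE{self._count:012d}",
               "Status": "Active"}
        existing.append(key)
        # The secret is returned exactly once, at creation.
        return {"AccessKey": dict(key, SecretAccessKey=f"constructed-secret-{self._count}")}

    def update_access_key(self, UserName, AccessKeyId, Status):
        for k in self._keys.get(UserName, []):
            if k["AccessKeyId"] == AccessKeyId:
                k["Status"] = Status
                return {}
        raise KeyError(AccessKeyId)

    def delete_access_key(self, UserName, AccessKeyId):
        keys = self._keys.get(UserName, [])
        remaining = [k for k in keys if k["AccessKeyId"] != AccessKeyId]
        if len(remaining) == len(keys):
            raise KeyError(AccessKeyId)
        keys[:] = remaining
        return {}


def rotate_access_key(iam, user_name):
    """Phase 1 of a rotation: create the replacement key.

    If both slots are taken, free one by deleting a key that is already
    Inactive. Two Active keys means a previous rotation was never finished;
    deleting one blindly could cut off a live workload and cannot be undone,
    so stop and make the operator decide."""
    keys = iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]
    if len(keys) >= 2:
        inactive = [k for k in keys if k["Status"] == "Inactive"]
        if not inactive:
            raise RuntimeError(
                f"{user_name} already has two Active keys; deactivate the unused one "
                "and confirm nothing breaks before rotating")
        iam.delete_access_key(UserName=user_name, AccessKeyId=inactive[0]["AccessKeyId"])
    return iam.create_access_key(UserName=user_name)["AccessKey"]


def retire_access_key(iam, user_name, access_key_id):
    """Phase 2, after the new key is deployed everywhere: deactivate the old
    key. Unlike deletion this is reversible, which is the point; the Inactive
    key is deleted on the next rotation once it has proven unneeded."""
    iam.update_access_key(UserName=user_name, AccessKeyId=access_key_id, Status="Inactive")
    return access_key_id


if __name__ == "__main__":
    client = FakeIAMClient()
    new = rotate_access_key(client, "deploy-bot")
    print("new key id:", new["AccessKeyId"])
```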

You can also create and use temporary access keys, known as temporary security credentials. In addition to the access key ID and secret access key, temporary security credentials include a security token that you must send to AWS when you use temporary security credentials. The advantage of temporary security credentials is that they are short term. After they expire, they're no longer valid. You can use temporary access keys in less secure environments or distribute them to grant users temporary access to resources in your AWS account. For example, you can grant entities from other AWS accounts access to resources in your AWS account (cross-account access). You can also grant users who don't have AWS security credentials access to resources in your AWS account (federation). For more information, see Temporary Security Credentials in the IAM User Guide. For information on the unique IDs that IAM creates, including their prefixes (like the AKIA used in AKIAIOSFODNN7EXAMPLE, above), see IAM Identifiers in the IAM User Guide.
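To make concrete what "signing" a request with an access key means, and how the session token of temporary security credentials fits in, here is an added example (not code from the page or from AWS) of AWS Signature Version 4 signing with the Python standard library, the scheme behind Signing AWS API Requests. The credentials are the page's documented placeholder values; the sample request is a constructed IAM ListUsers call with a fixed timestamp so the output is reproducible. The signing side derives a scoped key from the secret and MACs a canonical form of the request; the verifying side recomputes and compares, which is why the ID can be shared but the secret must not, and why a session token, once included in the signed headers, cannot be swapped in transit.

```python
import datetime
import hashlib
import hmac
from urllib.parse import quote

# Constructed sample long-term credentials: the documented placeholder
# values, not live keys.
ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret: str, date: str, region: str, service: str) -> bytes:
    """SigV4 signing key: a chain of HMACs scoped to one day, region and
    service. The long-term secret only ever seeds this chain."""
    k_date = _hmac_sha256(("AWS4" + secret).encode("utf-8"), date)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")


def sign_request(method, host, path, query, body, region, service,
                 access_key_id, secret, amz_date=None, session_token=None):
    """Return (Authorization header value, headers that must be sent).

    session_token is the third part of temporary security credentials; it
    goes in x-amz-security-token and is covered by the signature."""
    if amz_date is None:
        amz_date = datetime.datetime.now(datetime.timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    date = amz_date[:8]
    headers = {"host": host, "x-amz-date": amz_date}
    if session_token:
        headers["x-amz-security-token"] = session_token

    # Canonical request: method, encoded path, sorted encoded query string,
    # sorted lowercase headers, list of signed header names, body hash.
    canonical_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
        for k, v in sorted(query.items()))
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k].strip()}\n" for k in sorted(headers))
    canonical_request = "\n".join([
        method.upper(), quote(path, safe="/~"), canonical_query,
        canonical_headers, signed_headers, hashlib.sha256(body).hexdigest()])

    # String to sign binds algorithm, timestamp and credential scope to the
    # canonical request hash; the scope limits where a signature is valid.
    scope = f"{date}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()])
    signature = hmac.new(signing_key(secret, date, region, service),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    authorization = (f"AWS4-HMAC-SHA256 Credential={access_key_id}/{scope}, "
                     f"SignedHeaders={signed_headers}, Signature={signature}")
    return authorization, headers


def verify_request(authorization, **request):
    """The receiving side: look up the secret for the access key ID in the
    Credential field, recompute over the request as received, compare in
    constant time. Any change to path, query, body, time or token fails."""
    expected, _ = sign_request(**request)
    return hmac.compare_digest(expected, authorization)


if __name__ == "__main__":
    auth, hdrs = sign_request(
        method="GET", host="iam.amazonaws.com", path="/",
        query={"Action": "ListUsers", "Version": "2010-05-08"}, body=b"",
        region="us-east-1", service="iam",
        access_key_id=ACCESS_KEY_ID, secret=SECRET_ACCESS_KEY,
        amz_date="20150830T123600Z")
    print(auth)
```

Two things to notice: the signed request never carries the secret, only a MAC over a canonical form of the request, so capturing traffic yields nothing reusable beyond that exact request within its time window; and `x-amz-date` inside the signed headers is what lets the service reject replays that arrive too late.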

Key Pairs

Key pairs are unrelated to access keys, and consist of a public key and a private key. You use the private key to create a digital signature, and then AWS uses the corresponding public key to validate the signature. Key pairs are used only for Amazon EC2 and Amazon CloudFront.

For Amazon EC2, you use key pairs to access Amazon EC2 instances, such as when you use SSH to log in to a Linux instance. For more information, see Connect to Your Linux Instances in the Amazon EC2 User Guide for Linux Instances.

For Amazon CloudFront, you use key pairs to create signed URLs for private content, such as when you want to distribute restricted content that someone paid for. For more information, see Serving Private Content through CloudFront in the Amazon CloudFront Developer Guide.

AWS does not provide key pairs for your account; you must create them. You can create Amazon EC2 key pairs from the Amazon EC2 console, CLI, or API. For more information, see Amazon EC2 Key Pairs in the Amazon EC2 User Guide for Linux Instances.

You create Amazon CloudFront key pairs from the Security Credentials page. Only the AWS account root user (not IAM users) can create CloudFront key pairs. For more information, see Serving Private Content through CloudFront in the Amazon CloudFront Developer Guide.