Understanding and getting your AWS credentials
AWS requires different types of security credentials depending on how you access AWS. For example, you need a user name and password to sign in to the AWS Management Console and you need access keys to make programmatic calls to AWS or to use the AWS Command Line Interface or AWS Tools for PowerShell.
Considerations
- Be sure to save the following in a secure location: the email address associated with your AWS account, the AWS account ID, your password, and your secret access keys. If you forget or lose these credentials, you can't recover them. For security reasons, AWS doesn't provide the means for you or anyone else to retrieve your credentials.
- We strongly recommend that you create an IAM user with administrator permissions to use for everyday AWS tasks and lock away the password and access keys for the root user. Use the root user only for the tasks that are restricted to the root user.
- Security credentials are account-specific. If you have access to multiple AWS accounts, you have separate credentials for each account.
- Do not provide your AWS credentials to a third party.
Credentials
Console access
There are two different types of users in AWS. You are either the account owner (root user) or you are an AWS Identity and Access Management (IAM) user. How you sign in to the AWS Management Console depends on whether you are the root user or an IAM user.
Root user email address and password
When you first create an AWS account, you specify an email address for the account and a password for the root user. To sign in to your AWS account as the root user, you provide this email address and password. The root user can sign in to the AWS Management Console and change the account name, email address, and password using the Security Credentials page.
IAM user name and password
IAM users are created by the root user or an IAM administrator within the AWS account. The user who created your IAM user should provide you with either the account alias or the 12-digit AWS account ID, the IAM user name, and the password for the IAM user. An IAM user can sign in using either the console sign-in page or the following sign-in URL, replacing account_id_or_alias with either the account alias or the AWS account ID provided to you:
https://account_id_or_alias.signin.aws.amazon.com/console/
If you forget the password for your IAM user, contact your IAM administrator or the account owner. If your IAM administrator gave you permissions to manage your own AWS credentials, then you can change your password periodically, which is a security best practice, using the Security Credentials page.
Multi-factor authentication (MFA)
Multi-factor authentication (MFA) provides an extra level of security that you can apply to your AWS account. For additional security, we recommend that you require MFA on the AWS account root user credentials and highly privileged IAM users. For more information, see Using Multi-Factor Authentication (MFA) in AWS in the IAM User Guide.
With MFA enabled, when you sign in to your AWS account, you are prompted for your user name and password, plus an authentication code from an MFA device. Adding MFA provides increased security for your AWS account settings and resources.
By default, MFA is not enabled. You can enable and manage MFA devices for the AWS account root user by going to the Security Credentials page.
Programmatic access
You must provide your AWS access keys to make programmatic calls to AWS or to use the AWS Command Line Interface or AWS Tools for PowerShell.
When you create your access keys, you create the access key ID (for example, AKIAIOSFODNN7EXAMPLE) and secret access key (for example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY) as a set. The secret access key is available for download only when you create it. If you don't download your secret access key or if you lose it, you must create a new one.
You can assign up to two access keys per user (root user or IAM user). Having two access keys is useful when you want to rotate them. When you disable an access key, you can't use it, but it counts toward your limit of two access keys. After you delete an access key, it's gone forever and can't be restored, but it can be replaced with a new access key.
To create an access key when signed in as the root user
- Sign in to the AWS Management Console as the root user. For more information, see Sign in as the root user in the IAM User Guide.
- In the navigation bar on the upper right, choose your account name or number and then choose My Security Credentials.
- Expand the Access keys (access key ID and secret access key) section.
- Choose Create New Access Key. If you already have two access keys, this button is disabled.
- When prompted, choose Show Access Key or Download Key File. This is your only opportunity to save your secret access key.
- After you've saved your secret access key in a secure location, choose Close.
To create an access key when signed in as an IAM user
- Sign in to the AWS Management Console as an IAM user. For more information, see Sign in as an IAM user in the IAM User Guide.
- In the navigation bar on the upper right, choose your user name and then choose My Security Credentials.
Tip: If you do not see the My Security Credentials page, you might be signed in as a federated user, not an IAM user. You can create and use temporary access keys instead.
- Choose AWS IAM credentials, Create access key. If you already have two access keys, the console displays a "Limit exceeded" error.
- When prompted, choose Download .csv file or Show secret access key. This is your only opportunity to save your secret access key.
- After you've saved your secret access key in a secure location, choose Close.
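The console steps above create one key at a time; the two-keys-per-user limit described earlier is what makes programmatic rotation awkward, because a user who already holds two keys cannot receive a third. The following is an added example, not AWS sample code: rotate_access_key() is written against the boto3 IAM client method names and response shapes (list_access_keys, create_access_key, update_access_key, delete_access_key), creates the replacement before touching the key in use, and frees a slot first when both are taken. FakeIAM is a constructed in-memory stand-in for the client so the example runs offline; the key IDs, apart from the page's own AKIAIOSFODNN7EXAMPLE, and the user name are placeholders.

```python
"""Rotate an IAM user's access key without tripping the two-keys-per-user limit.

Added example, not AWS sample code. rotate_access_key() is written against the
boto3 IAM client method names and response shapes; FakeIAM is a constructed
in-memory stand-in for that client so the example runs offline.
"""
import datetime as dt
import secrets

CURRENT_KEY_ID = "AKIAIOSFODNN7EXAMPLE"   # the example key ID from the page
STALE_KEY_ID = "AKIAI44QH8DHBEXAMPLE"     # constructed second key, already disabled


class LimitExceeded(Exception):
    """Stand-in for the LimitExceeded error IAM returns at two keys."""


class FakeIAM:
    """Constructed imitation of the boto3 IAM client; keeps keys in a dict."""

    def __init__(self, user_name, existing):
        # existing: iterable of (access_key_id, status, create_date)
        self.keys = {
            key_id: {"UserName": user_name, "AccessKeyId": key_id,
                     "Status": status, "CreateDate": created}
            for key_id, status, created in existing
        }

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [dict(k) for k in self.keys.values()
                                      if k["UserName"] == UserName]}

    def create_access_key(self, UserName):
        if len(self.list_access_keys(UserName)["AccessKeyMetadata"]) >= 2:
            raise LimitExceeded("Cannot exceed quota for AccessKeysPerUser: 2")
        key_id = "AKIA" + secrets.token_hex(8).upper()      # constructed, not a real key
        entry = {"UserName": UserName, "AccessKeyId": key_id, "Status": "Active",
                 "CreateDate": dt.datetime.now(dt.timezone.utc)}
        self.keys[key_id] = entry
        # As with the real API, the secret is only ever returned here, once.
        return {"AccessKey": dict(entry, SecretAccessKey=secrets.token_urlsafe(30))}

    def update_access_key(self, UserName, AccessKeyId, Status):
        self.keys[AccessKeyId]["Status"] = Status

    def delete_access_key(self, UserName, AccessKeyId):
        del self.keys[AccessKeyId]


def rotate_access_key(iam, user_name, current_key_id, verify, delete_old=False):
    """Create a replacement key, prove it works, then retire current_key_id.

    verify(access_key_id, secret) is the caller's hook: switch the application
    or CLI profile to the new key and return True only if a call succeeds with
    it. The old key is deactivated (reversible); it is deleted only when
    delete_old is set, which you would normally do after a grace period.
    Returns (new_key_id, status_of_old_key).
    """
    keys = iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]
    if current_key_id not in {k["AccessKeyId"] for k in keys}:
        raise ValueError(f"{current_key_id} is not an access key of {user_name}")
    if len(keys) >= 2:
        # Both slots are taken. Free one by deleting a key that is not in use,
        # preferring one that is already Inactive, otherwise the oldest.
        spare = min((k for k in keys if k["AccessKeyId"] != current_key_id),
                    key=lambda k: (k["Status"] != "Inactive", k["CreateDate"]))
        iam.delete_access_key(UserName=user_name, AccessKeyId=spare["AccessKeyId"])
    new = iam.create_access_key(UserName=user_name)["AccessKey"]
    if not verify(new["AccessKeyId"], new["SecretAccessKey"]):
        # Roll back: the current key has not been touched, so nothing breaks.
        iam.delete_access_key(UserName=user_name, AccessKeyId=new["AccessKeyId"])
        raise RuntimeError("new key failed verification; current key left active")
    iam.update_access_key(UserName=user_name, AccessKeyId=current_key_id,
                          Status="Inactive")
    if delete_old:
        iam.delete_access_key(UserName=user_name, AccessKeyId=current_key_id)
        return new["AccessKeyId"], "Deleted"
    return new["AccessKeyId"], "Inactive"


def demo(verify_ok=True, delete_old=False):
    """Rotate for a user who already holds two keys, one of them stale."""
    t0 = dt.datetime(2023, 1, 1, tzinfo=dt.timezone.utc)
    iam = FakeIAM("alice", [(CURRENT_KEY_ID, "Active", t0),
                            (STALE_KEY_ID, "Inactive", t0 - dt.timedelta(days=200))])
    try:
        new_id, old_status = rotate_access_key(
            iam, "alice", CURRENT_KEY_ID,
            verify=lambda key_id, secret: verify_ok, delete_old=delete_old)
    except RuntimeError:
        new_id, old_status = None, "Active"
    state = {k["AccessKeyId"]: k["Status"] for k in iam.keys.values()}
    return new_id, old_status, state


if __name__ == "__main__":
    print(demo())
```

Against a real account you would pass boto3.client("iam") in place of FakeIAM and make verify() issue a cheap call such as sts get-caller-identity with the new key. Deactivating rather than deleting the old key first is deliberate: a disabled key still occupies one of the two slots, but it can be re-enabled if something was still using it.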
Temporary access keys
You can also create and use temporary access keys, known as temporary security credentials. In addition to the access key ID and secret access key, temporary security credentials include a security token that you must send to AWS when you use temporary security credentials. The advantage of temporary security credentials is that they are short term. After they expire, they're no longer valid. You can use temporary access keys in less secure environments or distribute them to grant users temporary access to resources in your AWS account. For example, you can grant entities from other AWS accounts access to resources in your AWS account (cross-account access). You can also grant users who don't have AWS security credentials access to resources in your AWS account (federation). For more information, see aws sts assume-role.
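The practical difference between the two credential types is visible in the credentials themselves: temporary access key IDs carry the ASIA prefix rather than AKIA, and they are only accepted together with the session token. The following is an added example, not from the AWS documentation, showing how to consume the JSON that aws sts assume-role prints (aws sts get-session-token, including the MFA variant, returns the same Credentials object) and how to spot a profile that stores a temporary key without its token. ASSUME_ROLE_OUTPUT and CREDENTIALS_FILE are constructed samples in the shapes the CLI prints and the shared credentials file uses; every key, token, ARN and account ID in them is a placeholder, and the five-minute expiry floor is an assumption.

```python
"""Consume `aws sts assume-role` output safely and tell temporary credentials
apart from long-term access keys.

Added example, not from the AWS documentation. The samples below are
constructed in the shapes the CLI prints and the shared credentials file uses;
every key, token, ARN and account ID is a placeholder.
"""
import configparser
import datetime as dt
import json

ASSUME_ROLE_OUTPUT = """{
  "Credentials": {
    "AccessKeyId": "ASIAIOSFODNN7EXAMPLE",
    "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "SessionToken": "FwoGZXIvYXdzEBYaDEXAMPLESESSIONTOKEN",
    "Expiration": "2024-05-01T13:00:00+00:00"
  },
  "AssumedRoleUser": {
    "AssumedRoleId": "AROACLKWSDQRAOEXAMPLE:audit",
    "Arn": "arn:aws:sts::123456789012:assumed-role/Auditor/audit"
  }
}"""

CREDENTIALS_FILE = """[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[audit]
aws_access_key_id = ASIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
aws_session_token = FwoGZXIvYXdzEBYaDEXAMPLESESSIONTOKEN

[broken]
aws_access_key_id = ASIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""


def credential_kind(access_key_id, session_token=None):
    """Classify a credential set by key-ID prefix and presence of a token."""
    if access_key_id.startswith("ASIA"):
        # A temporary key is useless without its token; AWS rejects the call.
        return "temporary" if session_token else "temporary-missing-token"
    if access_key_id.startswith("AKIA"):
        return "long-term"
    return "unknown"


def scan_credentials_file(text):
    """Report the kind of credential stored under each profile."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return {name: credential_kind(cp[name].get("aws_access_key_id", ""),
                                  cp[name].get("aws_session_token"))
            for name in cp.sections()}


def check_assume_role(output_json, now_iso, min_remaining_s=300):
    """Return (usable, reason) for an assume-role response at time now_iso."""
    creds = json.loads(output_json)["Credentials"]
    kind = credential_kind(creds["AccessKeyId"], creds.get("SessionToken"))
    if kind != "temporary":
        return False, f"unexpected credential kind: {kind}"
    expires = dt.datetime.fromisoformat(creds["Expiration"])
    remaining = (expires - dt.datetime.fromisoformat(now_iso)).total_seconds()
    if remaining < min_remaining_s:
        return False, f"expires in {int(remaining)}s, below the {min_remaining_s}s floor"
    return True, f"valid for {int(remaining)}s"


def env_from_assume_role(output_json, now_iso):
    """Map the response onto the environment variables the SDKs and CLI read.
    AWS_SESSION_TOKEN is what distinguishes a temporary set from an access key."""
    usable, reason = check_assume_role(output_json, now_iso)
    if not usable:
        raise ValueError(reason)
    creds = json.loads(output_json)["Credentials"]
    return {"AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
            "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
            "AWS_SESSION_TOKEN": creds["SessionToken"]}


if __name__ == "__main__":
    print(scan_credentials_file(CREDENTIALS_FILE))
    print(env_from_assume_role(ASSUME_ROLE_OUTPUT, "2024-05-01T12:00:00+00:00"))
```

The expiry floor matters for long-running jobs: credentials that are valid now but expire mid-task fail in the middle of the work, so a caller should either refuse them or arrange to re-assume the role before they lapse.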