Console access Programmatic access Externally authenticated users (identity federation)Temporary access keys

Understanding and getting your AWS credentials

AWS requires different types of security credentials depending on how you access AWS. For example, you need a user name and password to sign in to the AWS Management Console and you need access keys to make programmatic calls to AWS or to use the AWS Command Line Interface or AWS Tools for PowerShell.

Considerations

Be sure to save the following in a secure location: the email address associated with your AWS account, the AWS account ID, the root user password, and your account access keys. If you forget or lose your root user password, you must have access to the email address associated with your account in order to reset it. If you forget or lose your access keys, you must sign into your account to create new ones.
We strongly recommend that you create an IAM user with administrator permissions to use for everyday AWS tasks and lock away the password and access keys for the root user. Use the root user only for the tasks that are restricted to the root user.
Security credentials are account-specific. If you have access to multiple AWS accounts, you have separate credentials for each account.
Do not provide your AWS credentials to a third party.

Credentials

Console access
Programmatic access
Externally authenticated users (identity federation)
Temporary access keys

Console access

There are two different types of users in AWS. You are either the account owner (root user) or you are an AWS Identity and Access Management (IAM) user. How you sign in to the AWS Management Console depends on whether you are the root user or an IAM user.

Contents

Root user email address and password
IAM user name and password
Multi-factor authentication (MFA)

Root user email address and password

When you first create an AWS account, you specify an email address for the account and a password for the root user. To sign in to your AWS account as the root user, you provide this email address and password. The root user can sign in to the AWS Management Console and change the account name, email address, and password using the Security Credentials page. If you forget the password for the root user, open the console sign-in page and choose Forgot your password? to reset your password. This process requires access to the email address for the account.

IAM user name and password

IAM users are created by the root user or an IAM administrator within the AWS account. The user who created your IAM user should provide you with either the account alias or 12-digit AWS account ID, the IAM user name, and the password for the IAM user. An IAM user can sign in using either the console sign-in page or the following sign-in URL, replacing account_id_or_alias with either the account alias or AWS account ID provided to you:


https://account_id_or_alias.signin.aws.amazon.com/console/

If you forget the password for your IAM user, contact your IAM administrator or the account owner. If your IAM administrator gave you permissions to manage your own AWS credentials, then you can change your password periodically, which is a security best practice, using the Security Credentials page.

Multi-factor authentication (MFA)

Multi-factor authentication (MFA) provides an extra level of security that you can apply to your AWS account. For additional security, we recommend that you require MFA on the AWS account root user credentials and highly privileged IAM users. For more information, see Using Multi-Factor Authentication (MFA) in AWS in the IAM User Guide.

With MFA enabled, when you sign in to your AWS account, you are prompted for your user name and password, plus an authentication code from an MFA device. Adding MFA provides increased security for your AWS account settings and resources.

By default, MFA (multi-factor authentication) is not enabled. You can enable and manage MFA devices for the AWS account root user by going to the Security Credentials page or the IAM dashboard in the AWS Management Console. For more information about enabling MFA for IAM users, see Enabling MFA Devices in the IAM User Guide.

Programmatic access

You must provide your AWS access keys to make programmatic calls to AWS or to use the AWS Command Line Interface or AWS Tools for PowerShell.

When you create your access keys, you create the access key ID (for example, AKIAIOSFODNN7EXAMPLE) and secret access key (for example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY) as a set. The secret access key is available for download only when you create it. If you don't download your secret access key or if you lose it, you must create a new one.

You can assign up to two access keys per user (root user or IAM user). Having two access keys is useful when you want to rotate them. When you disable an access key, you can't use it, but it counts toward your limit of two access keys. After you delete an access key, it's gone forever and can't be restored, but it can be replaced with a new access key.

To manage access keys when signed in as the root user

Sign in to the AWS Management Console as the root user. For more information, see Sign in as the root user in the IAM User Guide.
In the navigation bar on the upper right, choose your account name or number and then choose My Security Credentials.
Expand the Access keys (access key ID and secret access key) section.
Do one of the following:
- To create an access key, choose Create New Access Key. If you already have two access keys, this button is disabled and you must delete an access key before you can create a new one. When prompted, choose either Show Access Key or Download Key File. This is your only opportunity to save your secret access key. After you've saved your secret access key in a secure location, chose Close.
- To deactivate an access key, choose Make Inactive. When prompted for confirmation, choose Deactivate. A deactivated access key still counts toward your limit of two access keys.
- To activate an access key, choose Make Active.
- To delete an access key when you no longer need it, copy the access key ID and then choose Delete. Before you can delete the access key, you must choose Deactivate. We recommend that you verify that the access key is no longer in use before you permanently delete it. To confirm deletion, paste the access key ID in the text input field and then choose Delete.

To manage access keys when signed in as an IAM user

Sign in to the AWS Management Console as an IAM user. For more information, see Sign in as an IAM user in the IAM User Guide.
In the navigation bar on the upper right, choose your user name and then choose My Security Credentials.

Tip
If you do not see the My Security Credentials page, you might be signed in as a federated user, not an IAM user. You can create and use temporary access keys instead.
Do one of the following:
- To create an access key, choose Create access key. If you already have two access keys, this button is disabled and you must delete an access key before you can create a new one. When prompted, choose either Show secret access key or Download .csv file. This is your only opportunity to save your secret access key. After you've saved your secret access key in a secure location, chose Close.
- To deactivate an access key, choose Make inactive. When prompted for confirmation, choose Deactivate. A deactivated access key still counts toward your limit of two access keys.
- To activate an access key, choose Make active. When prompted for confirmation, choose Make active.
- To delete an access key when you no longer need it, copy the access key ID and then choose Delete. This deactivates the access key. We recommend that you verify that the access key is no longer in use before you permanently delete it. To confirm deletion, paste the access key ID in the text input field and then choose Delete.

Externally authenticated users (identity federation)

Your users might already have identities outside of AWS, such as in your corporate directory. If those users need to work with AWS resources (or work with applications that access those resources), then those users also need AWS security credentials. You can use an IAM role to specify permissions for users whose identity is federated from your organization or a third-party identity provider (IdP). For more information, see Providing access to externally authenticated users (identity federation) in the IAM User Guide.

Temporary access keys

You can also create and use temporary access keys, known as temporary security credentials. In addition to the access key ID and secret access key, temporary security credentials include a security token that you must send to AWS when you use temporary security credentials. The advantage of temporary security credentials is that they are short term. After they expire, they're no longer valid. You can use temporary access keys in less secure environments or distribute them to grant users temporary access to resources in your AWS account. For example, you can grant entities from other AWS accounts access to resources in your AWS account (cross-account access). You can also grant users who don't have AWS security credentials access to resources in your AWS account (federation). For more information, see aws sts assume-role.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

AWS users

AWS account identifiers