Menu
Amazon Web Services
General Reference (Version 1.0)

Managing Access Keys for Your AWS Account

You can create, rotate, disable, or delete access keys (access key IDs and secret access keys) for your AWS account root user. Anyone who has an access key for your AWS account has unrestricted access to all the resources in your account, including billing information.

We recommend that you don't create access keys for your AWS account and delete any that exist. Instead, create a user in AWS Identity and Access Management (IAM) and choose Programmatic access to create an access key for the user. For more information, see Lock away your AWS account root user access keys in the IAM User Guide.

When you create an access key, AWS gives you an opportunity to view and download the secret access key only once. If you don't download it or if you lose it, you can delete the access key and then create a new one.

A newly created access key has the status of active, which means that you can use the access key for API calls. You can have up to two access keys for your AWS account, which is useful when you want to rotate the access keys. When you disable an access key, you can't use it for API calls.

You can create or delete an access key any time. However, when you delete an access key, it's gone forever and can't be retrieved.

Creating, Disabling, and Deleting Access Keys for Your AWS Account

Follow these steps to manage access keys for your AWS account. For information about managing access keys for IAM users, see Managing Access Keys for IAM Users in the IAM User Guide.

To create, disable, or delete an access key for your AWS account root user

  1. Use your AWS account email address and password to sign in to the AWS Management Console as the root user.

    Note

    If you previously signed in to the console with IAM user credentials, your browser might remember this preference and open your account-specific sign-in page. You cannot use the IAM user sign-in page to sign in with your root user credentials. If you see the IAM user sign-in page, choose Sign-in using root account credentials near the bottom of the page to return to the main sign-in page. From there, you can type your AWS account email address and password.

  2. In the top right of the console, choose your account name or number. Then choose My Security Credentials.

  3. Choose Continue to Security Credentials.

  4. Expand the Access Keys (Access Key ID and Secret Access Key) section.

  5. Choose your preferred action:

    To create an access key

    Choose Create New Access Key. Then choose Download Key File to save the access key ID and secret access key to a file on your computer. After you close the dialog box, you can't retrieve this secret access key again.

    To disable an existing access key

    Choose Make Inactive next to the access key that you are disabling. To reenable an inactive access key, choose Make Active.

    To delete an existing access key

    Before you delete an access key, make sure it's no longer in use. For more information, see Finding unused access keys in the IAM User Guide. You can't recover an access key after deleting it. Then, choose Delete next to the access key that you are deleting.