AWS access keys
Use short-term credentials
We recommend configuring your SDK or tool to use IAM Identity Center authentication for your SDK or tool to use extended session duration options.
However, to set up the SDK or tool's temporary credentials directly, see Authenticate using short-term credentials.
Use long-term credentials
Warning
To avoid security risks, don't use IAM users for authentication when developing purpose-built software or working with real data. Instead, use federation with an identity provider such as AWS IAM Identity Center.
Manage access across AWS accounts
As a security best practice, we recommend using AWS Organizations with IAM Identity Center to manage access across all your AWS accounts. For more information, see Security best practices in IAM in the IAM User Guide.
You can create users in IAM Identity Center, use Microsoft Active Directory, use a SAML 2.0 identity provider (IdP), or individually federate your IdP to AWS accounts. Using one of these approaches, you can provide a single sign-on experience for your users. You can also enforce multi-factor authentication (MFA) and use temporary credentials for AWS account access. This differs from an IAM user, which is a long-term credential that can be shared and which might increase the security risk to your AWS resources.
Create IAM users for sandbox environments only
If you're new to AWS, you might create a test IAM user and then use it to run tutorials and explore what AWS has to offer. It's okay to use this type of credential when you're learning, but we recommend that you avoid using it outside of a sandbox environment.
For the following use cases, it might make sense to get started with IAM users in AWS:
-
Getting started with your AWS SDK or tool and exploring AWS services in a sandbox environment.
-
Running scheduled scripts, jobs, and other automated processes that don't support a human-attended sign-in process as part of your learning.
If you're using IAM users outside of these use cases, then transition to IAM Identity Center or federate
your identity provider to AWS accounts as soon as possible. For more information, see
Identity federation in AWS
Secure IAM user access keys
You should rotate IAM user access keys regularly. Follow the guidance in Rotating access keys in the IAM User Guide. If you believe that you have accidentally shared your IAM user access keys, then rotate your access keys.
IAM user access keys should be stored in the shared AWS credentials
file on the local machine.
Don't store the IAM user access keys in your code. Don't include configuration files
that contain your IAM user access keys inside of any source code management software.
External tools, such as the open source project
git-secrets
To set up an IAM user to get started, see Authenticate using long-term credentials.