Managing access keys for IAM users - Amazon Identity and Access Management
Permissions required to manage access keysManaging access keys (console)Managing access keys (Amazon CLI)Managing access keys (Amazon API)Updating access keysSecuring access keysAuditing access keys
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Managing access keys for IAM users

Important

As a best practice, use temporary security credentials (such as IAM roles) instead of creating long-term credentials like access keys. Before creating access keys, review the alternatives to long-term access keys.

Access keys are long-term credentials for an IAM user or the Amazon Web Services account root user. You can use access keys to sign programmatic requests to the Amazon CLI or Amazon API (directly or using the Amazon SDK). For more information, see Signing Amazon API requests.

Access keys consist of two parts: an access key ID (for example, AKIAIOSFODNN7EXAMPLE) and a secret access key (for example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY). You must use both the access key ID and secret access key together to authenticate your requests.

When you create an access key pair, save the access key ID and secret access key in a secure location. The secret access key is available only at the time you create it. If you lose your secret access key, you must delete the access key and create a new one. For more details, see Resetting lost or forgotten passwords or access keys for Amazon.

You can have a maximum of two access keys per user.

Important

Manage your access keys securely. Do not provide your access keys to unauthorized parties, even to help find your account identifiers. By doing this, you might give someone permanent access to your account.

The following topics detail management tasks associated with access keys.

Permissions required to manage access keys

Note

iam:TagUser is an optional permission for adding and editing descriptions for the access key. For more information, see Tagging IAM users

To create access keys for your own IAM user, you must have the permissions from the following policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CreateOwnAccessKeys",
            "Effect": "Allow",
            "Action": [
                "iam:CreateAccessKey",
                "iam:GetUser",
                "iam:ListAccessKeys",
                "iam:TagUser"
            ],
            "Resource": "arn:aws-cn:iam::*:user/${aws:username}"
        }
    ]
}

To update access keys for your own IAM user, you must have the permissions from the following policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ManageOwnAccessKeys",
            "Effect": "Allow",
            "Action": [
                "iam:CreateAccessKey",
                "iam:DeleteAccessKey",
                "iam:GetAccessKeyLastUsed",
                "iam:GetUser",
                "iam:ListAccessKeys",
                "iam:UpdateAccessKey",
                "iam:TagUser"
            ],
            "Resource": "arn:aws-cn:iam::*:user/${aws:username}"
        }
    ]
}

Managing access keys (console)

You can use the Amazon Web Services Management Console to manage the access keys of an IAM user.

To create, modify, or delete your own access keys (console)

  1. Use your Amazon account ID or account alias, your IAM user name, and your password to sign in to the IAM console.

    Note

    For your convenience, the Amazon sign-in page uses a browser cookie to remember your IAM user name and account information. If you previously signed in as a different user, choose Sign in to a different account near the bottom of the page to return to the main sign-in page. From there, you can type your Amazon account ID or account alias to be redirected to the IAM user sign-in page for your account.

    To get your Amazon Web Services account ID, contact your administrator.

  2. In the navigation bar on the upper right, choose your user name, and then choose Security credentials.

    Amazon Management Console Security credentials link

Do one of the following:

To create an access key

  1. In the Access keys section, choose Create access key. If you already have two access keys, this button is deactivated and you must delete an access key before you can create a new one.

  2. On the Access key best practices & alternatives page, choose your use case to learn about additional options which can help you avoid creating a long-term access key. If you determine that your use case still requires an access key, choose Other and then choose Next.

  3. (Optional) Set a description tag value for the access key. This adds a tag key-value pair to your IAM user. This can help you identify and update access keys later. The tag key is set to the access key id. The tag value is set to the access key description that you specify. When you are finished, choose Create access key.

  4. On the Retrieve access keys page, choose either Show to reveal the value of your user's secret access key, or Download .csv file. This is your only opportunity to save your secret access key. After you've saved your secret access key in a secure location, choose Done.

To deactivate an access key

  • In the Access keys section find the key you want to deactivate, then choose Actions, then choose Deactivate. When prompted for confirmation, choose Deactivate. A deactivated access key still counts toward your limit of two access keys.

To activate an access key

  • In the Access keys section, find the key to activate, then choose Actions, then choose Activate.

To delete an access key when you no longer need it

  • In the Access keys section, find the key you want to delete, then choose Actions, then choose Delete. Follow the instructions in the dialog to first Deactivate and then confirm the deletion. We recommend that you verify that the access key is no longer in use before you permanently delete it.

To create, modify, or delete the access keys of another IAM user (console)

  1. Sign in to the Amazon Web Services Management Console and open the IAM console at https://console.amazonaws.cn/iam/.

  2. In the navigation pane, choose Users.

  3. Choose the name of the user whose access keys you want to manage, and then choose the Security credentials tab.

  4. In the Access keys section, do any of the following:

    • To create an access key, choose Create access key. If the button is deactivated, then you must delete one of the existing keys before you can create a new one. On the Access key best practices & alternatives page, review the best practices and alternatives. Choose your use case to learn about additional options which can help you avoid creating a long-term access key. If you determine that your use case still requires an access key, choose Other and then choose Next. On the Retrieve access key page, choose Show to reveal the value of your user's secret access key. To save the access key ID and secret access key to a .csv file to a secure location on your computer, choose the Download .csv file button. When you create an access key for your user, that key pair is active by default, and your user can use the pair right away.

    • To deactivate an active access key, choose Actions, and then choose Deactivate.

    • To activate an inactive access key, choose Actions, and then choose Activate.

    • To delete your access key, choose Actions, and then choose Delete. Follow the instructions in the dialog to first Deactivate and then confirm the deletion. Amazon recommends that before you do this, you first deactivate the key and test that it’s no longer in use. When you use the Amazon Web Services Management Console, you must deactivate your key before deleting it.

To list the access keys for an IAM user (console)

  1. Sign in to the Amazon Web Services Management Console and open the IAM console at https://console.amazonaws.cn/iam/.

  2. In the navigation pane, choose Users.

  3. Choose the name of the intended user, and then choose the Security credentials tab. In the Access keys section, you will see the user's access keys and the status of each key displayed.

    Note

    Only the user's access key ID is visible. The secret access key can only be retrieved when the key is created.

To list the access key IDs for multiple IAM users (console)

  1. Sign in to the Amazon Web Services Management Console and open the IAM console at https://console.amazonaws.cn/iam/.

  2. In the navigation pane, choose Users.

  3. If necessary, add the Access key ID column to the users table by completing the following steps:

    1. Above the table on the far right, choose the settings icon ( Settings icon ).

    2. In Manage columns, select Access key ID.

    3. Choose Close to return to the list of users.

  4. The Access key ID column shows each access key ID, followed by its state; for example, 23478207027842073230762374023 (Active) or 22093740239670237024843420327 (Inactive).

    You can use this information to view and copy the access keys for users with one or two access keys. The column displays None for users with no access key.

    Note

    Only the user's access key ID and status is visible. The secret access key can only be retrieved when the key is created.

To find which IAM user owns a specific access key (console)

  1. Sign in to the Amazon Web Services Management Console and open the IAM console at https://console.amazonaws.cn/iam/.

  2. In the navigation pane, choose Users.

  3. In the search box, type or paste the access key ID of the user you want to find.

  4. If necessary, add the Access key ID column to the users table by completing the following steps:

    1. Above the table on the far right, choose the settings icon ( Settings icon ).

    2. In Manage columns, select Access key ID.

    3. Choose Close to return to the list of users and confirm that the filtered user owns the specified access key.

Managing access keys (Amazon CLI)

To manage the IAM user access keys from the Amazon CLI, run the following commands.

Managing access keys (Amazon API)

To manage the access keys of an IAM user from the Amazon API, call the following operations.

Updating access keys

As a security best practice, we recommend that you update IAM user access keys when needed, such as when an employee leaves your company. IAM users can update their own access keys if they have been granted the necessary permissions.

For details about granting IAM users permissions to update their own access keys, see Amazon: Allows IAM users to manage their own password, access keys, and SSH public keys on the Security credentials page. You can also apply a password policy to your account to require that all of your IAM users periodically update their passwords and how often they must do so. For more information, see Setting an account password policy for IAM users.

Updating IAM user access keys (console)

You can update access keys from the Amazon Web Services Management Console.

To update access keys for an IAM user without interrupting your applications (console)

  1. While the first access key is still active, create a second access key.

    1. Sign in to the Amazon Web Services Management Console and open the IAM console at https://console.amazonaws.cn/iam/.

    2. In the navigation pane, choose Users.

    3. Choose the name of the intended user, and then choose the Security credentials tab.

    4. In the Access keys section, choose Create access key. On the Access key best practices & alternatives page, choose Other, then choose Next.

    5. (Optional) Set a description tag value for the access key to add a tag key-value pair to this IAM user. This can help you identify and update access keys later. The tag key is set to the access key id. The tag value is set to the access key description that you specify. When you are finished, choose Create access key.

    6. On the Retrieve access keys page, choose either Show to reveal the value of your user's secret access key, or Download .csv file. This is your only opportunity to save your secret access key. After you've saved your secret access key in a secure location, choose Done.

      When you create an access key for your user, that key pair is active by default, and your user can use the pair right away. At this point, the user has two active access keys.

  2. Update all applications and tools to use the new access key.

  3. Determine whether the first access key is still in use by reviewing the Last used information for the oldest access key. One approach is to wait several days and then check the old access key for any use before proceeding.

  4. Even if the Last used information indicates that the old key has never been used, we recommend that you do not immediately delete the first access key. Instead, choose Actions and then choose Deactivate to deactivate the first access key.

  5. Use only the new access key to confirm that your applications are working. Any applications and tools that still use the original access key will stop working at this point because they no longer have access to Amazon resources. If you find such an application or tool, you can reactivate the first access key. Then return to Step 3 and update this application to use the new key.

  6. After you wait some period of time to ensure that all applications and tools have been updated, you can delete the first access key:

    1. Sign in to the Amazon Web Services Management Console and open the IAM console at https://console.amazonaws.cn/iam/.

    2. In the navigation pane, choose Users.

    3. Choose the name of the intended user, and then choose the Security credentials tab.

    4. In the Access keys section for the access key you want to delete, choose Actions, and then choose Delete. Follow the instructions in the dialog to first Deactivate and then confirm the deletion.

To determine which access keys need to be updated or deleted(console)

  1. Sign in to the Amazon Web Services Management Console and open the IAM console at https://console.amazonaws.cn/iam/.

  2. In the navigation pane, choose Users.

  3. If necessary, add the Access key age column to the users table by completing the following steps:

    1. Above the table on the far right, choose the settings icon ( Settings icon ).

    2. In Manage columns, select Access key age.

    3. Choose Close to return to the list of users.

  4. The Access key age column shows the number of days since the oldest active access key was created. You can use this information to find users with access keys that might need to be updated or deleted. The column displays None for users with no access key.

Updating access keys (Amazon CLI)

You can update access keys from the Amazon Command Line Interface.

To update access keys without interrupting your applications (Amazon CLI)

  1. While the first access key is still active, create a second access key, which is active by default. Run the following command:

  2. Update all applications and tools to use the new access key.

  3. Determine whether the first access key is still in use by using this command:

    One approach is to wait several days and then check the old access key for any use before proceeding.

  4. Even if step Step 3 indicates no use of the old key, we recommend that you do not immediately delete the first access key. Instead, change the state of the first access key to Inactive using this command:

  5. Use only the new access key to confirm that your applications are working. Any applications and tools that still use the original access key will stop working at this point because they no longer have access to Amazon resources. If you find such an application or tool, you can switch its state back to Active to reactivate the first access key. Then return to step Step 2 and update this application to use the new key.

  6. After you wait some period of time to ensure that all applications and tools have been updated, you can delete the first access key with this command:

Updating access keys (Amazon API)

You can update access keys using the Amazon API.

To update access keys without interrupting your applications (Amazon API)

  1. While the first access key is still active, create a second access key, which is active by default. Call the following operation:

  2. Update all applications and tools to use the new access key.

  3. Determine whether the first access key is still in use by calling this operation:

    One approach is to wait several days and then check the old access key for any use before proceeding.

  4. Even if step Step 3 indicates no use of the old key, we recommend that you do not immediately delete the first access key. Instead, change the state of the first access key to Inactive calling this operation:

  5. Use only the new access key to confirm that your applications are working. Any applications and tools that still use the original access key will stop working at this point because they no longer have access to Amazon resources. If you find such an application or tool, you can switch its state back to Active to reactivate the first access key. Then return to step Step 2 and update this application to use the new key.

  6. After you wait some period of time to ensure that all applications and tools have been updated, you can delete the first access key calling this operation:

Securing access keys

Anyone who has your access keys has the same level of access to your Amazon resources that you do. Consequently, Amazon goes to significant lengths to protect your access keys, and, in keeping with our shared-responsibility model, you should as well.

Expand the following sections for guidance to help you protect your access keys.

Note

Your organization may have different security requirements and policies than those described in this topic. The suggestions provided here are intended as general guidelines.

One of the best ways to protect your account is to not have access keys for your Amazon Web Services account root user. Unless you must have root user access keys (which is rare), it is best not to generate them. Instead, create an administrative user in Amazon IAM Identity Center for daily administrative tasks.For information about how to create an administrative user in IAM Identity Center, see in the IAM Identity Center User Guide.

If you already have root user access keys for your account, we recommend the following: Find places in your applications where you are currently using access keys (if any), and replace the root user access keys with IAM user access keys. Then disable and remove the root user access keys. For more information about how to update access keys, see Updating access keys

In many scenarios, you don't need long-term access keys that never expire (as you have with an IAM user). Instead, you can create IAM roles and generate temporary security credentials. Temporary security credentials consist of an access key ID and a secret access key, but they also include a security token that indicates when the credentials expire.

Long-term access keys, such as those associated with IAM users and the root user, remain valid until you manually revoke them. However, temporary security credentials obtained through IAM roles and other features of the Amazon Security Token Service expire after a short period of time. Use temporary security credentials to help reduce your risk in case credentials are accidentally exposed.

Use an IAM role and temporary security credentials in these scenarios:

  • You have an application or Amazon CLI scripts running on an Amazon EC2 instance. Don't use access keys directly in your application. Don't pass access keys to the application, embed them in the application, or let the application read access keys from any source. Instead, define an IAM role that has appropriate permissions for your application and launch the Amazon Elastic Compute Cloud (Amazon EC2) instance with roles for EC2. Doing this associates an IAM role with the Amazon EC2 instance. This practice also enables the application to get temporary security credentials that it can in turn use to make programmatic calls to Amazon. The Amazon SDKs and the Amazon Command Line Interface (Amazon CLI) can get temporary credentials from the role automatically.

  • You need to grant cross-account access. Use an IAM role to establish trust between accounts, and then grant users in one account limited permissions to access the trusted account. For more information, see IAM tutorial: Delegate access across Amazon accounts using IAM roles.

  • You have a mobile app. Don't embed access keys with the app, even in encrypted storage. Instead, use Amazon Cognito to manage user identities in your app. This service lets you authenticate users using Login with Amazon, Facebook, Google, or any OpenID Connect (OIDC)–compatible identity provider. You can then use the Amazon Cognito credentials provider to manage credentials that your app uses to make requests to Amazon.

  • You want to federate into Amazon and your organization supports SAML 2.0. If you work for an organization that has an identity provider that supports SAML 2.0, configure the provider to use SAML. You can use SAML to exchange authentication information with Amazon and get back a set of temporary security credentials. For more information, see SAML 2.0 federation.

  • You want to federate into Amazon and your organization has an on-premises identity store. If users can authenticate inside your organization, you can write an application that can issue them temporary security credentials for access to Amazon resources. For more information, see Enabling custom identity broker access to the Amazon console.

Note

Are you using an Amazon EC2 instance with an application that requires programmatic access to Amazon resources? If so, use IAM roles for EC2.

If you must create access keys for programmatic access to Amazon, create them for IAM users, granting the users only the permissions they require.

Observe these precautions to help protect IAM user access keys:

  • Don't embed access keys directly into code. The Amazon SDKs and the Amazon Command Line Tools enable you to put access keys in known locations so that you don't have to keep them in code.

    Put access keys in one of the following locations:

    • The Amazon credentials file. The Amazon SDKs and Amazon CLI automatically use the credentials that you store in the Amazon credentials file.

      For information about using the Amazon credentials file, see the documentation for your SDK. Examples include Set Amazon Credentials and Region in the Amazon SDK for Java Developer Guide and Configuration and credential files in the Amazon Command Line Interface User Guide.

      To store credentials for the Amazon SDK for .NET and the Amazon Tools for Windows PowerShell, we recommend that you use the SDK Store. For more information, see Using the SDK Store in the Amazon SDK for .NET Developer Guide.

    • Environment variables. On a multi-tenant system, choose user environment variables, not system environment variables.

      For more information about using environment variables to store credentials, see Environment Variables in the Amazon Command Line Interface User Guide.

  • Use different access keys for different applications. Do this so that you can isolate the permissions and revoke the access keys for individual applications if they are exposed. Having separate access keys for different applications also generates distinct entries in Amazon CloudTrail log files. This configuration makes it easier for you to determine which application performed specific actions.

  • Update access keys when needed. If there is a risk that the access key could be compromised, update the access key and delete the previous access key. For details, see Updating access keys

  • Remove unused access keys. If a user leaves your organization, remove the corresponding IAM user so that the user can no longer access your resources. To find out when an access key was last used, use the GetAccessKeyLastUsed API (Amazon CLI command: aws iam get-access-key-last-used).

  • Use temporary credentials and configure multi-factor authentication for your most sensitive API operations. With IAM policies, you can specify which API operations a user is allowed to call. In some cases, you might want the additional security of requiring users to be authenticated with Amazon MFA before you allow them to perform particularly sensitive actions. For example, you might have a policy that allows a user to perform the Amazon EC2 RunInstances, DescribeInstances, and StopInstances actions. But you might want to restrict a destructive action like TerminateInstances and ensure that users can perform that action only if they authenticate with an Amazon MFA device. For more information, see Configuring MFA-protected API access.

You can access a limited set of Amazon services and features using the Amazon mobile app. The mobile app helps you support incident response while on the go. For more information and to download the app, see Amazon Console Mobile Application.

You can sign in to the mobile app using your console password or your access keys. As a best practice, do not use root user access keys. Instead, we strongly recommend that in addition to using a password or biometric lock on your mobile device, you create an IAM user specifically for managing Amazon resources using the mobile app. If you lose your mobile device, you can remove the IAM user's access.

To sign in using access keys (mobile app)

  1. Open the app on your mobile device.

  2. If this is the first time that you're adding an identity to the device, choose Add an identity and then choose Access keys.

    If you have already signed in using another identity, choose the menu icon and choose Switch identity. Then choose Sign in as a different identity and then Access keys.

  3. On the Access keys page, enter your information:

    • Access key ID – Enter your access key ID.

    • Secret access key – Enter your secret access key.

    • Identity name – Enter the name of the identity that will appear in the mobile app. This does not need to match your IAM user name.

    • Identity PIN – Create a personal identification number (PIN) that you will use for future sign-ins.

      Note

      If you enable biometrics for the Amazon mobile app, you will be prompted to use your fingerprint or facial recognition for verification instead of the PIN. If the biometrics fail, you might be prompted for the PIN instead.

  4. Choose Verify and add keys.

    You can now access a select set of your resources using the mobile app.

The following topics provide guidance for setting up the Amazon SDKs and the Amazon CLI to use access keys:

Auditing access keys

You can review the Amazon access keys in your code to determine whether the keys are from an account that you own. You can pass an access key ID using the aws sts get-access-key-info Amazon CLI command or the GetAccessKeyInfo Amazon API operation.

The Amazon CLI and Amazon API operations return the ID of the Amazon Web Services account to which the access key belongs. Access key IDs beginning with AKIA are long-term credentials for an IAM user or an Amazon Web Services account root user. Access key IDs beginning with ASIA are temporary credentials that are created using Amazon STS operations. If the account in the response belongs to you, you can sign in as the root user and review your root user access keys. Then, you can pull a credentials report to learn which IAM user owns the keys. To learn who requested the temporary credentials for an ASIA access key, view the Amazon STS events in your CloudTrail logs.

For security purposes, you can review Amazon CloudTrail logs to learn who performed an action in Amazon. You can use the sts:SourceIdentity condition key in the role trust policy to require users to specify an identity when they assume a role. For example, you can require that IAM users specify their own user name as their source identity. This can help you determine which user performed a specific action in Amazon. For more information, see sts:SourceIdentity.

This operation does not indicate the state of the access key. The key might be active, inactive, or deleted. Active keys might not have permissions to perform an operation. Providing a deleted access key might return an error that the key doesn't exist.