Amazon security credentials - Amazon Identity and Access Management
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon security credentials

When you interact with Amazon, you specify your Amazon security credentials to verify who you are and whether you have permission to access the resources that you are requesting. Amazon uses the security credentials to authenticate and authorize your requests.

For example, if you want to download a protected file from an Amazon Simple Storage Service (Amazon S3) bucket, your credentials must allow that access. If your credentials don't show you are authorized to download the file, Amazon denies your request. However, your Amazon security credentials aren't required for you to download a file in an Amazon S3 bucket that is publicly shared.

There are different types of users in Amazon, each with their own security credentials:

  • Account owner (root user) — The user who created the Amazon Web Services account and has full access.

  • Amazon IAM Identity Center users — Users managed in Amazon IAM Identity Center.

  • Federated users — Users from external identity providers who are granted temporary access to Amazon through federation. For more information about federated identities, see Identity providers and federation.

  • IAM users — Individual users created within the Amazon Identity and Access Management (IAM) service.

Users have either long-term or temporary security credentials. The root user and IAM users have long-term security credentials (passwords and access keys) that do not expire. To protect long-term credentials, have processes in place to manage access keys, change passwords, and enable MFA. For more information, see Security best practices and use cases in Amazon Identity and Access Management.

IAM roles, users in Amazon IAM Identity Center, and federated users have temporary security credentials. Temporary security credentials expire after a defined period of time or when the user ends their session. Temporary credentials work almost identically to long-term credentials, with the following differences:

  • Temporary security credentials are short-term, as the name implies. They can be configured to last for anywhere from a few minutes to several hours. After the credentials expire, Amazon no longer recognizes them or allows any kind of access from API requests made with them.

  • Temporary security credentials are not stored with the user but are generated dynamically and provided to the user when requested. When (or even before) the temporary security credentials expire, the user can request new credentials, as long as the user requesting them still has permissions to do so.

As a result, temporary credentials have the following advantages over long-term credentials:

  • You do not have to distribute or embed long-term Amazon security credentials with an application.

  • You can provide access to your Amazon resources to users without having to define an Amazon identity for them. Temporary credentials are the basis for roles and identity federation.

  • The temporary security credentials have a limited lifetime, so you do not have to update them or explicitly revoke them when they're no longer needed. After temporary security credentials expire, they cannot be reused. You can specify how long the credentials are valid, up to a maximum limit.
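The refresh behavior described above (credentials are generated on request, expire after a set duration, and can be renewed before they expire) is what an SDK's credential provider does for you. The following is an added example, not code from this guide or from any Amazon SDK: a small provider that renews a set of temporary credentials shortly before their `Expiration`. The `fetch` callable stands in for an STS call such as AssumeRole, and the fake STS, the clock, and every key value are constructed placeholders so the example runs offline.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

# Smallest DurationSeconds STS accepts for AssumeRole (15 minutes).
MIN_DURATION_SECONDS = 900
# Renew this long before expiry so a request already in flight does not fail.
REFRESH_MARGIN = timedelta(minutes=5)


@dataclass(frozen=True)
class TemporaryCredentials:
    access_key_id: str
    secret_access_key: str
    session_token: str
    expiration: datetime  # timezone-aware UTC, as STS returns it

    def expires_within(self, margin: timedelta, now: datetime) -> bool:
        return self.expiration - now <= margin


def parse_sts_response(resp: dict) -> TemporaryCredentials:
    """Map the Credentials element of an STS AssumeRole/GetSessionToken
    response to a TemporaryCredentials record."""
    c = resp["Credentials"]
    exp = c["Expiration"]
    if isinstance(exp, str):  # SDKs return a datetime; raw JSON carries an ISO string
        exp = datetime.fromisoformat(exp.replace("Z", "+00:00"))
    return TemporaryCredentials(c["AccessKeyId"], c["SecretAccessKey"],
                                c["SessionToken"], exp)


class RefreshingCredentialProvider:
    """Hands out temporary credentials and calls `fetch` for a fresh set when
    the current one is within REFRESH_MARGIN of expiring. `fetch` stands in
    for an STS call (hypothetical stand-in, not an SDK API); `clock` is
    injectable so the behavior can be exercised offline."""

    def __init__(self, fetch: Callable[[], dict],
                 clock: Callable[[], datetime] = lambda: datetime.now(timezone.utc),
                 margin: timedelta = REFRESH_MARGIN):
        self._fetch = fetch
        self._clock = clock
        self._margin = margin
        self._current: Optional[TemporaryCredentials] = None
        self.refresh_count = 0

    def get(self) -> TemporaryCredentials:
        now = self._clock()
        if self._current is None or self._current.expires_within(self._margin, now):
            self._current = parse_sts_response(self._fetch())
            self.refresh_count += 1
            if self._current.expiration <= now:
                raise RuntimeError("STS returned credentials that are already expired")
        return self._current


# --- Constructed, offline stand-in for STS ---------------------------------
def make_fake_sts(clock: Callable[[], datetime], duration_seconds: int = 3600):
    """Return a fetch() whose result has the shape of an STS response.
    Key ids, secrets and tokens are placeholders, not real credentials."""
    if duration_seconds < MIN_DURATION_SECONDS:
        raise ValueError("DurationSeconds below the STS minimum")
    counter = {"n": 0}

    def fetch() -> dict:
        counter["n"] += 1
        return {
            "Credentials": {
                "AccessKeyId": f"ASIAEXAMPLE{counter['n']:04d}",
                "SecretAccessKey": "example-secret",
                "SessionToken": f"example-token-{counter['n']}",
                "Expiration": clock() + timedelta(seconds=duration_seconds),
            }
        }
    return fetch


def demo():
    """Move a fake clock across one expiry and report what the provider did."""
    t = {"now": datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)}
    clock = lambda: t["now"]
    provider = RefreshingCredentialProvider(make_fake_sts(clock), clock)
    first = provider.get()               # initial fetch, valid until 13:00
    t["now"] += timedelta(minutes=30)
    same = provider.get()                # 30 min left: same credentials
    t["now"] += timedelta(minutes=26)
    renewed = provider.get()             # 4 min left: renewed before expiry
    return first, same, renewed, provider.refresh_count


if __name__ == "__main__":
    first, same, renewed, count = demo()
    print(first.access_key_id, renewed.access_key_id, count)
```

The margin matters: a caller that only checks `Expiration` after a request fails will see the "no longer recognizes them" behavior described above on a live call. Renewing a few minutes early keeps the switch-over invisible to the application, and because the old set simply expires, nothing has to be revoked.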

Security considerations

We recommend that you consider the following information when determining the security provisions for your Amazon Web Services account:

  • When you create an Amazon Web Services account, we create the account root user. The credentials of the root user (account owner) allow full access to all resources in the account. The first task you perform with the root user is to grant another user administrative permissions to your Amazon Web Services account so that you minimize the usage of the root user.

  • Multi-factor authentication (MFA) provides an extra level of security for users who can access your Amazon Web Services account. For additional security, we recommend that you require MFA on the Amazon Web Services account root user credentials and all IAM users. For more information, see Amazon Multi-factor authentication in IAM.

  • Amazon requires different types of security credentials, depending on how you access Amazon and what type of Amazon user you are. For example, you use sign-in credentials for the Amazon Web Services Management Console while you use access keys to make programmatic calls to Amazon. For help determining your user type and sign-in page, see What is Amazon Sign-In in the Amazon Sign-In User Guide.

  • You can't use IAM policies to deny the root user access to resources explicitly. You can only use an Amazon Organizations service control policy (SCP) to limit the permissions of the root user.

  • If you forget or lose your root user password, you must have access to the email address associated with your account in order to reset it.

  • If you lose your root user access keys, you must be able to sign in to your account as the root user to create new ones.

  • Do not use the root user for your everyday tasks. Use it to perform the tasks that only the root user can perform. For the complete list of tasks that require you to sign in as the root user, see Tasks that require root user credentials.

  • Security credentials are account-specific. If you have access to multiple Amazon Web Services accounts, you have separate credentials for each account.

  • Policies determine what actions a user, role, or member of a user group can perform, on which Amazon resources, and under what conditions. Using policies, you can securely control access to Amazon Web Services services and resources in your Amazon Web Services account. If you must modify or revoke permissions in response to a security event, you delete or modify the policies instead of making changes directly to the identity.

  • Be sure to save the sign-in credentials for your Emergency Access IAM user and any access keys you created for programmatic access in a secure location. If you lose your access keys, you must sign in to your account to create new ones.

  • We strongly recommend that you use temporary credentials provided by IAM roles and federated users instead of the long-term credentials provided by IAM users and access keys.
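Several of the considerations above (no MFA on the root user or on IAM users with console passwords, active root access keys, and long-term access keys that are never rotated or never used) can be checked from the account's credential report. The following is an added example, not code from this guide: it audits a report in the CSV layout returned by the IAM GetCredentialReport API. The sample report, the account ID 123456789012, the user names and the 90-day and 30-day thresholds are constructed for the example; a real report has more columns than the ones read here, which `csv.DictReader` ignores.

```python
import csv
import io
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Constructed sample report. Column names follow the IAM credential report;
# values such as N/A, no_information and not_supported appear as IAM emits them.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2023-01-10T09:00:00+00:00,not_supported,2024-05-01T08:00:00+00:00,not_supported,not_supported,false,true,2023-01-10T09:00:00+00:00,2024-04-30T10:00:00+00:00,false,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,2023-02-01T09:00:00+00:00,true,2024-05-02T08:00:00+00:00,2024-03-01T09:00:00+00:00,2024-05-30T09:00:00+00:00,true,true,2024-04-15T09:00:00+00:00,2024-05-02T08:00:00+00:00,false,N/A,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2022-06-01T09:00:00+00:00,false,no_information,N/A,N/A,false,true,2022-06-01T09:00:00+00:00,2024-05-02T08:00:00+00:00,true,2023-11-01T09:00:00+00:00,N/A
bob,arn:aws:iam::123456789012:user/bob,2023-09-01T09:00:00+00:00,true,no_information,2023-09-01T09:00:00+00:00,2023-11-30T09:00:00+00:00,false,false,N/A,N/A,false,N/A,N/A
"""

# Fixed "now" so the sample produces stable results (constructed).
FIXED_NOW = datetime(2024, 5, 3, 0, 0, tzinfo=timezone.utc)

ROOT_USER = "<root_account>"
_NO_VALUE = {"N/A", "no_information", "not_supported", ""}


def _parse_ts(value: str) -> Optional[datetime]:
    """Return an aware datetime, or None for the report's 'no value' markers."""
    if value in _NO_VALUE:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_credential_report(report_csv: str, now: datetime,
                            max_key_age_days: int = 90,
                            unused_key_days: int = 30) -> List[Tuple[str, str]]:
    """Return (user, finding) pairs for the conditions this guide warns about."""
    findings: List[Tuple[str, str]] = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == ROOT_USER

        # Root user: MFA required, and no long-term access keys at all.
        if is_root and row["mfa_active"] != "true":
            findings.append((user, "root user has no MFA device"))
        if is_root and any(row[f"access_key_{i}_active"] == "true" for i in (1, 2)):
            findings.append((user, "root user has active access keys; delete them"))

        # IAM users who can sign in to the console need MFA too.
        if not is_root and row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password enabled without MFA"))

        # Long-term access keys: rotate on a schedule, remove keys nobody uses.
        for i in (1, 2):
            if row[f"access_key_{i}_active"] != "true":
                continue
            rotated = _parse_ts(row[f"access_key_{i}_last_rotated"])
            age = (now - rotated).days if rotated else None
            if age is not None and age > max_key_age_days:
                findings.append((user, f"access_key_{i} is {age} days old (limit {max_key_age_days})"))
            last_used = _parse_ts(row[f"access_key_{i}_last_used_date"])
            if last_used is None and age is not None and age > unused_key_days:
                findings.append((user, f"access_key_{i} has never been used; consider deleting it"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT, FIXED_NOW):
        print(f"{user}: {finding}")
```

In the sample, `alice` (MFA on, key rotated 18 days ago) produces nothing, `bob` is flagged for a console password without MFA, `ci-deploy` for two stale keys of which one has never been used, and the root user for missing MFA and an old, active access key. Running the same function over a real report on a schedule is one concrete form of the "processes in place" this page asks for.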