Amazon access keys - Amazon SDKs and Tools
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon access keys

Use short-term credentials

We recommend configuring your SDK or tool to use IAM Identity Center authentication. Besides giving the SDK or tool temporary credentials, this lets you use extended session duration options.

However, to set up the SDK or tool's temporary credentials directly, see Authenticate using short-term credentials.

Use long-term credentials

Warning

To avoid security risks, don't use IAM users for authentication when developing purpose-built software or working with real data. Instead, use federation with an identity provider such as Amazon IAM Identity Center.

Manage access across Amazon Web Services accounts

As a security best practice, we recommend using Amazon Organizations with IAM Identity Center to manage access across all your Amazon Web Services accounts. For more information, see Security best practices in IAM in the IAM User Guide.

You can create users in IAM Identity Center, use Microsoft Active Directory, use a SAML 2.0 identity provider (IdP), or individually federate your IdP to Amazon Web Services accounts. With any of these approaches, you can give your users a single sign-on experience, enforce multi-factor authentication (MFA), and use temporary credentials for Amazon Web Services account access. An IAM user is different: its access keys are long-term credentials that don't expire until you rotate or delete them, can be copied and shared, and therefore increase the security risk to your Amazon resources.

Create IAM users for sandbox environments only

If you're new to Amazon, you might create a test IAM user and then use it to run tutorials and explore what Amazon has to offer. It's okay to use this type of credential when you're learning, but we recommend that you avoid using it outside of a sandbox environment.

For the following use cases, it might make sense to get started with IAM users in Amazon:

  • Getting started with your Amazon SDK or tool and exploring Amazon Web Services services in a sandbox environment.

  • Running scheduled scripts, jobs, and other automated processes that don't support a human-attended sign-in process as part of your learning.

If you're using IAM users outside of these use cases, then transition to IAM Identity Center or federate your identity provider to Amazon Web Services accounts as soon as possible. For more information, see Identity federation in Amazon.

Secure IAM user access keys

You should rotate IAM user access keys regularly. Follow the guidance in Rotating access keys in the IAM User Guide. If you believe that you have accidentally shared your IAM user access keys, then rotate your access keys.
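The rotation sequence the IAM guidance describes, as an added example (not AWS SDK code and not from this page): create the replacement key while the old one still works, install it where the SDK reads it from, verify it, deactivate the old key, and delete the old key only in a separate step after a soak period. The `iam` argument is any object exposing the boto3 IAM client methods `list_access_keys`, `create_access_key`, `update_access_key` and `delete_access_key`; with the real SDK you would pass `boto3.client("iam")` and a `verify` callback that calls `sts:GetCallerIdentity` with the new key. The helper names (`write_profile_credentials`, `rotate_access_key`, `retire_access_key`), the `FakeIam` stand-in and the constructed key IDs are assumptions of this example.

```python
import configparser
import os
from pathlib import Path

MAX_KEYS_PER_USER = 2  # IAM allows at most two access keys per user


def write_profile_credentials(credentials_path, profile, access_key_id, secret_access_key):
    """Put a key pair in the shared credentials file (never in source code).

    Returns the (id, secret) the profile held before, or None, so a failed
    rotation can be rolled back. The file is written owner-only (0600).
    """
    path = Path(credentials_path).expanduser()
    cfg = configparser.ConfigParser()
    cfg.read(path)
    previous = None
    if cfg.has_section(profile):
        if cfg.has_option(profile, "aws_access_key_id"):
            previous = (cfg.get(profile, "aws_access_key_id"),
                        cfg.get(profile, "aws_secret_access_key", fallback=""))
    else:
        cfg.add_section(profile)
    cfg.set(profile, "aws_access_key_id", access_key_id)
    cfg.set(profile, "aws_secret_access_key", secret_access_key)
    path.parent.mkdir(parents=True, exist_ok=True)
    with open(path, "w") as fh:
        cfg.write(fh)
    os.chmod(path, 0o600)
    return previous


def rotate_access_key(iam, user_name, verify, credentials_path, profile="default"):
    """Create a new key, install it, verify it, then deactivate the old key(s).

    verify(access_key_id, secret_access_key) -> bool must prove the new key
    works (with the real SDK: call sts:GetCallerIdentity using that key).
    Returns (new_key_id, [deactivated_old_key_ids]).
    """
    keys = iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]
    if len(keys) >= MAX_KEYS_PER_USER:
        raise RuntimeError(f"{user_name} already has {len(keys)} access keys; "
                           "retire an unused key before rotating")
    old_ids = [k["AccessKeyId"] for k in keys]

    # 1. Create the replacement while the old key still works (no outage).
    new = iam.create_access_key(UserName=user_name)["AccessKey"]
    new_id, new_secret = new["AccessKeyId"], new["SecretAccessKey"]

    # 2. Distribute it to where the SDK reads it from: the credentials file.
    previous = write_profile_credentials(credentials_path, profile, new_id, new_secret)

    # 3. Prove the new key works before touching the old one; otherwise roll back.
    if not verify(new_id, new_secret):
        iam.delete_access_key(UserName=user_name, AccessKeyId=new_id)
        if previous:
            write_profile_credentials(credentials_path, profile, *previous)
        raise RuntimeError("new access key failed verification; old key left active")

    # 4. Deactivate, do not delete: an Inactive key can be re-enabled if some
    #    forgotten job still depends on it. Deletion is retire_access_key().
    for old_id in old_ids:
        iam.update_access_key(UserName=user_name, AccessKeyId=old_id, Status="Inactive")
    return new_id, old_ids


def retire_access_key(iam, user_name, access_key_id):
    """5. Delete the old key once nothing has broken during the soak period."""
    status = {k["AccessKeyId"]: k["Status"]
              for k in iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]}
    if status.get(access_key_id) != "Inactive":
        raise RuntimeError(f"{access_key_id} is {status.get(access_key_id)}, "
                           "not Inactive; deactivate it first")
    iam.delete_access_key(UserName=user_name, AccessKeyId=access_key_id)


class FakeIam:
    """In-memory stand-in for the boto3 IAM client (constructed for this example)."""

    def __init__(self, existing_key_ids):
        self.keys = {k: "Active" for k in existing_key_ids}
        self.created = 0

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [{"AccessKeyId": k, "Status": s}
                                      for k, s in self.keys.items()]}

    def create_access_key(self, UserName):
        self.created += 1
        key_id = f"AKIAEXAMPLENEW{self.created:06d}"  # 20-character constructed ID
        self.keys[key_id] = "Active"
        return {"AccessKey": {"AccessKeyId": key_id,
                              "SecretAccessKey": f"constructed-secret-{self.created}"}}

    def update_access_key(self, UserName, AccessKeyId, Status):
        self.keys[AccessKeyId] = Status

    def delete_access_key(self, UserName, AccessKeyId):
        del self.keys[AccessKeyId]
```

To try it offline, call `rotate_access_key(FakeIam(["AKIAEXAMPLEOLD000001"]), "alice", lambda k, s: True, "/tmp/credentials")`, then `retire_access_key(...)` with the returned old key ID. The two-step split matters in practice: if a job starts failing after rotation, setting the old key back to `Active` restores it instantly, whereas a deleted key is gone for good.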

IAM user access keys should be stored in the shared Amazon credentials file on the local machine (~/.aws/credentials on Linux and macOS, %USERPROFILE%\.aws\credentials on Windows). Don't store the IAM user access keys in your code. Don't commit configuration files that contain your IAM user access keys to any source code management system. External tools, such as the open source project git-secrets, can help prevent you from inadvertently committing sensitive information to a Git repository. For more information, see IAM Identities (users, user groups, and roles) in the IAM User Guide.
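The kind of check git-secrets performs, as an added example written for this page (it is not git-secrets itself and not from the page): the access key ID prefixes and the two documentation example credentials it allows are modeled on what `git secrets --register-aws` installs, while the 40-character secret pattern is a simplified version. `scan_text` runs over a constructed sample of a credentials file and a shell script that were staged by mistake; `main` turns it into a pre-commit hook by scanning the staged copy of each file via `git show :path`. The function names and the sample are assumptions of this example.

```python
import re
import subprocess
import sys

# Long-term (AKIA...) and temporary (ASIA...) key IDs share the layout
# 4-character prefix + 16 uppercase alphanumerics; prefix list as in git-secrets.
ACCESS_KEY_ID = re.compile(
    r"(?<![A-Z0-9])(?:A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)"
    r"[A-Z0-9]{16}(?![A-Z0-9])")
# A 40-character base64-like value assigned to a name that looks like a secret key.
SECRET_ACCESS_KEY = re.compile(
    r"(?i)(?:aws_?)?secret_?(?:access_?)?key\s*[:=]\s*['\"]?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")
# The AWS documentation's placeholder credentials, which git-secrets allows by default.
ALLOWED = {"AKIAIOSFODNN7EXAMPLE", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"}


def scan_text(text):
    """Return (line_number, kind, value) for every key-like token not in ALLOWED."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID.finditer(line):
            if m.group(0) not in ALLOWED:
                findings.append((number, "access_key_id", m.group(0)))
        for m in SECRET_ACCESS_KEY.finditer(line):
            if m.group(1) not in ALLOWED:
                findings.append((number, "secret_access_key", m.group(1)))
    return findings


def mask(value):
    """Show just enough of a credential to identify it; never echo the whole value."""
    return value[:4] + "..." + value[-4:]


def staged_files():
    """Paths of files added, copied or modified in the index."""
    out = subprocess.run(["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
                         check=True, capture_output=True, text=True).stdout
    return [p for p in out.splitlines() if p]


def staged_content(path):
    """The staged (index) version of a file, not the working-tree copy."""
    return subprocess.run(["git", "show", f":{path}"], check=True,
                          capture_output=True, text=True, errors="replace").stdout


def main():
    """Pre-commit hook body: non-zero exit blocks the commit."""
    failed = False
    for path in staged_files():
        for number, kind, value in scan_text(staged_content(path)):
            print(f"{path}:{number}: {kind} {mask(value)} looks like an AWS credential")
            failed = True
    return 1 if failed else 0


# Constructed sample input: a credentials file and a shell script staged by mistake.
SAMPLE = """\
# constructed sample: a credentials file and a shell script that were staged by mistake
[default]
aws_access_key_id = AKIAEXAMPLE012345678
aws_secret_access_key = abcdefghijklmnopqrstuvwxyz0123456789ABCD
region = us-east-1
[docs-example]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
export AWS_ACCESS_KEY_ID=ASIAEXAMPLE012345678
export AWS_SECRET_ACCESS_KEY='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmn'
"""

if __name__ == "__main__":
    if "--demo" in sys.argv:  # scan the constructed sample instead of the git index
        for number, kind, value in scan_text(SAMPLE):
            print(f"sample:{number}: {kind} {mask(value)}")
    else:
        sys.exit(main())
```

Run it with `--demo` to see the four findings from the sample (the `[docs-example]` section is skipped because those are the documented placeholders), or install it as `.git/hooks/pre-commit` to block commits that contain real-looking keys. Like git-secrets, it is a last line of defense, not a substitute for keeping keys out of the repository's files in the first place.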

To set up an IAM user to get started, see Authenticate using long-term credentials.