AWS requires different types of security credentials, depending on how you access AWS and what type of AWS user you are. For example, you need a user name and password to sign in to the AWS Management Console, and you need access keys to make programmatic calls to AWS. Also, you can be an account root user, an AWS Identity and Access Management (IAM) user, an AWS IAM Identity Center (successor to AWS Single Sign-On) user, or a federated identity.

We strongly recommend that you do not use the root user for your everyday tasks. Safeguard your root user credentials and use them to perform the tasks that only the root user can perform. For the complete list of tasks that require you to sign in as the root user, see Tasks that require root user credentials.

You can access AWS using the following methods.

AWS Management Console sign-in page

Root and IAM users sign in through the AWS Management Console. The AWS Management Console provides a web-based user interface that you can use to create and manage your AWS resources.

To sign in as a root user

You need the email address used to create the AWS account and the password for the root user. For more information, see Signing in as the root user in the AWS Sign-In User Guide.

To sign in as an IAM user

The account owner provides you with the account ID or alias, your user name, and your password. For more information, see Signing in as an IAM user in the AWS Sign-In User Guide. For troubleshooting information, see Troubleshooting sign-in issues in the AWS Sign-In User Guide.

AWS access portal sign-in page

IAM Identity Center users sign in through the AWS access portal rather than the AWS Management Console. After you sign in through the AWS access portal, you can access your AWS account and applications. You can access cloud applications such as Office 365, Concur, and Salesforce through the AWS access portal. For more information, see the AWS IAM Identity Center (successor to AWS Single Sign-On) User Guide.
To sign in, you need a sign-in URL, user name, and password. Your administrator or help desk employee provides you with this information. Alternatively, if you created an IAM Identity Center user for your AWS account, you received an email invitation with the specific sign-in URL.

To sign in using the AWS access portal

For step-by-step directions, see Signing in to the AWS access portal in the AWS Sign-In User Guide.

Federated identity

Federated identities are users that can access secure AWS account resources with external identities. External identities can come from a corporate identity store (such as LDAP or Windows Active Directory) or from a third party (such as Login with Amazon, Facebook, or Google). Federated identities do not sign in with the AWS Management Console or AWS access portal. The type of external identity in use determines how federated identities sign in. For more information about federated identities, see About web identity federation in the IAM User Guide.

Administrators must create a custom URL that includes https://signin.aws.amazon.com/federation. For more information, see Enabling custom identity broker access to the AWS Management Console. Your administrator creates federated identities. Contact your administrator for more details about how to sign in using a federated identity.

Multi-factor authentication (MFA)

Multi-factor authentication (MFA) provides an extra level of security for users who can access your AWS account. For additional security, we recommend that you require MFA on the AWS account root user credentials and all IAM users. For more information, see Using Multi-Factor Authentication (MFA) in AWS in the IAM User Guide.

When you activate MFA and you sign in to your AWS account, you are prompted for your user name and password, plus a response generated by an MFA device, such as a code, a touch or tap, or a biometric scan. When you add MFA, your AWS account settings and resources are more secure.
By default, MFA isn't activated. You can activate and manage MFA devices for the AWS account root user by going to the Security credentials page or the IAM dashboard in the AWS Management Console. For more information about activating MFA for IAM users, see Enabling MFA Devices in the IAM User Guide. For more information about signing in with multi-factor authentication (MFA) devices, see Using MFA devices with your IAM sign-in page.

Programmatic access

When you use AWS programmatically, you provide your AWS access keys so that AWS can verify your identity in programmatic calls. Access keys can be either temporary (short-term) credentials or long-term credentials, such as for an IAM user or the AWS account root user.

Access keys

You provide your AWS access keys to make programmatic calls to AWS or to use the AWS Command Line Interface or AWS Tools for PowerShell. When you create a long-term access key, you create the access key ID (for example, AKIAIOSFODNN7EXAMPLE) and secret access key (for example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY) as a set. The secret access key is available for download only when you create it. If you don't download your secret access key or if you lose it, you must create a new one.

In many scenarios, you don't need long-term access keys that never expire (as you have with an IAM user). Instead, you can create IAM roles and generate temporary security credentials. Temporary security credentials include an access key ID and a secret access key, but they also include a security token that indicates when the credentials expire. After they expire, they're no longer valid. For more information, see Temporary access keys.

Access key IDs beginning with AKIA are long-term access keys for an IAM user or an AWS account root user. Access key IDs beginning with ASIA are temporary credentials access keys that you create using AWS STS operations.
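The AKIA/ASIA distinction and the expiring security token described above, applied as an added Python example that is not part of the AWS documentation. It audits a credentials file in the ~/.aws/credentials INI layout (the file contents are constructed; the AKIA pair is the documentation's placeholder pair and the ASIA entries are made up) and checks how long a temporary credential's Expiration timestamp has left against a fixed clock (EXAMPLE_NOW, also constructed). The profile names and the 300-second refresh margin are assumptions.

```python
"""Classify AWS access key IDs by prefix and audit a credentials file (added example)."""
import configparser
from datetime import datetime, timezone

# Constructed sample in the ~/.aws/credentials INI layout. The AKIA pair is the
# placeholder pair from the AWS documentation; the ASIA entries are made up.
SAMPLE_CREDENTIALS = """\
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[ci-temp]
aws_access_key_id = ASIAEXAMPLE000000001
aws_secret_access_key = EXAMPLETEMPORARYSECRETEXAMPLETEMPORARYSEC
aws_session_token = EXAMPLESESSIONTOKEN

[broken-temp]
aws_access_key_id = ASIAEXAMPLE000000002
aws_secret_access_key = EXAMPLETEMPORARYSECRETEXAMPLETEMPORARYSEC
"""

# Fixed clock so the expiry checks below are reproducible (constructed value).
EXAMPLE_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


def key_kind(access_key_id):
    """'long-term' for AKIA (IAM user or root), 'temporary' for ASIA (STS), else 'unknown'."""
    if access_key_id.startswith("AKIA"):
        return "long-term"
    if access_key_id.startswith("ASIA"):
        return "temporary"
    return "unknown"


def audit_credentials(text):
    """Return {profile: {"kind": ..., "issues": [...]}} for a credentials file body."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    findings = {}
    for profile in parser.sections():
        section = parser[profile]
        kind = key_kind(section.get("aws_access_key_id", ""))
        issues = []
        if kind == "long-term":
            issues.append("long-term key stored on disk: prefer a role with temporary "
                          "credentials, or rotate the key regularly")
        elif kind == "temporary" and "aws_session_token" not in section:
            # Temporary credentials are a triple; without the session token they are unusable.
            issues.append("ASIA key without aws_session_token")
        elif kind == "unknown":
            issues.append("unrecognised access key ID prefix")
        findings[profile] = {"kind": kind, "issues": issues}
    return findings


def seconds_until_expiry(expiration_iso, now=None):
    """Seconds left on a temporary credential given its Expiration timestamp (negative once expired)."""
    expires = datetime.fromisoformat(expiration_iso.replace("Z", "+00:00"))
    now = now or datetime.now(timezone.utc)
    return (expires - now).total_seconds()


def needs_refresh(expiration_iso, now=None, margin_seconds=300):
    """True when the credential is expired or will expire within the refresh margin."""
    return seconds_until_expiry(expiration_iso, now) <= margin_seconds


if __name__ == "__main__":
    for profile, result in audit_credentials(SAMPLE_CREDENTIALS).items():
        print(profile, result["kind"], "; ".join(result["issues"]) or "ok")
    print("refresh needed:", needs_refresh("2024-01-01T12:04:00Z", EXAMPLE_NOW))
```

Running the script lists one finding per profile: the long-term key is flagged for replacement or rotation, the ASIA key missing its session token is flagged as unusable, and the complete temporary profile passes. The refresh check reports True because the credential expires four minutes after EXAMPLE_NOW, inside the five-minute margin.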
Temporary access keys

You can create and use temporary access keys, known as temporary security credentials, for programmatic access requests. We recommend that you use temporary access keys over long-term access keys, as mentioned in the previous section. For more information, see Using temporary credentials with AWS resources in the IAM User Guide and Use temporary security credentials in the AWS Account Management Reference Guide.

You can use temporary access keys in less secure environments, or distribute them, to grant users temporary access to resources in your AWS account. For example, you can grant entities from other AWS accounts access to resources in your AWS account (cross-account access). You can also grant users who don't have AWS security credentials access to resources in your AWS account (federation). For more information, see aws sts assume-role.

Long-term access keys

You can assign up to two long-term access keys per user. It is useful to have two access keys when you want to rotate them. When you disable an access key, you can't use it, but it counts toward your limit of two access keys. After you delete an access key, it's gone forever and can't be restored, but it can be replaced with a new access key.

Unless there is no other option, we strongly recommend that you don't create long-term access keys for your root user. If a malicious user gains access to your root user access keys, they can completely take over your account.

Create long-term access keys

The procedures to create long-term access keys depend on whether you are the AWS account root user or an IAM user.

To create access keys for the AWS account root user

Follow the step-by-step directions in Creating and deleting access keys for the AWS account root user in the AWS Account Management Reference Guide.

To create access keys for IAM users

Follow the step-by-step directions in Managing access keys for IAM users in the IAM User Guide.
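The two-key limit and the rotation it exists for (create the replacement, move clients to it, set the old key Inactive, verify, then delete), worked through as an added Python example that is not part of the AWS documentation. It reads JSON shaped like the output of `aws iam list-access-keys` (the sample below is constructed, with placeholder key IDs), and returns the next rotation step for that user. MAX_KEY_AGE_DAYS is an assumed organisational rotation interval, not an AWS setting; the user name and the fixed clock are also constructed.

```python
"""Decide the next rotation step for a user's long-term access keys (added example)."""
import json
from datetime import datetime, timezone

MAX_KEYS_PER_USER = 2   # IAM limit: two long-term keys per user; Inactive keys still count
MAX_KEY_AGE_DAYS = 90   # assumed organisational rotation interval, not an AWS limit

# Constructed sample shaped like the JSON from `aws iam list-access-keys --user-name deploy`:
# a rotation in progress, where the old key has been set Inactive but not yet deleted.
SAMPLE_LIST_ACCESS_KEYS = json.dumps({
    "AccessKeyMetadata": [
        {"UserName": "deploy", "AccessKeyId": "AKIAEXAMPLEOLDKEY001",
         "Status": "Inactive", "CreateDate": "2023-09-01T00:00:00+00:00"},
        {"UserName": "deploy", "AccessKeyId": "AKIAEXAMPLENEWKEY002",
         "Status": "Active", "CreateDate": "2024-01-10T00:00:00+00:00"},
    ]
})

# Fixed clock so the age calculations are reproducible (constructed value).
EXAMPLE_NOW = datetime(2024, 2, 1, tzinfo=timezone.utc)


def parse_access_keys(list_output_json):
    """Turn list-access-keys JSON into [{'id', 'status', 'created'}] with aware datetimes."""
    data = json.loads(list_output_json)
    keys = []
    for meta in data["AccessKeyMetadata"]:
        created = datetime.fromisoformat(meta["CreateDate"].replace("Z", "+00:00"))
        keys.append({"id": meta["AccessKeyId"], "status": meta["Status"], "created": created})
    return keys


def next_rotation_step(keys, now):
    """Return (action, key_id) for the next step of a create -> switch -> deactivate -> delete rotation."""
    active = sorted((k for k in keys if k["status"] == "Active"), key=lambda k: k["created"])
    inactive = [k for k in keys if k["status"] == "Inactive"]
    if inactive:
        # An Inactive key is unusable but still occupies one of the two slots. Once nothing
        # has broken since it was disabled, delete it; deletion cannot be undone.
        return ("delete", inactive[0]["id"])
    if len(active) == MAX_KEYS_PER_USER:
        # Both slots hold live keys: move clients to the newer key, then disable the older one.
        # Disabling is reversible, so a missed client can be recovered by re-enabling the key.
        return ("deactivate", active[0]["id"])
    if active and (now - active[0]["created"]).days >= MAX_KEY_AGE_DAYS:
        # One ageing key and a free slot: create its replacement without hitting the limit.
        return ("create", active[0]["id"])
    return ("none", None)


if __name__ == "__main__":
    keys = parse_access_keys(SAMPLE_LIST_ACCESS_KEYS)
    print(next_rotation_step(keys, EXAMPLE_NOW))
```

For the sample user the answer is to delete the Inactive key, which frees the second slot for the next rotation. Feeding the same function a user with two Active keys yields the deactivation step for the older key, and a single key older than MAX_KEY_AGE_DAYS yields the creation step; the ordering matters because creating a key while an Inactive one still occupies a slot would be refused by the two-key limit.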
Considerations and alternatives for long-term access keys

For many common use cases, there are alternatives to long-term access keys. To improve your account security, consider the following.