When you use AWS programmatically, you provide your AWS access keys so that AWS can verify your identity in programmatic calls. Your access keys consist of an access key ID (for example, AKIAIOSFODNN7EXAMPLE) and a secret access key (for example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY). Anyone who has your access keys has the same level of access to your AWS resources that you do. Consequently, AWS goes to significant lengths to protect your access keys, and, in keeping with our shared-responsibility model, you should as well. The steps that follow can help you protect your access keys. For background information, see AWS security credentials.

Your organization may have different security requirements and policies than those described in this topic. The suggestions provided here are intended as general guidelines.

Protect or don't create your root user access key

You must use an access key (access key ID plus secret access key) to make programmatic requests to AWS, for example when using the AWS Command Line Interface, an AWS SDK, or direct API calls. Anyone who has the access keys for your AWS account root user has unrestricted access to all resources in your AWS account, including billing information. You can't reduce the permissions associated with the access key for the AWS account root user. For more information, see Lock away your AWS account root user access keys in the IAM User Guide.

Manage access keys for IAM users

Instead of sharing the credentials of the AWS account root user, create individual IAM users, granting each user only the permissions they require. For more information, see Managing Access Keys for IAM Users in the IAM User Guide. Observe these precautions when using access keys:
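Because a root user access key cannot be scoped down, its use in API calls is something to detect rather than merely discourage. The following check is an added example and not code from this documentation or from AWS: it walks a handful of constructed CloudTrail-shaped events (the field names userIdentity.type, userIdentity.accessKeyId, eventTime, eventSource and eventName are real CloudTrail fields; the values, the account ID and the non-documentation key IDs are made up) and labels each call as a root access-key call, a long-term IAM user key call, or a temporary credential call.

```python
"""Detection check for root and long-term access-key use in CloudTrail-style
events.  Added example, not AWS code; the events below are constructed samples
shaped like CloudTrail records, not real log data."""
from datetime import datetime, timezone

# Constructed sample events (field names follow the CloudTrail record format).
SAMPLE_EVENTS = [
    {
        "eventTime": "2024-05-01T10:00:00Z",
        "eventName": "ListBuckets",
        "eventSource": "s3.amazonaws.com",
        "userIdentity": {"type": "Root", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"},
    },
    {
        "eventTime": "2024-05-01T10:05:00Z",
        "eventName": "DescribeInstances",
        "eventSource": "ec2.amazonaws.com",
        "userIdentity": {"type": "IAMUser", "userName": "deploy",
                         "accessKeyId": "AKIAEXAMPLEUSERKEY01"},
    },
    {
        "eventTime": "2024-05-01T10:07:00Z",
        "eventName": "GetObject",
        "eventSource": "s3.amazonaws.com",
        "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLETEMPKEY01",
                         "arn": "arn:aws:sts::123456789012:assumed-role/DeployRole/ci"},
    },
    {
        "eventTime": "2024-05-01T10:09:00Z",
        "eventName": "ConsoleLogin",
        "eventSource": "signin.amazonaws.com",
        "userIdentity": {"type": "Root"},   # password sign-in, no access key involved
    },
]


def classify(event):
    """Return a risk label for one event based on who called and with which credential."""
    ident = event.get("userIdentity", {})
    key_id = ident.get("accessKeyId", "")
    if ident.get("type") == "Root" and key_id:
        return "root-access-key"        # unrestricted and cannot be scoped down: alert
    if ident.get("type") == "IAMUser" and key_id.startswith("AKIA"):
        return "long-term-key"          # valid until revoked; candidate for replacement by a role
    if key_id.startswith("ASIA"):
        return "temporary"              # STS credential that expires on its own
    return "no-access-key"


def summarize(events):
    """Count events per risk label and collect root access-key calls for alerting."""
    counts = {}
    root_calls = []
    for ev in events:
        label = classify(ev)
        counts[label] = counts.get(label, 0) + 1
        if label == "root-access-key":
            when = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
            when = when.replace(tzinfo=timezone.utc)
            root_calls.append((when.isoformat(), ev["eventSource"], ev["eventName"]))
    return counts, root_calls


if __name__ == "__main__":
    totals, alerts = summarize(SAMPLE_EVENTS)
    print(totals)
    for call in alerts:
        print("ALERT root access key used:", *call)
```

In a real deployment the same classification would run over events delivered from a CloudTrail trail; the point of the check is that any event in the "root-access-key" bucket should be zero in a healthy account, so a non-zero count is itself the alert.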
Use IAM roles instead of long-term access keys

In many scenarios, you don't need long-term access keys that never expire (as you have with an IAM user). Instead, you can create IAM roles and generate temporary security credentials. Temporary security credentials consist of an access key ID and a secret access key, but they also include a security token that indicates when the credentials expire. Long-term access keys, such as those associated with IAM users and AWS account root users, remain valid until you manually revoke them. However, temporary security credentials obtained through IAM roles and other features of the AWS Security Token Service expire after a short period of time. Use temporary security credentials to help reduce your risk in case credentials are accidentally exposed. Use an IAM role and temporary security credentials in these scenarios:
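The difference between a long-term key and a temporary credential is visible in the credential itself: IAM user keys begin with AKIA and carry no session token, while STS credentials begin with ASIA, are only usable together with their session token, and come with an Expiration timestamp. The audit below is an added example, not code from this documentation or from AWS. It parses a constructed credentials file in the ~/.aws/credentials layout (the AKIA values are the documentation's own example key; the ASIA key IDs, secrets and token are made up) and reports which profiles still hold long-term keys, and it computes the remaining lifetime of a credential dict shaped like the Credentials block of an STS AssumeRole response.

```python
"""Audit AWS credentials for long-term versus temporary credentials and check
STS expiry.  Added example, not AWS code; file contents are constructed."""
import configparser
from datetime import datetime, timezone

# Constructed credentials-file text in the ~/.aws/credentials layout.
# The [default] keys are the documentation's example values; the rest are made up.
SAMPLE_CREDENTIALS = """\
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[ci-role]
aws_access_key_id = ASIAEXAMPLETEMPKEY01
aws_secret_access_key = EXAMPLEtemporarySecretKey0000000000000000
aws_session_token = IQoJb3JpZ2luX2VjEXAMPLEsessiontoken

[broken]
aws_access_key_id = ASIAEXAMPLETEMPKEY02
aws_secret_access_key = EXAMPLEtemporarySecretKey1111111111111111
"""


def classify_profile(section):
    """Label one profile by the kind of credential it holds."""
    key_id = section.get("aws_access_key_id", "")
    has_token = bool(section.get("aws_session_token", ""))
    if key_id.startswith("AKIA"):
        return "long-term"       # IAM user key: never expires; rotate or replace with a role
    if key_id.startswith("ASIA"):
        # An ASIA key is only valid together with its session token.
        return "temporary" if has_token else "token-missing"
    return "unknown"


def audit_credentials(text):
    """Map each profile name in a credentials file to its credential label."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    return {name: classify_profile(parser[name]) for name in parser.sections()}


def seconds_until_expiry(sts_credentials, now):
    """Seconds left on a credential dict in the STS AssumeRole 'Credentials'
    shape (AccessKeyId, SecretAccessKey, SessionToken, Expiration).
    Negative means the credential has already expired."""
    expiration = sts_credentials["Expiration"]
    if isinstance(expiration, str):      # SDKs return a datetime; JSON output returns a string
        expiration = datetime.strptime(expiration, "%Y-%m-%dT%H:%M:%SZ")
        expiration = expiration.replace(tzinfo=timezone.utc)
    return (expiration - now).total_seconds()


if __name__ == "__main__":
    for profile, label in audit_credentials(SAMPLE_CREDENTIALS).items():
        print(f"{profile}: {label}")
    # Constructed STS-shaped credential, checked against a fixed clock.
    sts = {"AccessKeyId": "ASIAEXAMPLETEMPKEY01", "SecretAccessKey": "constructed",
           "SessionToken": "constructed", "Expiration": "2024-05-01T11:00:00Z"}
    clock = datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc)
    print("seconds until expiry:", seconds_until_expiry(sts, clock))
```

A profile labelled "long-term" is exactly the case the guidance above wants replaced by a role: the key stays valid until someone revokes it, whereas the "temporary" profile stops working on its own at the Expiration time.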
Access the mobile app using AWS access keys

You can access a limited set of AWS services and features using the AWS mobile app. The mobile app helps you support incident response while on the go. For more information and to download the app, see AWS Console Mobile Application. You can sign in to the mobile app using your console password or your access keys. As a best practice, do not use root user access keys. Instead, we strongly recommend that in addition to using a password or biometric lock on your mobile device, you create an IAM user to manage AWS resources. If you lose your mobile device, you can remove the IAM user's access. For more information about generating access keys for an IAM user, see Managing Access Keys for IAM Users in the IAM User Guide.

To sign in using access keys (mobile app)
Learn more

For more information about best practices for keeping your AWS account secure, see the following resources: