AWS Access Keys

The AWS VPC Wizard requires access keys to connect to the AWS API, where it retrieves and modifies VPC configurations.

See also

For more information about AWS security credentials, including access keys, see AWS Security Credentials.

Access keys consist of two parts:

  1. An access key ID

    • For example, AKIAIOSFODNN7EXAMPLE.

  2. A secret access key

    • For example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY.

Access keys are like a user name and password, and are needed for programmatic requests to AWS, including those made by the AWS VPC Wizard. Use the access key ID and the secret access key together to authenticate requests.

Important

Manage access keys as securely as a user name and password.

Managing Access Keys

To create, modify, or delete IAM user access keys, do the following:

  1. Sign in to the IAM console.

  2. In the navigation bar on the upper right, choose a user name, and then choose My Security Credentials.

  3. On the AWS IAM Credentials tab, in the Access keys for CLI, SDK, and API access section, choose Create access key.

  4. Choose Download .csv file to save the access key ID and secret access key to a .csv file on the client computer. Store the file in a secure location. The secret access key cannot be viewed again after this dialog box closes. After the .csv file has been downloaded, choose Close. When an access key is created, the key pair is active by default, and the pair can be used right away.

    • To disable an active access key, choose Make inactive.

    • To reenable an inactive access key, choose Make active.

    • To delete an access key, choose its X button at the far right of the row. Then choose Delete to confirm. When an access key is deleted, it’s gone forever and cannot be retrieved. However, new keys can always be created.

To create, modify, or delete another IAM user’s access keys, do the following:

  1. Sign in to the IAM console.

  2. In the navigation pane, choose Users.

  3. Choose the name of the user whose access keys to manage, and then choose the Security credentials tab.

  4. In the Access keys section, choose Create access key.

  5. Choose Download .csv file to save the access key ID and secret access key to a CSV file on your computer.

Rotating Access Keys

As a security best practice, regularly rotate (change) IAM user access keys. Rotating access keys can be done from the AWS Management Console.

To rotate access keys for an IAM user without interrupting applications (console), create a second access key while the first access key is still active:

  1. Sign in to the IAM console.

  2. In the navigation pane, choose Users.

  3. Choose the name of the user whose access keys to manage, and then choose the Security credentials tab.

  4. In the Access keys section, choose Create access key.

  5. Choose Download .csv file to save the access key ID and secret access key to a CSV file on the client computer.

  6. The new access key is active by default. At this point, the user has two active access keys.

After waiting some period of time to ensure that all applications and tools have been updated, delete the first access key:

  1. Sign in to the IAM console.

  2. In the navigation pane, choose Users.

  3. Choose the name of the user whose access keys to manage, and then choose the Security credentials tab.

  4. Locate the access key to delete and choose its X button at the far right of the row. Then choose Delete to confirm.

Determining When Access Keys Need Rotating

To determine when access keys need rotating (console), do the following:

  1. Sign in to the IAM console.

  2. In the navigation pane, choose Users.

  3. If necessary, add the Access key age column to the users table by completing the following steps:

    1. Above the table on the far right, click the settings icon.

    2. In Manage columns, select Access key age.

    3. Choose Close to return to the list of users.

  4. The Access key age column shows the number of days since the oldest active access key was created. Use this information to find users with access keys that need rotating. The column displays None for users with no access key.
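The same check can be scripted. The following is an added example, not part of the original page or of the AWS VPC Wizard: it computes the access key age (days since the oldest active key was created) per user and classifies where each user stands in the two-key rotation described above. The input is shaped like the AccessKeyMetadata entries returned by IAM ListAccessKeys; the sample records, the 90-day threshold, and all function and state names are assumptions.

```python
from datetime import datetime, timezone

MAX_AGE_DAYS = 90  # assumed rotation policy; the page does not set a number

def _key(user, key_id, status, y, m, d):
    return {"UserName": user, "AccessKeyId": key_id, "Status": status,
            "CreateDate": datetime(y, m, d, tzinfo=timezone.utc)}

# Constructed sample, shaped like AccessKeyMetadata from IAM ListAccessKeys.
SAMPLE_USERS = ["alice", "bob", "carol", "dave", "erin"]
SAMPLE_KEYS = [
    _key("alice", "AKIAEXAMPLE000000001", "Active", 2024, 5, 1),
    _key("bob", "AKIAEXAMPLE000000002", "Active", 2023, 11, 1),   # old key
    _key("bob", "AKIAEXAMPLE000000003", "Active", 2024, 5, 20),   # replacement
    _key("carol", "AKIAEXAMPLE000000004", "Inactive", 2023, 1, 1),
    _key("dave", "AKIAEXAMPLE000000005", "Active", 2024, 1, 1),
]
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

def active_key_ages(keys, now):
    """Ages in days of the active keys, oldest first."""
    return sorted(((now - k["CreateDate"]).days
                   for k in keys if k["Status"] == "Active"), reverse=True)

def access_key_age(keys, now):
    """Days since the oldest active key was created; None without one."""
    ages = active_key_ages(keys, now)
    return ages[0] if ages else None

def rotation_report(users, keys, now, max_age_days=MAX_AGE_DAYS):
    """Map each user to (access_key_age, state) for a rotation review."""
    report = {}
    for user in users:
        ages = active_key_ages([k for k in keys if k["UserName"] == user], now)
        if not ages:
            state = "none"             # no active key to rotate
        elif ages[0] <= max_age_days:
            state = "ok"
        elif ages[-1] <= max_age_days:
            state = "finish-rotation"  # fresh key exists, old one still active
        else:
            state = "rotate"           # create a second key, then delete the old one
        report[user] = (ages[0] if ages else None, state)
    return report

if __name__ == "__main__":
    for user, (age, state) in rotation_report(SAMPLE_USERS, SAMPLE_KEYS, SAMPLE_NOW).items():
        print(f"{user:6} age={age} state={state}")
```

The "finish-rotation" state catches rotations that stalled after the second key was created, leaving the old key usable.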