AWS Access Keys Explained: Risks, Rotation, and Safer Alternatives

AWS access keys are long-lived credentials that let scripts, CLI tools, and applications authenticate to the AWS API. Each access key has two parts (an access key ID and a secret access key) that work together like a username and password. They are powerful, but they are also one of the most common sources of AWS security incidents. In most situations, IAM roles or temporary credentials are safer alternatives.

This page covers what access keys are, how they work under the hood, when they are the right choice, and when you should reach for something else.

Simple explanation

The access key ID is a 20-character string starting with AKIA (for permanent keys) or ASIA (for temporary credentials from STS). The secret access key is a 40-character string that AWS shows you exactly once, at creation time. If you lose the secret, there is no way to recover it. You must delete the key and create a new one.

Warning

The secret access key is shown only once. AWS does not store it and cannot retrieve it for you. Copy it immediately to a password manager or a secrets manager like AWS Secrets Manager before closing the creation dialog.

How access keys work

When you run an AWS CLI command or make an SDK call, the tool uses your secret access key to compute an HMAC-SHA256 signature over the request details: the action, timestamp, headers, and payload. This signature is sent along with your access key ID in the request headers. AWS looks up the secret associated with your key ID, computes the same signature, and compares the two. If they match, the request is authenticated.

The secret access key never travels over the network after creation. Every API call uses it locally to sign requests, and AWS verifies the signature on its end. This is why losing the secret means it is gone forever.

Access keys can belong to two types of identities:

  • IAM users (the common case). Each IAM user can have up to two access keys.
  • The root user (the account owner). Root keys exist but should never be created. They have unrestricted access to everything in the account and cannot be scoped down with policies.
Warning

Never create access keys for the root user. If root keys are compromised, the attacker has full, unrestricted control over the account. Use IAM users or IAM Identity Center for day-to-day access, and protect the root account with MFA only.

When to use access keys

Access keys are appropriate when your code runs outside of AWS and cannot use an IAM role:

  • Local development. Running CLI commands or scripts on your laptop where no instance profile or execution role is available. Even here, IAM Identity Center is often better if your organization supports it.
  • On-premises servers. Applications on physical servers or non-AWS virtual machines that need to call AWS APIs. Consider IAM Roles Anywhere as a newer alternative that provides temporary credentials to on-prem workloads.
  • Legacy integrations. Older tools or third-party services that only support static credentials and cannot use OIDC federation or role assumption.
  • Terraform or IaC running locally. Infrastructure-as-code tools on a developer machine, though named profiles with Identity Center are preferable when available.
Tip

If your workload genuinely runs outside AWS and temporary credential options are not available, access keys are a legitimate choice. Rotate them regularly and follow the principle of least privilege when assigning permissions to the associated IAM user.

When not to use access keys

If your workload runs inside AWS, there is almost always a role-based alternative that eliminates the need for long-lived keys. Embedding access keys in AWS-hosted applications adds risk with no benefit. For the full picture on why, see why long-lived access keys are dangerous.

  • EC2 instances. Use an IAM role attached through an instance profile. The SDK picks up temporary credentials automatically from the instance metadata service.
  • Lambda functions. Use an execution role. Lambda populates temporary credentials in the function’s environment automatically. There is no reason to embed access keys in Lambda code or environment variables.
  • ECS and Fargate tasks. Use a task role. The ECS agent provides temporary credentials to each container.
  • EKS pods. Use IAM Roles for Service Accounts (IRSA) or EKS Pod Identity to bind an IAM role to a Kubernetes service account.
  • GitHub Actions and CI/CD. Use OIDC federation to assume an IAM role directly, with no stored secrets. GitHub, GitLab, and most CI providers support this natively.
  • Cross-account access. Use role assumption instead of sharing access keys between accounts.
Warning

If you find access keys hardcoded in a Lambda function, ECS task definition, or EC2 user data script, treat it as a security finding. Replace the keys with the appropriate role type and rotate or delete the exposed keys immediately.

Access keys vs IAM roles vs IAM Identity Center vs IAM Roles Anywhere

Choosing the right credential type depends on where your code runs and what your organization supports.

OptionBest forProsDrawbacksDefault choice?
IAM roles (instance profiles, execution roles, task roles)Workloads inside AWS (EC2, Lambda, ECS, EKS)No credentials in code; auto-rotation; short-livedOnly works inside AWSYes, for all AWS-hosted workloads
IAM Identity Center (formerly AWS SSO)Developer CLI access; multi-account orgsTemporary credentials; central login; integrates with corporate IdPRequires AWS Organizations setupYes, for human access in orgs that use it
OIDC federationCI/CD (GitHub Actions, GitLab CI)No stored secrets; temporary credentials; fine-grained trustRequires trust policy setup per providerYes, for CI/CD pipelines
IAM Roles AnywhereOn-premises servers with X.509 certificatesTemporary credentials for non-AWS workloads; no long-lived keysRequires PKI infrastructure and certificate managementPreferred over access keys for on-prem when feasible
Access keys (long-lived)Local dev without Identity Center; legacy integrationsSimple to set up; works everywhereNever expire; must be rotated manually; high risk if leakedLast resort when other options are unavailable
Note

The recommendation hierarchy: use IAM roles for AWS workloads, IAM Identity Center for human access, OIDC federation for CI/CD, IAM Roles Anywhere for on-prem, and access keys only when none of those options work.

Creating access keys

Access keys are created for IAM users. You must have an IAM user before you can create one. You can do this through the IAM console, the CLI, or the API. For more on managing IAM resources from the command line, see managing IAM with the AWS CLI.

Via the AWS CLI

aws iam create-access-key --user-name alice

The response includes both the access key ID and the secret:

{
  "AccessKey": {
    "UserName": "alice",
    "AccessKeyId": "AKIAIOSFODNN7EXAMPLE",
    "Status": "Active",
    "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "CreateDate": "2026-03-15T10:00:00Z"
  }
}

Via the console

In the IAM console, navigate to Users, select the user, choose the Security credentials tab, and click Create access key. The console shows the secret key once. Download the CSV or copy both values before closing.

Configuring the AWS CLI

The most common use case for access keys is configuring the AWS CLI on a local machine. The aws configure command prompts for the key and stores it in ~/.aws/credentials:

aws configure
# AWS Access Key ID [None]: AKIAIOSFODNN7EXAMPLE
# AWS Secret Access Key [None]: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
# Default region name [None]: us-east-1
# Default output format [None]: json

This writes two files:

# ~/.aws/credentials
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
# ~/.aws/config
[default]
region = us-east-1
output = json

Named profiles

If you work with multiple AWS accounts, use named profiles to keep credentials separate:

aws configure --profile staging
aws configure --profile production

Then target a specific account by passing the profile name:

aws s3 ls --profile production

You can also set the AWS_PROFILE environment variable to avoid passing —profile on every command:

export AWS_PROFILE=production
aws s3 ls

Environment variables

The CLI also reads credentials from environment variables, which override the credentials file:

export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
export AWS_DEFAULT_REGION=us-east-1
Note

Environment variables are common in CI/CD pipelines where you cannot write files to disk. Treat them as secrets: never log them and never include them in build output.

Managing access keys

List access keys

aws iam list-access-keys --user-name alice

This shows key IDs, status, and creation date, but never the secret. Use the IAM credential report to audit key age and last usage across all users:

aws iam generate-credential-report
aws iam get-credential-report --output text --query Content | base64 --decode
Tip

Run the credential report on a regular schedule (monthly at minimum). Look for keys older than 90 days and keys that have never been used. Stale, forgotten keys are one of the easiest attack vectors for an attacker who gains access to your environment.

Deactivate a key

aws iam update-access-key \
  --user-name alice \
  --access-key-id AKIAIOSFODNN7EXAMPLE \
  --status Inactive

Deactivating prevents a key from being used without deleting it permanently. This is useful when you suspect a key may be compromised but need time to investigate.

Delete a key

aws iam delete-access-key \
  --user-name alice \
  --access-key-id AKIAIOSFODNN7EXAMPLE
Note

Deleting a key is permanent and cannot be undone. If any application is still using that key, it will immediately lose access to AWS. Always deactivate first, wait, and only delete once you have confirmed nothing breaks.

How to rotate access keys safely

Because each IAM user can have two active access keys at a time, you can rotate without downtime. Follow this sequence:

  1. Create a new access key for the user while the old one is still active.
  2. Update all applications and scripts to use the new key.
  3. Verify the new key works by confirming successful API calls.
  4. Deactivate the old key. Do not delete it yet.
  5. Wait 24 to 48 hours to confirm nothing still relies on the old key.
  6. Delete the old key once you are confident it is no longer in use.
Tip

Access keys do not expire by default. AWS recommends rotating keys at least every 90 days. You can use the IAM credential report to identify stale keys. For secrets that applications retrieve at runtime, consider automatic rotation with Secrets Manager instead of manual key rotation.

What to do if an access key is exposed

If you discover that an access key has been committed to a public repository, posted in a message, or otherwise leaked, act immediately:

  1. Deactivate the key. Run aws iam update-access-key —status Inactive or use the console. Do this first, before anything else.
  2. Check CloudTrail. Review CloudTrail logs for unauthorized API calls made with the compromised key. Filter by access key ID to see exactly what was done.
  3. Assess the damage. Look at what resources the key had access to. Check for new IAM users, modified policies, launched instances, or unexpected data access. The guide on detecting suspicious activity covers what to look for.
  4. Create a replacement key if the application still needs one, and update all references.
  5. Delete the compromised key once all applications are updated.
  6. Remove the leaked copy. If the key was committed to Git, rewriting history may be necessary. If it was posted publicly, assume it has been scraped and act accordingly.
Warning

AWS actively scans public GitHub repositories for exposed access keys and may notify you or automatically quarantine the key. Do not wait for this notification. If you know a key is exposed, deactivate it immediately. Minutes matter.

Common mistakes

  1. Using access keys for workloads running inside AWS. If your code runs on EC2, Lambda, ECS, or EKS, it should use an IAM role. Embedding access keys in AWS-hosted applications adds risk with no benefit.
  2. Committing access keys to Git. This is one of the most common causes of AWS account compromise. Use .gitignore rules for credential files, and consider using git-secrets or similar pre-commit hooks to catch keys before they are pushed.
  3. Sharing one access key across multiple applications. If that key is compromised, every application that uses it is affected. Each application should have its own IAM user, or ideally its own role.
  4. Never rotating access keys. Keys do not expire by default. Set a rotation schedule and stick to it (90 days maximum).
  5. Keeping unused keys around. An access key that exists “just in case” is a credential an attacker can use. If a key is not actively in use, delete it.
  6. Creating root user access keys. Root access keys have unrestricted permissions that cannot be limited by IAM policies. Never create them. If root keys already exist, delete them and use IAM users or Identity Center instead.

Frequently asked questions

What is the difference between an access key ID and a secret access key?

The access key ID is a public identifier (like a username) that starts with AKIA for long-lived keys or ASIA for temporary ones. The secret access key is the private credential (like a password) used to sign requests. Both are required together to authenticate. The secret is shown only once at creation time and cannot be retrieved afterward.

Do IAM roles have access keys?

IAM roles do not have permanent access keys. When a role is assumed, AWS STS issues temporary credentials that include an access key ID, secret access key, and session token. These expire automatically, which is why roles are safer than long-lived access keys.

How many access keys can an IAM user have?

Each IAM user can have up to two access keys at a time. This limit exists so you can rotate keys without downtime. Create a new key, update your applications, verify, then delete the old key.

Should I use access keys or IAM Identity Center?

If your organization uses AWS Organizations, IAM Identity Center (formerly AWS SSO) is the better option. It provides temporary credentials through a central login, eliminates long-lived keys on developer machines, and integrates with corporate identity providers. Access keys make sense only when Identity Center is not available.

What should I do if I leaked an AWS access key?

Immediately deactivate the key in the IAM console or CLI. Then check CloudTrail for unauthorized activity using the key. Create a new key if the application still needs one, update all references, and delete the compromised key. If the key was committed to a public repository, treat the entire account as potentially compromised and audit thoroughly.

Last verified: 30 March 2026 Cloud services change frequently. Verify details against official documentation before making infrastructure decisions.