AWS Security Blog

Where’s My Secret Access Key?

by Jim Scharf | on | in Best Practices, How-to guides | | Comments

In this blog post, I’ll discuss what you should do in case you’ve lost your secret access key or need a new one. This post assumes that you are familiar with what access keys are. If you aren’t, see the AWS documentation about security credentials for a brief summary.

Our security policy on secret access keys

Secret access keys are—as the name implies—secrets, like your password. For your own security, AWS doesn’t reveal your password to you if you forgot it (you’d have to set a new password). Similarly, AWS does not allow retrieval of a secret access key after its initial creation. This applies to both root secret access keys and AWS Identity and Access Management (IAM) user secret access keys.

As a security best practice, you should securely store your secret access keys (see our best practices guide to learn how). If you have lost your secret access key, you can always replace it by creating a new access key.

How to replace a lost secret access key

Follow these simple steps:

Step 1: Create a new access key, which includes a new secret access key.

  • To create a new secret access key for your root account, use the security credentials page. Expand the Access Keys section, and then click Create New Root Key.
  • To create a new secret access key for an IAM user, open the IAM console. Click Users in the Details pane, click the appropriate IAM user, and then click Create Access Key on the Security Credentials tab.

Note: If you already have the maximum of two access keys—active or inactive—you must delete one first before proceeding. If you need more than two root access keys, IAM users (each of whom can be assigned their own access keys) would probably better suit your requirements.

Step 2: Download the newly created credentials, when prompted to do so in the key creation wizard.

Step 3: Make your unused access keys inactive in case you need to roll back, and then delete them when you’re sure that they’re no longer needed (after you have confirmed that they are not in use by any of your applications). The access key last used feature can help you validate if keys are still in use.

Note: Access keys in an “Inactive” state still count toward your maximum of two access keys at any given time.

A security suggestion

Remember IAM Best Practices: you should lock away your AWS root account credentials and use IAM users instead. You can create an IAM user that can do nearly anything that a root account can. The benefit of IAM is that you can control the permissions of an IAM user, or delete the user altogether, at any time. Therefore, we recommend that you use IAM users for everyday AWS activity, regardless of whether you access AWS via the console, APIs, CLI, or SDKs.

– Jim