AWS Identity and Access Management (IAM) lets you manage several types of long-term security credentials for IAM users:
- Passwords – Used to sign in to secure AWS pages, such as the AWS Management Console and the AWS Discussion Forums.
- Access keys – Used to make programmatic calls to AWS from the AWS APIs, AWS CLI, AWS SDKs, or AWS Tools for Windows PowerShell.
- Amazon CloudFront key pairs – Used for CloudFront to create signed URLs.
- SSH public keys – Used to authenticate to AWS CodeCommit repositories.
- X.509 certificates – Used to make secure SOAP-protocol requests to some AWS services.
You can assign AWS security credentials to your IAM users by using the API, CLI, or AWS Management Console. You can rotate or revoke these credentials whenever you want.
In addition to managing these user credentials, you can further enhance the security of IAM user access to AWS by enforcing the use of multi-factor authentication (MFA).
For more information about using long-term security credentials in AWS, see About AWS Security Credentials.
Temporary security credentials
IAM also lets you grant users temporary security credentials with a defined expiration for access to your AWS resources. For example, temporary access is useful when:
- Creating a mobile app with third-party sign-in.
- Creating a mobile app with custom authentication.
- Using your organization's authentication system to grant access to AWS resources.
- Using your organization's authentication system and SAML to grant access to AWS resources.
- Using web-based Single Sign-On (SSO) to the AWS Management Console.
- Delegating API access to third parties to access resources in your account or in another account you own.
For more information on temporary security credentials, see the Using Temporary Security Credentials guide.