MFA, Access Keys, and Temporary Credentials
Learn how Console, CLI, and SDK authentication works and how to choose the safest credential method for each.
All services used in this lesson are covered by the AWS Free Tier.
How credentials work in AWS
Console sign-in normally uses a password plus MFA. Programmatic access uses either long-term access keys or, preferably, temporary credentials.
Three ways people authenticate in AWS
| Method | Used for | Expires? | AWS guidance |
|---|---|---|---|
| Password + MFA | Console sign-in for humans | Session-based | Always enable MFA on human accounts |
| Access keys | Programmatic access via CLI and SDK | Never — must be rotated manually | Avoid where possible; high risk if leaked or forgotten |
| Temporary credentials | Roles, federation, workloads | Yes — automatically | Strongly preferred by the AWS Well-Architected Security pillar |
What to use when
| Context | Use this | Why it's safer | Avoid |
|---|---|---|---|
| AWS Console (human) | Password + MFA | Strong second factor on every sign-in | Using root for daily tasks |
| AWS CLI (human) | IAM Identity Center (SSO) profile | Delivers temporary credentials — no long-term keys on disk | Storing permanent access keys in ~/.aws/credentials |
| App code running on AWS | IAM role attached to the service | Temporary credentials injected automatically, nothing to store | Hardcoded keys in source code or config files |
| App code running outside AWS | Federation or short-lived credentials | Limits blast radius if credentials are leaked | Shipping long-term keys to user devices or CI environments |
Tip
Whenever you have a choice, pick temporary credentials. They expire on their own — so a leaked credential has a limited window of harm.
AWS CLI the modern way: Identity Center and single sign-on
The AWS CLI can be configured to authenticate through IAM Identity Center, so it retrieves short-lived credentials without you managing long-term keys.
SSO setup and login flow
If you must use access keys
You will sometimes encounter situations where access keys are still in use. If that happens:
Hard rules — no exceptions
- Do not create access keys for the root user
- Do not put access keys in application code or commit them to a repository
- Do not share access keys between people — each identity must have its own credentials
When you have no choice
Apply all of these — not just some:
- Grant the minimum permissions required, nothing broader (least privilege)
- Prefer temporary credentials wherever you can substitute them
- If a key is exposed: deactivate it immediately, issue a replacement, and review CloudTrail for unauthorized activity
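Added example, not part of the lesson: a shell script that writes the Identity Center profile described in the CLI section into an `~/.aws/config`-style file, then audits a credentials file for the long-term keys these rules say should not be on disk. The start URL, account id, role name and key values are placeholders I made up.

```shell
#!/usr/bin/env bash
# Added example (not from the lesson). Writes an SSO-backed CLI profile and audits a
# credentials file for long-term keys. All URLs, ids and key values are placeholders.
set -eu
WORK="$(mktemp -d)"
# 1. An Identity Center profile: after `aws sso login`, the CLI fetches short-lived
#    credentials for the role, so nothing permanent is stored on disk.
write_sso_config() {
  cat > "$1" <<'EOF'
[sso-session my-sso]
sso_start_url = https://EXAMPLE-PLACEHOLDER.awsapps.com/start
sso_region = us-east-1
[profile dev]
sso_session = my-sso
sso_account_id = 111111111111
sso_role_name = ReadOnlyAccess
region = us-east-1
EOF
}
# 2. Audit: print profiles in a credentials file that hold a long-term key, i.e. an
#    aws_access_key_id with no aws_session_token. Entries with a session token are
#    temporary credentials and are not reported.
find_longterm_keys() {
  awk '
    /^\[/ { flush(); name = substr($0, 2, length($0) - 2); next }
    /^aws_access_key_id[[:space:]]*=/ { key = 1 }
    /^aws_session_token[[:space:]]*=/ { tok = 1 }
    END { flush() }
    function flush() { if (name != "" && key && !tok) print name; key = 0; tok = 0 }
  ' "$1"
}
# Constructed sample credentials file: one long-term key, one temporary credential.
CREDS="$WORK/credentials"
cat > "$CREDS" <<'EOF'
[legacy]
aws_access_key_id = AKIAEXAMPLEPLACEHOLDER
aws_secret_access_key = EXAMPLE-SECRET-PLACEHOLDER
[assumed-role]
aws_access_key_id = ASIAEXAMPLEPLACEHOLDER
aws_secret_access_key = EXAMPLE-SECRET-PLACEHOLDER
aws_session_token = EXAMPLE-TOKEN-PLACEHOLDER
EOF
write_sso_config "$WORK/config"
echo "Profiles holding long-term keys (rotate, then replace with an SSO profile):"
find_longterm_keys "$CREDS"
# With the real profile in place: aws sso login --profile dev && aws sts get-caller-identity --profile dev
```

Only `legacy` is reported; the `assumed-role` entry carries a session token and so is already a temporary credential.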
Micro-activity 1: Pick the right credential method
Micro-activity 2: Build your "learning account access plan"
Fill this out before doing any AWS labs.
Summary
- MFA is a best practice for securing interactive access
- AWS recommends temporary credentials (roles, federation) over long-term access keys when possible
- Root access keys are strongly discouraged
- IAM Identity Center can configure AWS CLI authentication so the CLI retrieves credentials without you managing long-term keys