- 最新
- 最多得票
- 最多評論
Access keys are long-term credentials for an IAM user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API (directly or using the AWS SDK).
As a best practice, use temporary security credentials (IAM roles) instead of access keys. Please refer to section "Use IAM roles instead of long-term access keys" in the following link for more details: https://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html
It is a matter of what kind of access is needed. AWS requires different types of security credentials depending on how you access AWS. For example, you need a user name and password to sign in to the AWS Management Console and you need access keys to make programmatic calls to AWS or to use the AWS Command Line Interface or AWS Tools for PowerShell.
Additionally, You can also create and use temporary access keys, known as temporary security credentials. In addition to the access key ID and secret access key, temporary security credentials include a security token that you must send to AWS when you use temporary security credentials.
Hope this helps.
AWS requires different types of security credentials depending on how you access AWS. The article understanding and getting your AWS credentials explains the various types of credentials and covers username/password and programmatic credentials.
None of the answers really address your question other than saying "it's best practice to use keys instead of username/password". The intuitive response to your actual question is that programmatic access can be more prone to a user mistakenly exposing their access credentials. If that were to happen, the "blast radius" of exposing keys is smaller than exposing the password. Why? Because the keys are only useful for accessing AWS whereas a username/password could potentially be used to access other accounts (even outside AWS) owned by the user — either directly or by social engineering.
相關內容
AWS 官方已更新 3 年前