Amazon EC2 uses a variety of credentials for different purposes. This section describes major tasks you might perform with EC2 and the credentials required to perform them.
To sign up for services, view your bills, perform account-based tasks, and get many of your security credentials, you will need your standard Amazon login and password. For more information, see How to Log In with Your Amazon Login and Password.
| Note |
|---|
| We also provide AWS Multi-Factor Authentication, which requires a physical device and passcode to log in to your AWS account. For more information, go to http://aws.amazon.com/mfa. |
The credentials you need to launch and administer instances depend on the interface you're using.
To launch and administer Amazon EC2 instances through the AWS Management Console, you only need the Amazon login and password. For more information, see How to Log In with Your Amazon Login and Password.
Launching and administering Amazon EC2 instances through the Query API and many UI-based tools (e.g., ElasticFox) requires the Access Key ID and Secret Access Key. For more information, see How to Get Your Access Key ID and Secret Access Key.
Launching and administering Amazon EC2 instances through the SOAP API and command line interface (i.e., API tools) requires an X.509 certificate and private key, which can be generated by AWS. For more information, see How to Create an X.509 Certificate and Private Key.
To connect to your instances, you need the following:
Amazon EC2 Key Pair—Enables you to connect to Linux/UNIX instances through SSH. For more information, see SSH Key Pair.
Windows administrator password (Windows only)—Provides the "first-use" password that enables you to connect to a Windows instance through Remote Desktop. For more information, see Windows Administrator Password.
To enable other AWS accounts to use your Amazon EC2 AMIs and Amazon EBS snapshots, you need their AWS Account IDs. For information on how to get the AWS Account ID associated with your account, see Viewing Your Account ID.
To bundle Amazon EC2 instance store-backed Linux/UNIX instances, you need your AWS Account ID, and your X.509 certificate and private key. For information about viewing your Account ID, see Viewing Your Account ID. For information about getting an X.509 certificate and private key, see How to Create an X.509 Certificate and Private Key.
To bundle Amazon EC2 instance store-backed Windows instances, you need your Amazon login and password to access the AWS Management Console. For information about the Amazon login and password, see How to Log In with Your Amazon Login and Password.
The Amazon login and password enable you to sign up for services, view your bills, perform account-based tasks, and get many of your security credentials. You also use the login and password to perform Amazon EC2 tasks through the AWS Management Console.
This section describes how to log in with your login and password.
To log in with your login and password (if you have an existing account)
Go to the AWS Web Site.
Select an option from the Your Account menu. The Amazon Web Services Sign In page appears.
Enter your email address, select I am a returning user and my password is, enter your password, and click the Sign In button.
To get a new Amazon login and password (create a new AWS account)
Go to the AWS Web Site.
Click Create an AWS Account.
The Amazon Web Services Sign In page appears.
Select I am a new user and click the Sign In button.
Follow the on-screen prompts to create a new account.
| Note |
|---|
| It is important to keep your Amazon login and password secret, as they can be used to view and create new credentials. As an increased security measure, we offer Multi-Factor Authentication, which uses the combination of a physical device and passcode to log in to your AWS account. For more information, go to http://aws.amazon.com/mfa. |
The Access Key ID and Secret Access Key are the most commonly used set of AWS credentials. They are used to make Query and REST-based requests and are commonly used by UI-based tools, such as ElasticFox. You can use up to two sets of Access Keys at a time. You can generate new keys at any time or disable existing keys.
To get your Access Key ID and Secret Access Key
Go to the AWS Web Site.
Point to Your Account and select Security Credentials.
If you are not already logged in, you are prompted to do so.
Scroll down to the Access Credentials section and verify the Access Keys tab is selected.
Locate an active Access Key in the Your Access Keys list.
To display the Secret Access Key, click Show in the Secret Access Key column.
Write down the keys or save them.
If there are no Access Keys in the list, click Create a New Access Key and follow the on-screen prompts.
The X.509 Certificate and Private Key are used by the command line tools and the SOAP API. You can download the private key file only once. If you lose it, you will need to create a new certificate. Up to two certificates (active or inactive) are allowed at any time.
This section describes how to create a new certificate.
To create a certificate
Go to the AWS Web Site.
Point to Your Account and select Security Credentials.
If you are not already logged in, you are prompted to do so.
Click the X.509 Certificates tab.
Click Create a New Certificate and follow the on-screen prompts.
The new Certificate is created and appears in the X.509 Certificate list. You are prompted to download the certificate and private key files.
Create a .ec2 directory in your home directory, and save these files to it with the filenames offered by your browser.
You should end up with a PEM-encoded X.509 certificate and a private key file.
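The private key saved in the last step can be downloaded only once and authenticates SOAP and command line requests, so the `.ec2` directory should be readable by its owner alone. The following check is an added example, not part of the original AWS documentation; it assumes every `*.pem` file in the directory is either the certificate or the private key, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit the ~/.ec2 directory created in the procedure above.
# Assumption: each *.pem file there is either the certificate or the private key.

# group_other_bits PATH -> the six group/other permission characters, e.g. "r--r--"
group_other_bits() { ls -ld -- "$1" | cut -c5-10; }

# pem_kind FILE -> prints "private-key", "certificate" or "unknown"
pem_kind() {
    case "$(head -n 1 "$1" | tr -d '\r')" in
        "-----BEGIN "*"PRIVATE KEY-----") echo private-key ;;
        "-----BEGIN CERTIFICATE-----")    echo certificate ;;
        *)                                echo unknown ;;
    esac
}

# audit_ec2_dir DIR -> prints one line per finding, returns the number of findings
audit_ec2_dir() {
    dir=$1; findings=0
    # The directory itself should not be listable or writable by anyone else.
    if [ "$(group_other_bits "$dir")" != "------" ]; then
        echo "DIR  $dir is accessible to group/other (chmod 700)"
        findings=$((findings + 1))
    fi
    for f in "$dir"/*.pem; do
        [ -f "$f" ] || continue
        case "$(pem_kind "$f")" in
            private-key)
                # Anyone who can read this file can act as the account.
                if [ "$(group_other_bits "$f")" != "------" ]; then
                    echo "KEY  $f is accessible beyond its owner (chmod 600)"
                    findings=$((findings + 1))
                fi ;;
            certificate) : ;;   # public material, no permission requirement
            unknown)
                # Truncated download or a file that is not PEM-encoded.
                echo "PEM  $f does not start with a PEM header"
                findings=$((findings + 1)) ;;
        esac
    done
    return "$findings"
}

# Run against the real directory when it exists.
if [ -d "$HOME/.ec2" ]; then
    audit_ec2_dir "$HOME/.ec2" || echo "findings: $?"
fi
```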
You must create an RSA public/private key pair, which you use to ensure that only you have access to instances that you launch.
You have two options for getting this key pair:
Generate it yourself with a third-party tool such as OpenSSH, and then import the public key to AWS using either the ec2-import-keypair command or the ImportKeyPair action.
Have AWS generate the key pair for you using the AWS Management Console, the ec2-add-keypair command, or the CreateKeyPair action.
With either option, AWS doesn't store a copy of the private key. Amazon EC2 only stores the public key, and associates it with a friendly key pair name you specify. Whenever you launch an instance using the key pair name, the public key is copied to the instance metadata. This allows you to access the instance securely using your private key.
For information on how to create key pairs, see Getting an SSH Key Pair.
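For the first option, the local steps before the import can look like the following. This is an added example, not from the original AWS documentation: the function names are hypothetical, the key name, directory and passphrase are supplied by the caller, and nothing here contacts AWS.

```shell
#!/bin/sh
# Added example: generate the RSA key pair locally with OpenSSH and check
# what will be handed to the import step. Requires ssh-keygen on PATH.

# make_keypair DIR NAME PASSPHRASE -> writes DIR/NAME (private) and DIR/NAME.pub
# Interactive use: drop -N so ssh-keygen prompts and the passphrase stays out of argv.
make_keypair() {
    ( umask 077                       # private key is created owner-only
      ssh-keygen -q -t rsa -b 2048 -N "$3" -C "$2" -f "$1/$2" )
}

# pub_matches_private PRIVATE_KEY PASSPHRASE -> 0 if PRIVATE_KEY.pub belongs to it
# Compares key type and base64 blob only; the trailing comment field is ignored.
pub_matches_private() {
    derived=$(ssh-keygen -y -P "$2" -f "$1" | cut -d' ' -f1,2)
    stored=$(cut -d' ' -f1,2 "$1.pub")
    [ -n "$derived" ] && [ "$derived" = "$stored" ]
}

# safe_to_import FILE -> 0 only if FILE holds an RSA public key line
# Guards against passing the private key file to the import step by mistake.
safe_to_import() {
    case "$(head -n 1 "$1")" in
        "ssh-rsa "*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Usage (not executed here):
#   make_keypair "$HOME/.ssh" my-ec2-key "$passphrase"
#   pub_matches_private "$HOME/.ssh/my-ec2-key" "$passphrase" &&
#       safe_to_import "$HOME/.ssh/my-ec2-key.pub"
#   then import my-ec2-key.pub with ec2-import-keypair or ImportKeyPair
```

Only the `.pub` file is passed to the import; the private key stays on the machine that generated it.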
The Windows administrator password is used to access a Windows instance through Remote Desktop (RDP) for the first time only. If you change the password or rebundle the AMI, the instance will use the last set password. For information on how to get the Windows administrator password to connect to a Windows instance through RDP using the AWS Management Console, see Connecting to Windows Instances.
The Account ID identifies your account to AWS and enables other accounts to access resources that you want to share, such as Amazon EC2 AMIs and Amazon EBS snapshots.
To view your Account ID
Go to the AWS Web Site.
Point to Your Account and select Security Credentials.
If you are not already logged in, you are prompted to do so.
Scroll down to the Account Identifiers section.
Locate your AWS Account ID.
For information on how to share AMIs, see Sharing AMIs Safely. For information on how to share snapshots, see Modifying Snapshot Permissions.
| Note |
|---|
| The Account ID number is not a secret. When granting access to resources, make sure to specify the Account ID without hyphens. The canonical user ID is used by Amazon S3. |