Because you use a physical key instead of the six-digit code, security keys strengthen the two-factor authentication process and help prevent your second authentication factor from being intercepted or requested by an attacker.
Keep your security keys in a safe place, and consider keeping a security key in more than one place. For example, keep one key at home and one key at work. If you're traveling, you might want to leave one of your security keys at home.
To stop using security keys: Open the Settings app, tap your name, then tap Sign-in & Security. Tap Two-Factor Authentication, tap Security Keys, then tap Remove All Security Keys. If you remove all security keys, your Apple ID reverts to using the six-digit verification code for two-factor authentication.
To stop using security keys: Open System Settings, click your name, then click Sign-in & Security. Click Two-Factor Authentication, click Security Keys, then click Remove All Security Keys. If you remove all security keys, your Apple ID reverts to using the six-digit verification code for two-factor authentication.
When you generate an SSH key, you can add a passphrase to further secure the key. Whenever you use the key, you must enter the passphrase. If your key has a passphrase and you don't want to enter the passphrase every time you use the key, you can add your key to the SSH agent. The SSH agent manages your SSH keys and remembers your passphrase.
RSA keys (ssh-rsa) with a valid_after before November 2, 2021 may continue to use any signature algorithm. RSA keys generated after that date must use a SHA-2 signature algorithm. Some older clients may need to be upgraded in order to use SHA-2 signatures.
When you're prompted to "Enter a file in which to save the key", you can press Enter to accept the default file location. Note that if you created SSH keys previously, ssh-keygen may ask whether to overwrite an existing key, in which case we recommend creating a custom-named SSH key instead. To do so, type the default file location and replace id_ALGORITHM with your custom key name.
Before adding a new SSH key to the ssh-agent to manage your keys, you should have checked for existing SSH keys and generated a new SSH key. When adding your SSH key to the agent, use the default macOS ssh-add command, and not an application installed by macports, homebrew, or some other external source.
As a best practice, use temporary security credentials (such as IAM roles) instead of creating long-term credentials like access keys. Before creating access keys, review the alternatives to long-term access keys.
Access keys are long-term credentials for an IAM user or the AWS account root user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API (directly or using the AWS SDK). For more information, see Signing AWS API requests.
Access keys consist of two parts: an access key ID (for example, AKIAIOSFODNN7EXAMPLE) and a secret access key (for example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY). You must use both the access key ID and secret access key together to authenticate your requests.
When you create an access key pair, save the access key ID and secret access key in a secure location. The secret access key is available only at the time you create it. If you lose your secret access key, you must delete the access key and create a new one. For more details, see Resetting lost or forgotten passwords or access keys for AWS.
Manage your access keys securely. Do not provide your access keys to unauthorized parties, even to help find your account identifiers. By doing this, you might give someone permanent access to your account.
(Optional) Set a description tag value for the access key. This adds a tag key-value pair to your IAM user. This can help you identify and update access keys later. The tag key is set to the access key id. The tag value is set to the access key description that you specify. When you are finished, choose Create access key.
On the Retrieve access keys page, choose either Show to reveal the value of your user's secret access key, or Download .csv file. This is your only opportunity to save your secret access key. After you've saved your secret access key in a secure location, choose Done.
In the Access keys section find the key you want to deactivate, then choose Actions, then choose Deactivate. When prompted for confirmation, choose Deactivate. A deactivated access key still counts toward your limit of two access keys.
In the Access keys section, find the key you want to delete, then choose Actions, then choose Delete. Follow the instructions in the dialog to first Deactivate and then confirm the deletion. We recommend that you verify that the access key is no longer in use before you permanently delete it.
To create an access key, choose Create access key. If the button is deactivated, then you must delete one of the existing keys before you can create a new one. On the Access key best practices & alternatives page, review the best practices and alternatives. Choose your use case to learn about additional options which can help you avoid creating a long-term access key. If you determine that your use case still requires an access key, choose Other and then choose Next. On the Retrieve access key page, choose Show to reveal the value of your user's secret access key. To save the access key ID and secret access key to a .csv file to a secure location on your computer, choose the Download .csv file button. When you create an access key for your user, that key pair is active by default, and your user can use the pair right away.
As a security best practice, we recommend that you update IAM user access keys when needed, such as when an employee leaves your company. IAM users can update their own access keys if they have been granted the necessary permissions.
For details about granting IAM users permissions to update their own access keys, see AWS: Allows IAM users to manage their own password, access keys, and SSH public keys on the My security credentials page. You can also apply a password policy to your account to require that all of your IAM users periodically update their passwords and how often they must do so. For more information, see Setting an account password policy for IAM users.
(Optional) Set a description tag value for the access key to add a tag key-value pair to this IAM user. This can help you identify and update access keys later. The tag key is set to the access key id. The tag value is set to the access key description that you specify. When you are finished, choose Create access key.
In the Access keys section for the access key you want to delete, choose Actions, and then choose Delete. Follow the instructions in the dialog to first Deactivate and then confirm the deletion.
The Access key age column shows the number of days since the oldest active access key was created. You can use this information to find users with access keys that might need to be updated or deleted. The column displays None for users with no access key.
Anyone who has your access keys has the same level of access to your AWS resources that you do. Consequently, AWS goes to significant lengths to protect your access keys, and, in keeping with our shared-responsibility model, you should as well.
One of the best ways to protect your account is to not have access keys for your AWS account root user. Unless you must have root user access keys (which is rare), it is best not to generate them. Instead, create an administrative user in AWS IAM Identity Center for daily administrative tasks. For information about how to create an administrative user in IAM Identity Center, see Getting started in the IAM Identity Center User Guide.
If you already have root user access keys for your account, we recommend the following: Find places in your applications where you are currently using access keys (if any), and replace the root user access keys with IAM user access keys. Then disable and remove the root user access keys. For more information about how to update access keys, see Updating access keys.
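The checks described above (access key age, confirming a key is no longer in use before deleting it, and root user access keys) can be run in bulk over the IAM credential report CSV. This is an added example, not code from the original documentation; the sample rows are constructed, and the 90-day thresholds and the function name `audit_access_keys` are assumptions.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample using the IAM credential report column names
# (only the columns this check reads; the real report has more).
SAMPLE_REPORT = """\
user,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,true,2019-03-01T10:00:00+00:00,2024-01-05T08:00:00+00:00,false,N/A,N/A
alice,true,2023-12-01T09:00:00+00:00,2024-01-09T12:00:00+00:00,false,N/A,N/A
build-bot,true,2022-06-15T09:00:00+00:00,N/A,true,2023-11-20T09:00:00+00:00,2024-01-10T07:30:00+00:00
carol,false,N/A,N/A,false,N/A,N/A
"""

def _parse(ts):
    """Return a datetime for an ISO 8601 field, or None for 'N/A' and similar."""
    try:
        return datetime.fromisoformat(ts)
    except ValueError:
        return None

def audit_access_keys(report_csv, now, max_age_days=90, idle_days=90):
    """Return (user, key_slot, finding) tuples for active access keys.

    The thresholds are assumed values; set them to your own policy.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        for slot in ("1", "2"):
            # Deactivated keys cannot sign requests, so only active ones are audited.
            if row[f"access_key_{slot}_active"] != "true":
                continue
            if user == "<root_account>":
                findings.append((user, slot, "root-key"))
            created = _parse(row[f"access_key_{slot}_last_rotated"])
            if created and (now - created).days > max_age_days:
                findings.append((user, slot, "old"))
            used = _parse(row[f"access_key_{slot}_last_used_date"])
            if used is None:
                findings.append((user, slot, "never-used"))
            elif (now - used).days > idle_days:
                findings.append((user, slot, "idle"))
    return findings

if __name__ == "__main__":
    as_of = datetime(2024, 1, 15, tzinfo=timezone.utc)  # fixed date for the sample
    for finding in audit_access_keys(SAMPLE_REPORT, as_of):
        print(*finding)
```

A key flagged `never-used` or `idle` is a candidate for the deactivate-then-delete flow; one flagged `root-key` should be replaced and removed as recommended above.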
In many scenarios, you don't need long-term access keys that never expire (as you have with an IAM user). Instead, you can create IAM roles and generate temporary security credentials. Temporary security credentials consist of an access key ID and a secret access key, but they also include a security token that indicates when the credentials expire.
Long-term access keys, such as those associated with IAM users and the root user, remain valid until you manually revoke them. However, temporary security credentials obtained through IAM roles and other features of the AWS Security Token Service expire after a short period of time. Use temporary security credentials to help reduce your risk in case credentials are accidentally exposed.
You have an application or AWS CLI scripts running on an Amazon EC2 instance. Don't use access keys directly in your application. Don't pass access keys to the application, embed them in the application, or let the application read access keys from any source. Instead, define an IAM role that has appropriate permissions for your application and launch the Amazon Elastic Compute Cloud (Amazon EC2) instance with roles for EC2. Doing this associates an IAM role with the Amazon EC2 instance. This practice also enables the application to get temporary security credentials that it can in turn use to make programmatic calls to AWS. The AWS SDKs and the AWS Command Line Interface (AWS CLI) can get temporary credentials from the role automatically.