There are different types of security credentials based on how we interact with AWS - Management Console or tools such as CLI or SDKs.
Signon Credentials: Email and Password
Email and password created during signup are used to login to pages such as the AWS Management Console, AWS discussion forums, or AWS support center.
Root credentials have full access to all resources in the account. Therefore it is good to also setup AWS Multi-Factor Authentication (MFA).
With AWS MFA enabled, when you sign in, you are also prompted an authentication code from an MFA device (e.g. dedicated device or a smart phone).
MFA is not enabled by default. It can be enabled and managed for AWS root account from the Security Credentials page or the IAM dashboard.
MFA can also be enabled for IAM users.
You can change the email address and password on the Security Credentials page. You have also a ‘Forgot your password’ option.
Access credentials are used along with APIs and tools. Access credentials include access keys and key pairs.
Access keys consist of an access key ID and a secret access key, that can be used to sign programmatic requests that you make to AWS through AWS SDKs, REST, or Query APIs etc., or from the CLI.
Temporary Access Keys
You can also create and use temporary access keys using Security Token Service (STS), which are short-term temporary security credentials.
Key pairs are used only for handful of services such as Amazon EC2 and Amazon CloudFront.
Key pairs consist of a public key and a private key. The private key is used to create a digital signature, and AWS can then use the corresponding public key to validate the signature.
IAM user identities
When multiple individuals or applications need access to the AWS account, AWS Identity and Access Management (IAM) should be used to create unique IAM user identities.
It is a good practice not to use the root credentials, but create IAM users with just enough permissions as required.
Read more about IAM users @ http://docs.aws.amazon.com/IAM/latest/UserGuide/id.html.