AWS

Find & Remove AWS Credentials on Windows — Safe Guide

A friendly, practical walkthrough to locate AWS credentials on a Windows machine, remove them safely, and a secure alternative: use EC2 instance profiles (IAM roles).

Why this matters

Hard-coded or leftover AWS credentials on a machine risk accidental leaks or misuse. This page helps you locate common storage places, remove credentials you own, then lock things down with safer options.

Common places AWS credentials are stored on Windows

%USERPROFILE%\.aws\credentials — AWS CLI & SDK default credentials file (most common).
%USERPROFILE%\.aws\config — Named profiles and region settings.
Environment variables — AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN (user or system scope).
Windows Credential Manager — Some tools store generic credentials here.
IDE config / settings — VS Code settings.json, JetBrains credentials, or extension storage.
Application-specific files — Scripts, .env files, local config files, or build pipelines.
PowerShell profiles or modules — e.g., stored when using AWS Tools for PowerShell.

If you are not the owner of the machine or do not have permission, do not attempt to access another person's credentials. This guide assumes you're cleaning up your own environment.

Locating the usual suspects (quick)

Open PowerShell (as your user) and run the following commands to check the most common locations.

Check the default AWS files

type "$env:USERPROFILE\.aws\credentials"

Check environment variables (current shell)

Get-ChildItem Env: | Where-Object { $_.Name -match "^AWS_" }

Check Windows Credential Manager (manual)

Open Control Panel → User Accounts → Credential Manager → Windows Credentials / Generic Credentials and look for entries mentioning AWS, Amazon, or specific tool names.

Search common file patterns (recursive - use carefully)

Get-ChildItem -Path $env:USERPROFILE -Include *.env,credentials,*.config -Recurse -ErrorAction SilentlyContinue

Recursive searches can surface many unrelated files — scan results carefully and do not share credential files.

Safely removing credentials you own

Before deleting, consider making a secure backup (offline) if you may need to restore access. Only remove credentials you own or manage.

Remove the default credentials file

Remove-Item "$env:USERPROFILE\.aws\credentials" -Force -ErrorAction SilentlyContinue

Remove profile entries only (edit instead of delete)

You can open %USERPROFILE%\.aws\credentials in a text editor and remove the profile block(s) you no longer need.

Clear environment variables (current user)

[Environment]::SetEnvironmentVariable('AWS_ACCESS_KEY_ID',$null,'User')
[Environment]::SetEnvironmentVariable('AWS_SECRET_ACCESS_KEY',$null,'User')
[Environment]::SetEnvironmentVariable('AWS_SESSION_TOKEN',$null,'User')

Remove entries from Windows Credential Manager (manual)

Open Credential Manager, find the entry and choose Remove. Use this for any generic credential entries related to AWS tools.

Other places to check

IDE settings (VS Code → settings.json, JetBrains password storage)
Any .env files in projects
CI/CD agent folders (if you run local pipelines)

After removal, test access using a minimal command such as aws sts get-caller-identity to confirm credentials are gone (it should fail or require new authentication).

Better: don't store long-lived credentials on your Windows PC

Short summary of safer alternatives — pick the one that fits your workflow.

Use EC2 instance profiles (IAM roles)
Assign an IAM role to your EC2 instance so the instance can call AWS APIs without any static credentials on disk. The SDKs automatically retrieve temporary credentials from the instance metadata service.
AWS Systems Manager / Secrets Manager
Store secrets centrally and grant only services or roles the ability to retrieve them at runtime.
AWS SSO / IAM Identity Center
Use SSO for human access; avoids long-lived keys and integrates with CLI v2.
AWS CLI v2 with SSO or credential_process
Use short-lived sessions that refresh automatically instead of permanently stored keys.
Local tooling: aws-vault or aws-okta
These store encrypted credentials in the OS keystore and provide ephemeral sessions to reduce leak risk.

Note: when using EC2 instance profiles, do not place credentials on the instance. Use the role and rely on the metadata service. If you need to allow cross-account access, use IAM role assumptions.

Quick reference — PowerShell snippets

# Show credentials file
if (Test-Path "$env:USERPROFILE\.aws\credentials") { Get-Content "$env:USERPROFILE\.aws\credentials" }

# Remove credentials file
Remove-Item "$env:USERPROFILE\.aws\credentials" -Force -ErrorAction SilentlyContinue

# Clear environment variables (User scope)
[Environment]::SetEnvironmentVariable('AWS_ACCESS_KEY_ID',$null,'User')
[Environment]::SetEnvironmentVariable('AWS_SECRET_ACCESS_KEY',$null,'User')
[Environment]::SetEnvironmentVariable('AWS_SESSION_TOKEN',$null,'User')