Module 2: Secure Your AWS Account

Sign in to the AWS Management Console.

Select Root user and enter the email address you specified when you created your account and then choose Next.

You might be prompted to complete a security check. Type the characters in the image in the space provided and then choose Submit. You must complete this check to move to the next step.

Tip: Select the Sound button to hear a set of number and letter to type instead of the ones in the image. Select the Refresh button to change the image if you can’t discern the characters in the original image.

Enter your password and choose Sign in.

Congratulations, you have just signed in to the AWS Management Console as your root user. But you don’t want to use your root user for everyday tasks. The root user should only be used for specific account management tasks. For the complete list of tasks that require you to sign in as the root user, see Tasks that require root user credentials. To help keep your root user credentials secure, we strongly recommend that you enable multi-factor authentication (MFA) for your root user sign-in. When you do that, in addition to providing the email address and password for the root user you will also provide credentials from another authenticator, making it much more difficult for someone to use your root user credentials without your permission.

When you're ready to start, sign in to your newly created AWS account using the root user credentials as explained in the previous step.

After signing-in, the AWS Management Console opens. In the search bar, enter IAM, and then select IAM. The IAM dashboard opens.

Under Security recommendations, there is a notice to Add MFA for root user.
Choose Add MFA. Then on the next screen, choose Activate MFA.

Now, you need to choose between the available MFA options:

• Virtual MFA device
• Security key
• Other hardware MFA device

For details about each of the options, see Multi-Factor Authentication. 

If you're not sure which option to use, choose Virtual MFA device and install one of the apps available for your mobile phone. Take note of how the authenticator app you chose handles backups, because you might need to set up the app on a different phone at a later date. 

Once you have selected the type of MFA device, choose Continue. The next screen provides the steps required to connect the device to your account. When everything is ready, choose Assign MFA.

Your root user credentials are now more secure. The next time you sign-in using the root user credentials you will provide the credentials from your MFA device as well as your email address and password.

Navigate to the IAM Identity Center (successor to AWS Single Sign-On) console. Then, under Enable IAM Identity Center, choose Enable.

AWS Organizations is a feature of your AWS account offered at no additional charge.
AWS Organizations automatically sends a verification email to the address that is associated with your management account. There might be a delay before you receive the verification email. Make sure you verify your email address within 24 hours.

Navigate to the IAM Identity Center console, and choose Users. Then, select Add user.

• Username – The user name is used to sign in to the AWS access portal and can't be changed later. Choose a name that will be easy to remember.
• Password – Choose one of the following password generation methods:
  • (Default) Send an email to this user with password setup instructions (Recommended) This option sends the user an email addressed from Amazon Web Services, with the subject line Invitation to join IAM Identity Center (successor to AWS Single Sign-On). 
    • The email will come from either no-reply@signin.aws or no-reply@login.awsapps.com. Add these email addresses to your approved senders list so that they are not treated as junk or spam.
  • Generate a one-time password that you can share with this user This option provides you with the AWS access portal URL and password details that you can manually send to the user from your email address.
    

• Email address – Enter a unique email address for the user. Then, enter it again to confirm it.
• First name – Enter the first name for the user.
• Last name – Enter the last name for the user
• Display name – Enter the name that will be displayed in the sign-in portal and users list.
• Complete the optional information if desired. It isn’t used during this tutorial and can be added later.
• Select Next.
  

Create a group and add the user to the group. User groups let you specify permissions for multiple users, which can make it easier to manage the permissions for those users.

Select Create group to open the Create group page.

Under Group details, in Group name, enter Admins.

Select Create group.

Permission sets define the level of access that IAM Identity Center users and groups have to an AWS account. We will still be using the root user credentials for this procedure.

Navigate to the IAM Identity Center console, under Multi-account permissions, choose Permission sets.

Choose Create permission set to start the permission set workflow.

• For Step 1: On the Select permission set type page, keep the default settings, and choose Next.
  • The default settings grant full access to AWS services and resources using the AdministratorAccess predefined permission set.
  • Note: The predefined AdministratorAccess permission set uses the AdministratorAccess AWS managed policy.
    
• For Step 2: On the Specify permission set details page, keep the default settings, and choose Next.
  • The default setting limit creates a permission set named AdministratorAccess with session duration set to one hour.
    
• For Step 3: On the Review and create page, perform the following reviews:
  i. Review the permission set type and verify that it is AdministratorAccess.
  ii. Review the AWS managed policy and confirm that it is AdministratorAccess.
• Then, choose Create.
  

• For Step 1: On the Assign users and groups to AWS account-name page, choose the Groups tab, select the Admins group then select Next.
• For Step 2: On the Assign permission sets to AWS account-name page, under Permission sets, select the AdministratorAccess permission set, and then select Next.
• For Step 3: On the Review and submit assignments to AWS account-name page, review the selected user and permission set. After you confirm that the Admins group is assigned to the AdministratorAccess permission set, select Submit.

Important: The permission assignment process might take a few minutes to complete. Leave this page open until the process successfully completes.

Now you are ready to sign in using your new administrative user. If you tried to sign in previously you would have only been able to establish your password and enable up multi-factor authentication (MFA) for your user, because no other permissions had been granted to the user. Now, the user will have full permissions to your AWS resources, but they will still need to configure a password and set up MFA, so let’s walk-through those procedures.

In the new user email that was sent to the previous email address you specified, select the Accept invitation link.

In the New user sign up browser tab, specify a new password. Passwords must be:

• 8 – 64 characters long
• Composed of uppercase and lowercase letters, numbers, and non-alphanumeric characters.

    

After specifying a password, select Set new password. A short delay occurs while the user is provisioned. Then, the AWS console opens.

Along the top bar, next to the User name, select MFA devices to set up MFA.

On the Multi-factor authentication (MFA) devices page, select Register device.

On the Register MFA device page select the MFA device to use with the account. Options not supported by your browser or platform are dimmed and can’t be selected.

Follow the instructions for the device you selected to complete registration of the MFA device.

After your device is successfully registered, you can associate a friendly display name with your newly enrolled device.

From the access portal select the AWS account to manage. You are shown the permissions configured for your account with two connection options.

• Select Management console to open the AWS Management Console and manage your AWS resources using the service console dashboards.
• Select Command line or programmatic access to get credentials to access AWS resources programmatically or from the AWS CLI. 
  

For this tutorial, select Management console.