Module 2: Secure Your AWS Account

TUTORIAL

Configure Users

In this module, you will learn best practices for securing your AWS account.

What you will accomplish

In this module, you will learn how to:
  • Sign in as the root user
  • Enable additional security for the root user
  • Set up additional AWS IAM Identity Center (successor to AWS SSO) users
  • Sign in to the AWS access portal
  • Enable additional security for the identity center user
  • Enable access to your AWS account from additional regions

Implementation

When you create an AWS account, you begin with one sign-in identity that has complete access to all AWS services and resources in the account. The root user is a special entity that has full access to the account, and can perform all actions, including changing the payment methods or closing the account. Due to this level of permissions, we recommend that you:

  • Enable additional security for the root user with multi-factor authentication
  • Set up additional users to perform daily tasks related to your account

Time to complete

15 minutes

Module requirements

  • An internet browser
  • An AWS account

Sign in as the root user

The AWS account root user is accessed by signing in with the email address and password that you used to create the account.

Sign in to the AWS Management Console.

Select Root user, enter the email address you specified when you created your account, and then choose Next.

You might be prompted to complete a security check. Type the characters in the image in the space provided and then choose Submit. You must complete this check to move to the next step.

Tip: Select the Sound button to hear a set of numbers and letters to type instead of the ones in the image. Select the Refresh button to change the image if you can’t discern the characters in the original image.

Enter your password and choose Sign in.


Congratulations, you have just signed in to the AWS Management Console as your root user. But you don’t want to use your root user for everyday tasks. The root user should only be used for specific account management tasks. For the complete list of tasks that require you to sign in as the root user, see Tasks that require root user credentials. To help keep your root user credentials secure, we strongly recommend that you enable multi-factor authentication (MFA) for your root user sign-in. When you do that, in addition to providing the email address and password for the root user, you will also provide credentials from another authenticator, making it much more difficult for someone to use your root user credentials without your permission.

Add more security to the root user sign-in

Let's start by adding more security for signing in as the root user. To do that, we'll use the AWS Identity and Access Management (IAM) service. For more information, see What is IAM?.

When you're ready to start, sign in to your newly created AWS account using the root user credentials as explained in the previous step.

After signing in, the AWS Management Console opens. In the search bar, enter IAM, and then select IAM. The IAM dashboard opens.

IAM dashboard within the AWS Management Console, with option for adding MFA for the root user.

Under Security recommendations, there is a notice to Add MFA for root user.

Choose Add MFA. Then on the next screen, choose Activate MFA.


Now, you need to choose between the available MFA options:

  • Virtual MFA device
  • Security key
  • Other hardware MFA device

For details about each of the options, see Multi-Factor Authentication.

If you're not sure which option to use, choose Virtual MFA device and install one of the apps available for your mobile phone. Take note of how the authenticator app you chose handles backups, because you might need to set up the app on a different phone at a later date. 

Once you have selected the type of MFA device, choose Continue. The next screen provides the steps required to connect the device to your account. When everything is ready, choose Assign MFA.

Your root user credentials are now more secure. The next time you sign in using the root user credentials, you will provide the credentials from your MFA device as well as your email address and password.


Set up additional users

It is considered a security best practice to not use your root account for everyday tasks. We recommend that you create separate users for specific roles and functions. In this step, we will create an administrative user in IAM Identity Center. We are using IAM Identity Center because it provides users with unique credentials for every session, also known as temporary credentials. Providing users these credentials results in enhanced security for your AWS account because they are generated each time the user signs in.

Enable IAM Identity Center

Navigate to the IAM Identity Center (successor to AWS Single Sign-On) console. Then, under Enable IAM Identity Center, choose Enable.

IAM Identity Center requires AWS Organizations. Choose Create AWS organization to complete this process.

AWS Organizations is a feature of your AWS account offered at no additional charge.

AWS Organizations automatically sends a verification email to the address that is associated with your management account. There might be a delay before you receive the verification email. Make sure you verify your email address within 24 hours.

Configure your identity source

Navigate to the IAM Identity Center console, and choose Users. Then, select Add user.

On the Specify details page, specify the following:

  • Username – The user name is used to sign in to the AWS access portal and can't be changed later. Choose a name that will be easy to remember.
  • Password – Choose one of the following password generation methods:
    • Send an email to this user with password setup instructions (Default, Recommended) – This option sends the user an email from Amazon Web Services with the subject line Invitation to join IAM Identity Center (successor to AWS Single Sign-On).
      • The email will come from either no-reply@signin.aws or no-reply@login.awsapps.com. Add these email addresses to your approved senders list so that they are not treated as junk or spam.
    • Generate a one-time password that you can share with this user – This option provides you with the AWS access portal URL and password details that you can manually send to the user from your email address.

For this tutorial, use the default method so that you can go through the experience of receiving the email from AWS.

Complete the primary information in the user details:

  • Email address – Enter a unique email address for the user. Then, enter it again to confirm it.
  • First name – Enter the first name for the user.
  • Last name – Enter the last name for the user.
  • Display name – Enter the name that will be displayed in the sign-in portal and users list.
  • Complete the optional information if desired. It isn’t used during this tutorial and can be added later.
  • Select Next.

Create group - optional

Create a group and add the user to the group. User groups let you specify permissions for multiple users, which can make it easier to manage the permissions for those users.

Select Create group to open the Create group page.


Under Group details, in Group name, enter Admins.

Select Create group.


In the Groups tab, select the Refresh button. The new Admins group appears in the list.

Select the check box next to the Admins group, and choose Next.


On the Review and add user page, confirm the following:

  • Primary information appears as you intended
  • Groups shows the user added to the group you created

In the Users in this group section, select Add user. A notification message appears informing you that the user was successfully added.

Your new user exists but does not have access to any services or applications yet. Let’s set up an administrative permission set and assign it to the new user.

Create an administrative permission set

Permission sets define the level of access that IAM Identity Center users and groups have to an AWS account. We will still be using the root user credentials for this procedure.

Navigate to the IAM Identity Center console and, under Multi-account permissions, choose Permission sets.


Choose Create permission set to start the permission set workflow.

  • For Step 1: On the Select permission set type page, keep the default settings, and choose Next.
    • The default settings grant full access to AWS services and resources using the AdministratorAccess predefined permission set.
    • Note: The predefined AdministratorAccess permission set uses the AdministratorAccess AWS managed policy.
  • For Step 2: On the Specify permission set details page, keep the default settings, and choose Next.
    • The default settings create a permission set named AdministratorAccess with the session duration set to one hour.
  • For Step 3: On the Review and create page, perform the following reviews:
    i. Review the permission set type and verify that it is AdministratorAccess.
    ii. Review the AWS managed policy and confirm that it is AdministratorAccess.
  • Then, choose Create.

We skipped using relay state or tags for this permission set because the administrative user has full access to all services. However, you might decide to use them for other permission sets that you create later.

  • Relay state lets users that sign in with specific roles go directly to the management console that is used for the role. For example, you can set the relay state to the Amazon EC2 console URL (https://console.aws.amazon.com/ec2/) to redirect the user to that console when they choose the Amazon EC2 administrator role. 
  • A tag is a custom attribute label that you add to an AWS resource to make it easier to identify, organize, and search for resources. Each tag has two parts, a tag key and tag value. Tags are useful to search for resources across services, or to add metadata like department.

Both relay states and tags are useful to help you organize your users and their workloads. 

Now that we have a user, a group, and a permission set, we need to put them together by assigning the permission set to the group. We will still be using the root user credentials for this step.
 
Navigate to the IAM Identity Center console and, under Multi-account permissions, choose AWS accounts.
 
On the AWS accounts page, a tree view list of your organization appears. Select the checkbox next to your AWS account, then select Assign users or groups.

  • For Step 1: On the Assign users and groups to AWS account-name page, choose the Groups tab, select the Admins group then select Next.
  • For Step 2: On the Assign permission sets to AWS account-name page, under Permission sets, select the AdministratorAccess permission set, and then select Next.
  • For Step 3: On the Review and submit assignments to AWS account-name page, review the selected user and permission set. After you confirm that the Admins group is assigned to the AdministratorAccess permission set, select Submit.

Important: The permission assignment process might take a few minutes to complete. Leave this page open until the process successfully completes.

Sign in to the AWS access portal with your administrative credentials

Now you are ready to sign in using your new administrative user. If you had tried to sign in previously, you would only have been able to establish your password and set up multi-factor authentication (MFA) for your user, because no other permissions had been granted to the user. Now the user has full permissions to your AWS resources, but they still need to configure a password and set up MFA, so let’s walk through those procedures.

In the new user email that was sent to the email address you specified earlier, select the Accept invitation link.

In the New user sign up browser tab, specify a new password. Passwords must be:

  • 8 – 64 characters long
  • Composed of uppercase and lowercase letters, numbers, and non-alphanumeric characters.


After specifying a password, select Set new password. A short delay occurs while the user is provisioned. Then, the AWS console opens.

Along the top bar, next to the User name, select MFA devices to set up MFA.


On the Multi-factor authentication (MFA) devices page, select Register device.


On the Register MFA device page select the MFA device to use with the account. Options not supported by your browser or platform are dimmed and can’t be selected.


Follow the instructions for the device you selected to complete registration of the MFA device.

After your device is successfully registered, you can associate a friendly display name with your newly enrolled device.


From the access portal select the AWS account to manage. You are shown the permissions configured for your account with two connection options.

  • Select Management console to open the AWS Management Console and manage your AWS resources using the service console dashboards.
  • Select Command line or programmatic access to get credentials to access AWS resources programmatically or from the AWS CLI. 

For this tutorial, select Management console.
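A check you can run once the tutorial is complete, from a Command line or programmatic access session of your new administrative user, to confirm the outcome of the root MFA step and that you are not operating as root. This is an added example, not code from the AWS tutorial; it parses the JSON printed by `aws sts get-caller-identity` and `aws iam get-account-summary`, and the two sample documents embedded below are constructed, with a made-up account ID and role name.

```python
"""Post-tutorial audit: confirm the caller is not the root user and that the
root user has MFA enabled and no access keys. Falls back to constructed
sample documents when the AWS CLI is not usable on this machine."""
import json
import subprocess

# Constructed sample: an IAM Identity Center session created from the
# AdministratorAccess permission set assigned in this tutorial.
SAMPLE_IDENTITY = {
    "UserId": "AROAEXAMPLEID:admin-user",
    "Account": "111122223333",
    "Arn": "arn:aws:sts::111122223333:assumed-role/AWSReservedSSO_AdministratorAccess_abc123/admin-user",
}
# Constructed sample of get-account-summary after the root MFA step.
SAMPLE_SUMMARY = {"SummaryMap": {"AccountMFAEnabled": 1,
                                 "AccountAccessKeysPresent": 0}}

def is_root_identity(identity):
    """True when the caller ARN is the account root user (arn:...:root)."""
    return identity["Arn"].endswith(":root")

def root_findings(summary):
    """Findings about the root user; an empty list means both checks pass."""
    m = summary["SummaryMap"]
    findings = []
    if m.get("AccountMFAEnabled", 0) != 1:
        findings.append("root user has no MFA device enabled")
    if m.get("AccountAccessKeysPresent", 0) != 0:
        findings.append("root user has access keys; delete them and use Identity Center users")
    return findings

def aws_json(*args):
    """Run one AWS CLI command and parse its JSON output (needs credentials)."""
    out = subprocess.run(["aws", *args, "--output", "json"],
                         check=True, capture_output=True, text=True).stdout
    return json.loads(out)

if __name__ == "__main__":
    try:
        identity = aws_json("sts", "get-caller-identity")
        summary = aws_json("iam", "get-account-summary")
    except (FileNotFoundError, subprocess.CalledProcessError):
        print("AWS CLI not usable here; evaluating the constructed samples")
        identity, summary = SAMPLE_IDENTITY, SAMPLE_SUMMARY
    if is_root_identity(identity):
        print("WARNING: signed in as root; use your Identity Center admin user")
    for finding in root_findings(summary) or ["root user checks passed"]:
        print(finding)
```

The AdministratorAccess permission set created in this tutorial grants the iam:GetAccountSummary and sts:GetCallerIdentity calls the script makes.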


Conclusion

Congratulations! You have now completed the sign-in process, created an administrative user in IAM Identity Center, added enhanced security for both your root user and your administrative user, and are ready to start working with AWS services and applications.
