Module 2: Secure Your AWS Account
TUTORIAL
Configure Users
In this module, you will learn best practices for securing your AWS account
What you will accomplish
- Sign in as the root user
- Enable additional security for the root user
- Set up additional AWS IAM Identity Center (successor to AWS SSO) users
- Sign in to the AWS access portal
- Enable additional security for the identity center user
- Enable access to your AWS account from additional regions
Implementation
When you create an AWS account, you begin with one sign-in identity that has complete access to all AWS services and resources in the account. The root user is a special entity that has full access to the account, and can perform all actions, including changing the payment methods or closing the account. Due to this level of permissions, we recommend that you:
- Enable additional security for the root user with multi-factor authentication
- Set up additional users to perform daily tasks related to your account
Time to complete
15 minutes
Module requirements
- An internet browser
- An AWS account
Sign in as the root user
The AWS account root user is accessed by signing in with the email address and password that you used to create the account.
Sign in to the AWS Management Console.
Select Root user and enter the email address you specified when you created your account and then choose Next.

You might be prompted to complete a security check. Type the characters in the image in the space provided and then choose Submit. You must complete this check to move to the next step.
Tip: Select the Sound button to hear a set of numbers and letters to type instead of the ones in the image. Select the Refresh button to change the image if you can’t discern the characters in the original image.

Enter your password and choose Sign in.
Congratulations, you have just signed in to the AWS Management Console as your root user. But you don’t want to use your root user for everyday tasks. The root user should only be used for specific account management tasks. For the complete list of tasks that require you to sign in as the root user, see Tasks that require root user credentials. To help keep your root user credentials secure, we strongly recommend that you enable multi-factor authentication (MFA) for your root user sign-in. When you do that, in addition to providing the email address and password for the root user, you will also provide credentials from another authenticator, making it much more difficult for someone to use your root user credentials without your permission.
Add more security to the root user sign-in
Let's start by adding more security for signing in as the root user. To do that, we'll use the AWS Identity and Access Management (IAM) service. For more information, see What is IAM?.

Choose Add MFA. Then on the next screen, choose Activate MFA.

Now, you need to choose between the available MFA options:
- Virtual MFA device
- Security key
- Other hardware MFA device
For details about each of the options, see Multi-Factor Authentication.
If you're not sure which option to use, choose Virtual MFA device and install one of the apps available for your mobile phone. Take note of how the authenticator app you chose handles backups, because you might need to set up the app on a different phone at a later date.
Once you have selected the type of MFA device, choose Continue. The next screen provides the steps required to connect the device to your account. When everything is ready, choose Assign MFA.
Your root user credentials are now more secure. The next time you sign in using the root user credentials, you will provide the credentials from your MFA device as well as your email address and password.
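You can confirm the root-user posture this procedure establishes without signing in as root again. The following script is an added example, not part of the AWS tutorial: it reads the JSON printed by the real AWS CLI command `aws iam get-account-summary` (run with any identity that holds `iam:GetAccountSummary`) and flags the two conditions this module is about, a root user without MFA and root long-term access keys. The sample output embedded below is constructed for illustration; the `AccountMFAEnabled` and `AccountAccessKeysPresent` keys are the real field names.

```python
"""Audit root-user security from the output of `aws iam get-account-summary`.

Added example, not from the AWS tutorial. Feed it the command's JSON output:
    aws iam get-account-summary > summary.json
    python root_audit.py summary.json
"""
import json
import sys

# Constructed sample in the shape of `aws iam get-account-summary` output.
# Values are made up; key names match the real SummaryMap fields.
SAMPLE_BEFORE = json.dumps({
    "SummaryMap": {
        "AccountMFAEnabled": 0,          # 1 when the root user has an MFA device
        "AccountAccessKeysPresent": 1,   # 1 when root has long-term access keys
        "Users": 0,
        "MFADevices": 0,
    }
})

# The same account after following this module: root MFA on, no root keys.
SAMPLE_AFTER = json.dumps({
    "SummaryMap": {
        "AccountMFAEnabled": 1,
        "AccountAccessKeysPresent": 0,
        "Users": 0,
        "MFADevices": 1,
    }
})


def audit_account_summary(summary_json: str) -> list[str]:
    """Return findings for the root user; an empty list means both checks pass."""
    summary = json.loads(summary_json).get("SummaryMap", {})
    findings = []
    if summary.get("AccountMFAEnabled", 0) != 1:
        findings.append("root user has no MFA device assigned")
    if summary.get("AccountAccessKeysPresent", 0) != 0:
        findings.append("root user has long-term access keys; delete them")
    return findings


def audit_file(path: str) -> list[str]:
    """Audit a saved `aws iam get-account-summary` output file."""
    with open(path, encoding="utf-8") as fh:
        return audit_account_summary(fh.read())


if __name__ == "__main__":
    findings = audit_file(sys.argv[1]) if len(sys.argv) > 1 else audit_account_summary(SAMPLE_BEFORE)
    for finding in findings:
        print("FINDING:", finding)
    if not findings:
        print("OK: root user has MFA and no access keys")
```

Run it periodically (or from a scheduled job) so that a later change, such as someone creating root access keys, is noticed rather than assumed away.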

Set up additional users
It is considered a security best practice to not use your root account for everyday tasks. We recommend that you create separate users for specific roles and functions. In this step, we will create an administrative user in IAM Identity Center. We are using IAM Identity Center because it provides users with unique credentials for every session, also known as temporary credentials. Providing users these credentials results in enhanced security for your AWS account because they are generated each time the user signs in.
Enable IAM Identity Center
Navigate to the IAM Identity Center (successor to AWS Single Sign-On) console. Then, under Enable IAM Identity Center, choose Enable.

AWS Organizations automatically sends a verification email to the address that is associated with your management account. There might be a delay before you receive the verification email. Make sure you verify your email address within 24 hours.
Configure your identity source
Navigate to the IAM Identity Center console, and choose Users. Then, select Add user.

- Username – The user name is used to sign in to the AWS access portal and can't be changed later. Choose a name that will be easy to remember.
- Password – Choose one of the following password generation methods:
  - (Default) Send an email to this user with password setup instructions (Recommended): This option sends the user an email addressed from Amazon Web Services, with the subject line Invitation to join IAM Identity Center (successor to AWS Single Sign-On).
  - The email will come from either no-reply@signin.aws or no-reply@login.awsapps.com. Add these email addresses to your approved senders list so that they are not treated as junk or spam.
  - Generate a one-time password that you can share with this user: This option provides you with the AWS access portal URL and password details that you can manually send to the user from your email address.
- Email address – Enter a unique email address for the user. Then, enter it again to confirm it.
- First name – Enter the first name for the user.
- Last name – Enter the last name for the user.
- Display name – Enter the name that will be displayed in the sign-in portal and users list.
- Complete the optional information if desired. It isn’t used during this tutorial and can be added later.
- Select Next.

Create group - optional
Create a group and add the user to the group. User groups let you specify permissions for multiple users, which can make it easier to manage the permissions for those users.
Select Create group to open the Create group page.

Under Group details, in Group name, enter Admins.
Select Create group.

In the Groups tab, select the Refresh button. The new Admins group appears in the list.
Select the check box next to the Admins group, and choose Next.

On the Review and add user page, confirm the following:
- Primary information appears as you intended
- Groups shows the user added to the group you created
In the Users in this group section, select Add user.
- A notification message appears informing you that the user was successfully added.
- Your new user exists but does not have access to any services or applications yet. Let’s set up an administrative permission set and assign it to the new user.

Create an administrative permission set
Permission sets define the level of access that IAM Identity Center users and groups have to an AWS account. We will still be using the root user credentials for this procedure.
Navigate to the IAM Identity Center console and, under Multi-account permissions, choose Permission sets.

Choose Create permission set to start the permission set workflow.
- For Step 1: On the Select permission set type page, keep the default settings, and choose Next.
  - The default settings grant full access to AWS services and resources using the AdministratorAccess predefined permission set.
  - Note: The predefined AdministratorAccess permission set uses the AdministratorAccess AWS managed policy.
- For Step 2: On the Specify permission set details page, keep the default settings, and choose Next.
  - The default settings create a permission set named AdministratorAccess with the session duration set to one hour.
- For Step 3: On the Review and create page, perform the following reviews:
  i. Review the permission set type and verify that it is AdministratorAccess.
  ii. Review the AWS managed policy and confirm that it is AdministratorAccess.
  Then, choose Create.
We skipped using relay state or tags for this permission set because the administrative user has full access to all services. However, you might decide to use them for other permission sets that you create later.
- Relay state lets users that sign in with specific roles go directly to the management console that is used for the role. For example, you can set the relay state to the Amazon EC2 console URL (https://console.aws.amazon.com/ec2/) to redirect the user to that console when they choose the Amazon EC2 administrator role.
- A tag is a custom attribute label that you add to an AWS resource to make it easier to identify, organize, and search for resources. Each tag has two parts, a tag key and tag value. Tags are useful to search for resources across services, or to add metadata like department.
Both relay states and tags are useful to help you organize your users and their workloads.

Assign the Admins group and permission set to your AWS account
- For Step 1: On the Assign users and groups to AWS account-name page, choose the Groups tab, select the Admins group, and then select Next.
- For Step 2: On the Assign permission sets to AWS account-name page, under Permission sets, select the AdministratorAccess permission set, and then select Next.
- For Step 3: On the Review and submit assignments to AWS account-name page, review the selected user and permission set. After you confirm that the Admins group is assigned to the AdministratorAccess permission set, select Submit.
Important: The permission assignment process might take a few minutes to complete. Leave this page open until the process successfully completes.
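The review in Step 3 can also be repeated after the fact from the CLI. The following script is an added example, not part of the AWS tutorial: it takes the JSON printed by the real command `aws sso-admin list-account-assignments --instance-arn <instance-arn> --account-id <account-id> --permission-set-arn <permission-set-arn>` and checks that the Admins group holds the AdministratorAccess permission set, while flagging any user assigned that permission set directly rather than through the group (which is how this module intends administrative access to be managed). The embedded sample, the ARNs and the principal IDs are constructed placeholders; the `AccountAssignments`, `PrincipalType`, `PrincipalId` and `PermissionSetArn` field names are the real ones.

```python
"""Review AdministratorAccess assignments from `aws sso-admin list-account-assignments`.

Added example, not from the AWS tutorial. Typical use:
    aws sso-admin list-account-assignments --instance-arn "$INSTANCE_ARN" \
        --account-id 111122223333 --permission-set-arn "$ADMIN_PS_ARN" > assignments.json
    python review_assignments.py assignments.json <admins-group-id>
"""
import json
import sys

# Constructed placeholders; real values come from your Identity Center instance.
ADMIN_PS_ARN = "arn:aws:sso:::permissionSet/ssoins-EXAMPLE/ps-ADMINEXAMPLE"
ADMINS_GROUP_ID = "group-id-admins-EXAMPLE"

# Constructed sample in the shape of the list-account-assignments output.
# It shows a correctly assigned group plus one user who was assigned directly.
SAMPLE_ASSIGNMENTS = json.dumps({
    "AccountAssignments": [
        {"AccountId": "111122223333", "PermissionSetArn": ADMIN_PS_ARN,
         "PrincipalType": "GROUP", "PrincipalId": ADMINS_GROUP_ID},
        {"AccountId": "111122223333", "PermissionSetArn": ADMIN_PS_ARN,
         "PrincipalType": "USER", "PrincipalId": "user-id-alice-EXAMPLE"},
    ]
})


def review_admin_assignments(assignments_json: str,
                             admin_ps_arn: str = ADMIN_PS_ARN,
                             admins_group_id: str = ADMINS_GROUP_ID) -> dict:
    """Summarise who holds the admin permission set.

    Returns {"group_assigned": bool, "direct_users": [principal ids]}.
    group_assigned is True when the Admins group holds the permission set;
    direct_users lists USER principals that hold it outside the group.
    """
    assignments = json.loads(assignments_json).get("AccountAssignments", [])
    admin_only = [a for a in assignments if a.get("PermissionSetArn") == admin_ps_arn]
    group_assigned = any(
        a.get("PrincipalType") == "GROUP" and a.get("PrincipalId") == admins_group_id
        for a in admin_only
    )
    direct_users = sorted(
        a["PrincipalId"] for a in admin_only if a.get("PrincipalType") == "USER"
    )
    return {"group_assigned": group_assigned, "direct_users": direct_users}


def review_file(path: str, admins_group_id: str = ADMINS_GROUP_ID) -> dict:
    """Review a saved list-account-assignments output file."""
    with open(path, encoding="utf-8") as fh:
        return review_admin_assignments(fh.read(), admins_group_id=admins_group_id)


if __name__ == "__main__":
    if len(sys.argv) > 2:
        result = review_file(sys.argv[1], sys.argv[2])
    else:
        result = review_admin_assignments(SAMPLE_ASSIGNMENTS)
    print("Admins group holds AdministratorAccess:", result["group_assigned"])
    for principal in result["direct_users"]:
        print("REVIEW: user assigned AdministratorAccess directly:", principal)
```

Direct user assignments are not wrong in themselves, but they bypass the group you just created, so each one is worth a deliberate decision rather than an accident of the console workflow.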
Sign in to the AWS access portal with your administrative credentials
Now you are ready to sign in using your new administrative user. If you had tried to sign in previously, you would only have been able to set your password and set up multi-factor authentication (MFA) for your user, because no other permissions had been granted to the user. Now the user has full permissions to your AWS resources, but they still need to configure a password and set up MFA, so let’s walk through those procedures.
In the new user email that was sent to the email address you specified earlier, select the Accept invitation link.

In the New user sign up browser tab, specify a new password. Passwords must be:
- 8 – 64 characters long
- Composed of uppercase and lowercase letters, numbers, and non-alphanumeric characters.

After specifying a password, select Set new password. A short delay occurs while the user is provisioned. Then, the AWS console opens.
Along the top bar, next to the User name, select MFA devices to set up MFA.

On the Multi-factor authentication (MFA) devices page, select Register device.

On the Register MFA device page select the MFA device to use with the account. Options not supported by your browser or platform are dimmed and can’t be selected.

Follow the instructions for the device you selected to complete registration of the MFA device.
After your device is successfully registered, you can associate a friendly display name with your newly enrolled device.

From the access portal select the AWS account to manage. You are shown the permissions configured for your account with two connection options.
- Select Management console to open the AWS Management Console and manage your AWS resources using the service console dashboards.
- Select Command line or programmatic access to get credentials to access AWS resources programmatically or from the AWS CLI.
For this tutorial, select Management console.

Conclusion
Congratulations! You have now completed the sign-in process, created an administrative user in IAM Identity Center, added enhanced security for both your root user and your administrative user, and are ready to start working with AWS services and applications.