Module 2: Secure Your AWS Account
In this module, you will learn best practices for securing your AWS account
What you will accomplish
- Sign in as the root user
- Enable additional security for the root user
- Set up additional AWS IAM Identity Center (successor to AWS SSO) users
- Sign in to the AWS access portal
- Set up MFA for the Identity Center user
When you create an AWS account, a root user is created automatically for your account. The root user is a special identity with full access to the account; it can perform every action, including changing the payment methods or closing the account, and its permissions cannot be restricted by IAM policies. When you sign in as the root user, you have complete access to all AWS services and resources in the account. Because of this level of permissions, you should sign in as the root user only for the few tasks that require it, and we recommend that you:
- Enable additional security for the root user with multi-factor authentication
- Set up additional users to perform daily tasks related to your account
AWS has two identity services:
- AWS Identity and Access Management (IAM). This service provides access control policies and manages identities that hold long-term credentials, such as IAM users; the root user's own credentials and MFA settings are also managed through IAM. If you create users in IAM, those users have long-term credentials (a console password and, optionally, access keys) that stay valid until you rotate or delete them, so a leaked credential remains usable indefinitely. As a security best practice, minimize the use of long-term credentials in AWS. In this tutorial you will not create an IAM user.
- AWS IAM Identity Center (successor to AWS Single Sign-On). This service issues temporary credentials each time a user signs in for a session; the credentials expire when the session ends, which bounds the damage a leaked credential can do. It can integrate with an existing identity provider you might already have, such as Microsoft Active Directory or Okta, so that your users use the same sign-in for AWS as they do for other services in your organization. If you don't have another identity provider, you can create users in IAM Identity Center. This is the recommended way to create additional users for your AWS account and is the method we will walk through in this tutorial.
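Once the steps in this module are done, it is worth verifying the result from the command line rather than trusting the console. The script below is an added example, not part of the AWS tutorial: it uses the AWS CLI to confirm that the current caller is not the root user, that the account reports MFA enabled for root, and that no IAM user still carries active long-term access keys. The decision logic is kept in small functions that take the CLI's text output as input, so it can be exercised offline; the live calls run only when the script is invoked with `--live`. It assumes AWS CLI v2 is installed and that a named profile (the name `admin` is an assumption, replace it with the profile you configured for your Identity Center user, for example via `aws configure sso`) has permissions to call `sts:GetCallerIdentity`, `iam:GetAccountSummary`, `iam:ListUsers` and `iam:ListAccessKeys`.

```shell
#!/bin/sh
# Added example (not from the AWS tutorial): post-setup checks for the
# root-user and long-term-credential recommendations in this module.
# Assumes AWS CLI v2 and a configured profile; "admin" is an assumed name.

# is_root_arn ARN -> success if ARN belongs to the account root user.
# Matches all partitions (aws, aws-cn, aws-us-gov).
is_root_arn() {
  case "$1" in
    arn:aws*:iam::*:root) return 0 ;;
    *) return 1 ;;
  esac
}

# mfa_ok VALUE -> success if get-account-summary reported AccountMFAEnabled=1.
mfa_ok() {
  [ "$1" = "1" ]
}

# long_term_key_users: reads "UserName AccessKeyId Status" lines on stdin
# (the shape produced by the --query below with --output text) and prints
# the distinct user names that still hold an Active long-term access key.
long_term_key_users() {
  awk '$3 == "Active" { print $1 }' | sort -u
}

# run_live_checks PROFILE: performs the three checks against the real account.
run_live_checks() {
  profile="$1"

  caller_arn=$(aws sts get-caller-identity --profile "$profile" \
                 --query Arn --output text)
  if is_root_arn "$caller_arn"; then
    echo "WARNING: signed in as root ($caller_arn); use the Identity Center user for daily work" >&2
  else
    echo "caller: $caller_arn"
  fi

  mfa=$(aws iam get-account-summary --profile "$profile" \
          --query SummaryMap.AccountMFAEnabled --output text)
  if mfa_ok "$mfa"; then
    echo "root MFA: enabled"
  else
    echo "root MFA: NOT enabled (AccountMFAEnabled=$mfa)" >&2
  fi

  # This tutorial creates no IAM users, so any name printed here deserves review.
  users=$(for u in $(aws iam list-users --profile "$profile" \
                       --query 'Users[].UserName' --output text); do
            aws iam list-access-keys --profile "$profile" --user-name "$u" \
              --query 'AccessKeyMetadata[].[UserName,AccessKeyId,Status]' \
              --output text
          done | long_term_key_users)
  if [ -n "$users" ]; then
    echo "IAM users with active long-term access keys:" >&2
    echo "$users" >&2
  else
    echo "IAM users with active long-term access keys: none"
  fi
}

# Only contact AWS when explicitly asked, so the helpers stay testable offline.
if [ "${1:-}" = "--live" ]; then
  run_live_checks "${2:-admin}"
fi
```

Run it as `sh check-account.sh --live admin`. An Identity Center user signing in through the access portal shows up as an assumed-role ARN (the role name begins with `AWSReservedSSO_`), which is exactly what the first check expects to see; an ARN ending in `:root` means the session is one that should be reserved for the tasks only root can perform.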
Congratulations! You have now completed the sign-in process, created an administrative user in IAM Identity Center, added MFA for both your root user and your administrative user, and are ready to start working with AWS services and applications. Remember, when you sign in as your Identity Center administrative user, use the access portal URL you received in your invitation email, not the root user sign-in page.
Important: Each AWS Organization has a unique access portal URL. Make sure you keep a record of it with your user sign-in information.