Module 2: Secure Your AWS Account

TUTORIAL

Configure Users

In this module, you will learn best practices for securing your AWS account

What you will accomplish

In this module, you will learn how to:
  • Sign in as the root user
  • Enable additional security for the root user
  • Set up additional AWS IAM Identity Center (successor to AWS SSO) users
  • Sign in to the AWS access portal
  • Set up MFA for the Identity Center user

Implementation

When you create an AWS account, a root user is created automatically for your account. The root user is a special entity that has full access to the account and can perform all actions, including changing the payment methods or closing the account. When you sign in using the root user, you have complete access to all AWS services and resources in the account. Because of this level of permissions, we recommend that you:

  • Enable additional security for the root user with multi-factor authentication
  • Set up additional users to perform daily tasks related to your account

AWS has two identity services:

  • AWS Identity and Access Management (IAM). This service provides access control policies and manages the root user and IAM users. If you create users in IAM, those users have long-term access credentials (a password and, optionally, access keys that do not expire on their own). As a security best practice, it is recommended that you minimize the use of long-term credentials in AWS. In this tutorial you will not create an IAM user.
  • AWS IAM Identity Center (successor to AWS Single Sign-On). This service provides temporary credentials that are granted each time a user signs in for a session. It can integrate with any existing identity providers you might already have, like Microsoft Active Directory or Okta, so that your users can use the same sign on for AWS as they use for other services in your organization. If you don't have another identity provider, you can create users in IAM Identity Center. This is the recommended way to create additional users for your AWS account and is the method we will walk through in this tutorial.

Time to complete

15 minutes

Module requirements

  • An internet browser
  • An AWS account

Sign in as the root user

The AWS account root user is accessed by signing in with the email address and password that you used to create the account.

1. Sign in to the AWS Management Console.

2. Select Root user and enter the email address you specified when you created your account and then choose Next.

3. You might be prompted to complete a security check. Type the characters from the image in the space provided and then choose Submit. You must complete this check to move to the next step.

Tip: Select the Sound button to hear a set of numbers and letters to type. Select the Refresh button to change the image if you can’t discern the characters in the original image.

4. On the sign-in page, enter your password and choose Sign in.

Congratulations, you have just signed in to the AWS Management Console as your root user. But you don't want to use your root user for everyday tasks. The root user should be used only for the specific account management tasks that require it, two of which we are going to do in the next part of this tutorial:

  • Enable MFA for the root user
  • Create an administrative user in IAM Identity Center

For the complete list of tasks that require you to sign in as the root user, see Tasks that require root user credentials.
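Because the root user should only ever be used for those few tasks, every root sign-in is worth an alert, and a root sign-in without MFA is an incident. The following is an added example, not part of the AWS tutorial: it reads CloudTrail ConsoleLogin records (the sample records are constructed here; the account ID 123456789012 and the TEST-NET IP addresses are placeholders) and classifies root sign-ins by outcome and by the MFAUsed field that CloudTrail records for console logins. The severity labels are this example's own choice, not an AWS convention.

```python
import json

# Constructed sample CloudTrail records for this example (not real log data):
# a root login with MFA, a root login without MFA, a failed root login, and an
# Identity Center session making an API call (included so the filter has
# something to ignore). Account ID and IP addresses are placeholders.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-01-10T09:12:44Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root", "principalId": "123456789012",
                      "arn": "arn:aws:iam::123456789012:root",
                      "accountId": "123456789012"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes", "MobileVersion": "No",
                             "LoginTo": "https://console.aws.amazon.com/console/home"}},
    {"eventTime": "2024-01-11T22:03:01Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "principalId": "123456789012",
                      "arn": "arn:aws:iam::123456789012:root",
                      "accountId": "123456789012"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No", "MobileVersion": "No",
                             "LoginTo": "https://console.aws.amazon.com/console/home"}},
    {"eventTime": "2024-01-12T03:15:59Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "principalId": "123456789012",
                      "arn": "arn:aws:iam::123456789012:root",
                      "accountId": "123456789012"},
     "errorMessage": "Failed authentication",
     "responseElements": {"ConsoleLogin": "Failure"},
     "additionalEventData": {"MFAUsed": "No", "MobileVersion": "No",
                             "LoginTo": "https://console.aws.amazon.com/console/home"}},
    {"eventTime": "2024-01-12T08:00:12Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListUsers", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AssumedRole", "accountId": "123456789012",
                      "arn": "arn:aws:sts::123456789012:assumed-role/"
                             "AWSReservedSSO_AdministratorAccess_0123456789abcdef/john"}},
]})


def load_records(text):
    """Accept either the {"Records": [...]} document CloudTrail delivers to S3
    or newline-delimited JSON (one event per line, as many log pipelines emit)."""
    text = text.strip()
    try:
        doc = json.loads(text)
    except json.JSONDecodeError:
        return [json.loads(line) for line in text.splitlines() if line.strip()]
    return doc.get("Records", [doc]) if isinstance(doc, dict) else doc


def root_login_findings(records):
    """Return one finding per root ConsoleLogin event. A successful root login
    without MFA is the worst case; any successful root login should be matched
    against an approved root-only task; failures indicate someone guessing."""
    findings = []
    for r in records:
        if r.get("eventName") != "ConsoleLogin":
            continue
        identity = r.get("userIdentity", {})
        if identity.get("type") != "Root":
            continue
        success = r.get("responseElements", {}).get("ConsoleLogin") == "Success"
        mfa_used = r.get("additionalEventData", {}).get("MFAUsed") == "Yes"
        if success and not mfa_used:
            severity, reason = "CRITICAL", "root console login without MFA"
        elif success:
            severity, reason = "HIGH", "root console login (confirm it was an approved root-only task)"
        else:
            severity, reason = "MEDIUM", "failed root console login attempt"
        findings.append({"time": r.get("eventTime"), "account": identity.get("accountId"),
                         "source_ip": r.get("sourceIPAddress"),
                         "severity": severity, "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in root_login_findings(load_records(SAMPLE_TRAIL)):
        print(f"{finding['severity']:8} {finding['time']} {finding['source_ip']:15} {finding['reason']}")
```

CloudTrail's event history keeps management events such as ConsoleLogin for 90 days by default; to run this over a longer window, read the records from a trail delivered to S3. Once the root user has MFA enabled, the CRITICAL branch should never fire again; if it does, the MFA device was removed and the root credentials should be treated as compromised.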

Add more security to the root user sign-in

To help keep your root user credentials secure, we strongly recommend that you enable multi-factor authentication (MFA) for your root user sign-in. When you enable MFA, in addition to providing the email address and password for the root user you will also provide credentials from another authenticator, making it much more difficult for someone to use your root user credentials without your permission.

Let's add more security to the root user sign-in. To do this, we'll use the AWS Identity and Access Management (IAM) service. For more information, see What is IAM?.

1. Sign in to your newly created AWS account using the root user credentials.

2. In the AWS Management Console search bar, enter IAM, and then select IAM.

IAM dashboard within the AWS Management Console, with option for adding MFA for the root user.

3. Under Security recommendations, there is a notice to Add MFA for root user.
4. Choose Add MFA.

5. The My security credentials (root user) page opens. There is an alert stating You don't have MFA assigned. Choose Assign MFA.

6. The Select MFA device page opens. In Specify MFA device name, enter a name for your MFA device. We recommend using a name that helps you remember which device and user this credential is assigned to.

7. In this tutorial, we will use an authenticator app on a mobile device. Enter the device name phone-root.

8. In Select MFA device, select the Authenticator app option then select Next.

Tip: If you don't have access to a mobile device or a hardware MFA device, you cannot enable MFA. Find out how to get a free MFA security key from AWS.

The Set up device page opens. This page has three steps to complete.

9. Set up the authenticator app on your mobile device. Several different authenticator apps are supported for both Android and iOS devices. See the Virtual authenticator apps section on the Multi-Factor Authentication (MFA) for IAM page for a list of supported apps and links to their download locations.

10. Open the authenticator app on your mobile device.

11. Select the Show QR code link to show a unique QR code for your account. If you can't scan the QR code, select the Show secret key link to display a text key that you can enter into the Authenticator app to identify your account.

12. Either scan the QR code with your authenticator app or enter the code in your authenticator app to link your authenticator device to your account.

13. After your authenticator has established the link to your account, it will start generating one-time codes, each valid for 30 seconds. In MFA code 1, type the code you see in the app. Wait for that code to change to the next one, then type it in MFA code 2, and select Add MFA before the second code expires.

You are returned to the My security credentials (root user) page. A notification message is displayed at the top that states the MFA device is assigned.

Your root user credentials are now more secure.

14. Sign out of the console. The next time you sign in using the root user credentials, you will provide the code from your MFA device as well as your email address and password.

Keep in mind that the MFA device is now required to sign in as root. Register a second device as well (AWS allows up to eight MFA devices on the root user) and store it separately, so that losing one device does not lock you out; if no registered device is available, you must go through the AWS MFA recovery process before you can sign in as root again.

Set up users in IAM Identity Center

It is considered a security best practice not to use your root user for everyday tasks, but right now the root user is the only user you have. In this tutorial, we will use IAM Identity Center to create an administrative user. We are using IAM Identity Center because it gives users unique credentials for every session, also known as temporary credentials: they are generated each time the user signs in and expire when the session ends, which is an improvement over long-term credentials. Once you have an administrative user, you can sign in with that user to create additional Identity Center users and assign them to groups with permissions to perform specific job functions. Another benefit of creating users in IAM Identity Center is that they are automatically granted access to the AWS Billing and Cost Management console.

For more information about billing, see the AWS Billing user guide. 

This section of the tutorial has the following steps:

  • Enable IAM Identity Center
  • Configure your identity source
    • Add a user
    • Add the user to a group
  • Manage access to your AWS account (create an administrative permission set and assign it to the group)
  • Sign in to the AWS access portal with your administrative credentials

Enable IAM Identity Center

1. Sign in to your AWS account using the root user credentials.

2. In the AWS Management Console search bar, enter IAM Identity Center, and then select IAM Identity Center.

3. The IAM Identity Center service overview page opens. Review the information to learn about the features of the IAM Identity Center service, then under Enable IAM Identity Center, choose Enable.

When you enable IAM Identity Center you also need to enable AWS Organizations. AWS Organizations lets you organize multiple AWS accounts so that you can have separate AWS accounts for different use cases. AWS Organizations is a feature of your AWS account offered at no additional charge.

4. Choose Create AWS organization to continue.

Your AWS account is now the management account of the AWS organization. The root user of the management account is the most privileged identity in the whole organization, which is one more reason the MFA you just enabled matters.

At this point, AWS Organizations sends a verification email to the root user's email address. Verification is required only when you want to invite other accounts to become members of your organization, so you don't need to verify the address before continuing with this tutorial. For more information about account management, see the AWS Organizations user guide.

Note: The verification link is only valid for 24 hours, so if you wait longer than that to verify the email address, you will need to resend the verification email. For more information about how to do this, see Email address verification.

Configure your identity source

Your identity source is where your users and groups are managed. After you configure your identity source, you can look up users or groups to grant them single sign-on access to AWS accounts, cloud applications, or both.

You can have only one identity source per organization. You can use either:

  • Identity Center directory – When you enable IAM Identity Center for the first time, it is automatically configured with an Identity Center directory as your default identity source where you will manage your users and groups.
  • Active Directory – Users and groups are managed in either your AWS Managed Microsoft AD directory using AWS Directory Service or your self-managed directory in Active Directory (AD).
  • External identity provider – Users and groups are managed in an external identity provider (IdP) such as Okta or Azure Active Directory.

In this tutorial, we are going to be using the Identity Center directory.

1. Navigate to the IAM Identity Center console, and choose Users. Then, select Add user.

2. On the Specify user details page, complete the following information:
  • Username – The user name is used to sign in to the AWS access portal and can't be changed later. Choose a name that will be easy to remember. For this tutorial, we will be adding the user John.
  • Password – Choose Send an email to this user with password setup instructions (Recommended). This option sends the user an email addressed from Amazon Web Services, with the subject line Invitation to join IAM Identity Center (successor to AWS Single Sign-On). The email will come from either no-reply@signin.aws or no-reply@login.awsapps.com. Add these email addresses to your approved senders list so that they are not treated as junk or spam.

3. In the Primary information section, complete the required user details:

  • Email address – Enter an email address for the user where you can receive the email. Then, enter it again to confirm it. Each user must have a unique email address.

Tip: During testing, you might be able to use email subaddressing to create valid email addresses for multiple fictitious users. If your email provider supports it, you can create a new email address by appending the plus sign (+) and then numbers or characters to your current email address, such as someone@example.com, someone+1@example.com, and someone+test@example.com. All of those email addresses would result in an email being received at the same email address. 

  • First name – Enter the first name for the user.
  • Last name – Enter the last name for the user.
  • Display name – This is automatically filled in with the first and last name of the user. If you want to change the display name, you can enter something different. The display name is visible in the sign-in portal and users list. 
  • Complete the optional information if desired. It isn’t used during this tutorial and can be added later.

4. Select Next.

Add user to groups - optional

User groups let you specify permissions for multiple users, which can make it easier to manage the permissions for those users.

1. Select Create group.

Create user group page within the IAM console.

2. A new browser tab opens to display the Create group page.

3. Under Group details, in Group name, enter Admins.

4. Select Create group.

The Groups page is displayed, showing your new Admins group.

5. Close the Groups browser tab, or switch back to the Add user browser tab.

6. In the Groups area, select the Refresh button. 

The new Admins group appears in the list. 

7. Select the check box next to the Admins group, and then choose Next.

8. On the Review and add user page confirm the following:

  • Primary information appears as you intended
  • Groups shows the user added to the group you created

If you need to make changes, choose Edit to make the updates.

9. Once everything is correct, select Add user.

You are returned to the main IAM Identity Center > Users page. 

A notification message informs you that the user was successfully added.

Congratulations, you now have a user in your IAM Identity Center directory. You can repeat these steps to add additional users and groups.

Manage access to your AWS account

Your new user exists but does not have access to any resources, services, or applications, so the user can't replace your root user for daily administrative tasks yet. Let’s give your new user access to your AWS account. Since we put the user into a group, we will assign the group to an account and then we will add a permission set that defines what the members of the group can access.

We will still be using the root user credentials for this procedure.

1. Sign in to your AWS account using the root user credentials.

2. Navigate to the IAM Identity Center console. Under Recommended setup steps, choose Manage access to multiple AWS accounts.

3. On the AWS accounts page, under Organizational structure, the organization's Root is displayed with your account underneath it in the hierarchy. Select the check box for your account, then select Assign users or groups.

The Assign users and groups workflow opens. It consists of three steps.

4. For Step 1: Select users and groups, select the Admins group you created previously in this tutorial. Then choose Next.

5. For Step 2: Select permission sets, select Create permission set. A new browser tab opens that steps you through the three sub-steps involved in creating the permission set.

6. On the new tab, for Step 1: Select permission set type, make the following selections:

  • For Permission set type, select Predefined permission set.
  • For Policy for predefined permission set, select AdministratorAccess.
  • Choose Next to continue.

7. For Step 2: Specify permission set details, keep the default settings and choose Next. The default settings create a permission set named AdministratorAccess with the session duration set to one hour. Keep in mind that AdministratorAccess grants full access to every AWS service and resource in the account (only the root-only tasks are excluded); reserve it for the Admins group and create narrower permission sets for day-to-day job functions.

8. For Step 3: Review and create, verify that the permission set uses the AWS managed policy AdministratorAccess. Choose Create.

You are returned to the Permission sets page. A notification appears at the top of the page informing you that the permission set was successfully created. Select X to close the tab.

9. On the Assign users and groups browser tab, for Step 2: Select permission sets, in the Permission sets section, select Refresh. The AdministratorAccess permission set you created appears in the list. Select the check box for that permission set and then choose Next.

10. For Step 3: Review and submit, review the selected users and groups and the permission set, then choose Submit.

The page updates with a message that your AWS account is being configured. Wait until the process completes.

You are returned to the AWS accounts page in IAM Identity Center. A notification message informs you that your AWS account has been reprovisioned and the updated permission set applied.

You can see in the Organizational structure section that your AWS account is the management account under the Root of the AWS organization. In this tutorial, we are using the placeholder AWS account name Test-acct. You will see the name of your AWS account instead.

Congratulations, your user can now sign in to your AWS access portal and access resources in your AWS account. 
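The console workflow above maps onto three IAM Identity Center API calls: create the permission set, attach the AWS managed policy, and assign the group to the account. The following is an added example and not part of the AWS tutorial or the AWS SDK documentation. It assumes boto3 is installed, that the credentials in use belong to the management account, and that `region` is the region in which the Identity Center instance was enabled; the group and permission set names are the tutorial's, and the two `check_*` validators are this example's own guardrails (Identity Center accepts session durations of 1 to 12 hours, and account IDs are always 12 digits). The request builders run offline so the parameters can be reviewed before anything is changed in the account.

```python
import re

# Names used by the tutorial's console workflow.
PERMISSION_SET_NAME = "AdministratorAccess"
ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"
DEFAULT_SESSION = "PT1H"   # the console default: one hour, as an ISO 8601 duration
GROUP_NAME = "Admins"

_DURATION = re.compile(r"^PT(?:(\d+)H)?(?:(\d+)M)?$")


def check_session_duration(iso_duration):
    """Return the duration in minutes, or raise ValueError. Identity Center accepts
    1 to 12 hours; catching a typo here is cheaper than an API error."""
    m = _DURATION.match(iso_duration)
    if not m:
        raise ValueError(f"not an ISO 8601 duration: {iso_duration!r}")
    minutes = int(m.group(1) or 0) * 60 + int(m.group(2) or 0)
    if not 60 <= minutes <= 720:
        raise ValueError(f"session duration must be 1-12 hours, got {iso_duration}")
    return minutes


def valid_session_duration(iso_duration):
    try:
        check_session_duration(iso_duration)
        return True
    except ValueError:
        return False


def check_account_id(account_id):
    if not re.fullmatch(r"\d{12}", str(account_id)):
        raise ValueError(f"AWS account IDs are 12 digits, got {account_id!r}")
    return str(account_id)


def permission_set_request(instance_arn, session=DEFAULT_SESSION):
    """Parameters for sso-admin CreatePermissionSet (console steps 6 and 7)."""
    check_session_duration(session)
    return {"InstanceArn": instance_arn, "Name": PERMISSION_SET_NAME,
            "Description": "Full access for the Admins group (tutorial)",
            "SessionDuration": session}


def managed_policy_request(instance_arn, permission_set_arn, policy_arn=ADMIN_POLICY_ARN):
    """Parameters for AttachManagedPolicyToPermissionSet (the predefined policy)."""
    return {"InstanceArn": instance_arn, "PermissionSetArn": permission_set_arn,
            "ManagedPolicyArn": policy_arn}


def assignment_request(instance_arn, permission_set_arn, account_id, group_id):
    """Parameters for CreateAccountAssignment: group -> account with permission set."""
    return {"InstanceArn": instance_arn, "TargetId": check_account_id(account_id),
            "TargetType": "AWS_ACCOUNT", "PermissionSetArn": permission_set_arn,
            "PrincipalType": "GROUP", "PrincipalId": group_id}


def assign_admins_group(account_id, region, group_name=GROUP_NAME):
    """Execute the three calls against the live Identity Center instance.
    Assumes management-account credentials and the instance's region."""
    import boto3  # imported here so the request builders stay usable offline
    sso = boto3.client("sso-admin", region_name=region)
    store = boto3.client("identitystore", region_name=region)
    inst = sso.list_instances()["Instances"][0]
    group_id = store.get_group_id(
        IdentityStoreId=inst["IdentityStoreId"],
        AlternateIdentifier={"UniqueAttribute": {"AttributePath": "displayName",
                                                 "AttributeValue": group_name}})["GroupId"]
    ps_arn = sso.create_permission_set(
        **permission_set_request(inst["InstanceArn"]))["PermissionSet"]["PermissionSetArn"]
    sso.attach_managed_policy_to_permission_set(
        **managed_policy_request(inst["InstanceArn"], ps_arn))
    status = sso.create_account_assignment(
        **assignment_request(inst["InstanceArn"], ps_arn, account_id, group_id))
    return status["AccountAssignmentCreationStatus"]
```

CreateAccountAssignment provisions the permission set into the target account for you, which is the "reprovisioned" notification the console shows; its return value is a creation status you can poll with DescribeAccountAssignmentCreationStatus. The same builders serve for a narrower permission set: pass a different managed policy ARN to managed_policy_request and a shorter session where the work allows it.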

Sign in to the AWS access portal with your administrative credentials

Now you are ready to sign in using your new administrative user. If you had tried to sign in earlier, you would only have been able to set your password and set up multi-factor authentication (MFA) for your user, because no other permissions had been granted to the user. Now the user has full permissions to your AWS resources, but still needs to configure a password and set up MFA, so let's walk through those procedures.

A new user email was sent to the email address you specified when you created the user. The email contains three important items:

  1. A link to accept the invitation to join
  2. The URL of your AWS access portal
  3. Your username that you will use to sign in

Open the email and record the URL of the AWS access portal and the username for future use. Then select the Accept invitation link. 

Tip: If you don't see the Invitation to join IAM Identity Center email in your inbox folder, check your spam, junk, and deleted items (or trash) folders. All emails sent by the IAM Identity Center service will come from either the address no-reply@signin.aws or no-reply@login.awsapps.com. If you can’t find the email, sign in as the root user and reset the Identity Center user’s password. For instructions, see Reset an IAM Identity Center user password. If you still don’t receive the email, reset the password again and choose the option to Generate a one-time password that you can share with the user instead.

The link opens a browser window and displays the New user sign up page.

In the New user sign up page, specify a new password.

Passwords must be:

  • 8 to 64 characters long
  • Made up of characters from all four of these categories: uppercase letters, lowercase letters, numbers, and non-alphanumeric characters

After confirming the password, select Set new password.

A short delay occurs while the user is provisioned, and then the AWS access portal opens.

Along the top bar, next to the User name, select MFA devices to set up MFA.

The Multi-factor authentication (MFA) devices page opens. Choose Register device.

On the Register MFA device page, select the MFA device to use with the account. Options not supported by your browser or platform are dimmed and can’t be selected.

We will walk through the screens for the Authenticator app option. This is similar to the process you followed when you set up the MFA device for your root user in the first part of the tutorial. The difference is that this MFA device is being registered with IAM Identity Center instead of IAM. If you select a different MFA device, follow the instructions for the device you selected. 

Select the Show QR code link to show a unique QR code for your AWS organization. If you can't scan the QR code, choose the Show secret key link to display a text key that you can enter into the Authenticator app to identify your organization. Either scan the QR code with your authenticator app or enter the code in your authenticator app to link your authenticator device to your organization. 

Once your authenticator has established the link to your organization, it will start generating one-time codes, each valid for a short time. In Authenticator code, type the code you see in the app, then choose Assign MFA.

Note: When registering an MFA device with IAM Identity Center, only one authenticator code is required for registration.

Your device is successfully registered. Select Done.
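Both enrollments in this tutorial, the two-code step for the root user in IAM and the single-code step here in IAM Identity Center, rely on the same mechanism: the QR code or secret key is a shared secret, and the authenticator app derives a time-based one-time password (TOTP, RFC 6238) from it for each 30-second window. The following is an added example, not code from the AWS tutorial or from AWS: a stdlib-only TOTP generator plus two checks that model the two enrollment forms. The secret is the RFC 6238 test vector so the results are reproducible; the server-side checks are constructed models (AWS does not publish its verification logic), and the one-window clock-drift allowance is this example's assumption.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 test secret, base32-encoded the way the console's "Show secret key"
# displays it. Used only so results are reproducible; never reuse a known secret.
RFC6238_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def totp(secret_b32, at=None, step=30, digits=6):
    """RFC 6238 code for the 30-second window containing `at` (seconds since the
    epoch; default: now). HMAC-SHA1 and six digits are what the supported
    authenticator apps use with AWS."""
    s = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(s + "=" * (-len(s) % 8))   # restore base32 padding
    counter = int(time.time() if at is None else at) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                             # dynamic truncation
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def enrollment_check(secret_b32, code1, code2, now=None, step=30, drift=1):
    """Model of the root-user form (MFA code 1 / MFA code 2): accept only if the
    two codes come from adjacent windows of this secret, tolerating `drift`
    windows of clock skew between phone and server. Two consecutive codes prove
    the app is running the secret live rather than replaying a single value."""
    now = int(time.time() if now is None else now)
    base = now // step
    for k in range(-drift, drift + 1):
        first = totp(secret_b32, (base + k) * step, step)
        second = totp(secret_b32, (base + k + 1) * step, step)
        if hmac.compare_digest(first, code1) and hmac.compare_digest(second, code2):
            return True
    return False


def verify_code(secret_b32, code, now=None, step=30, drift=1):
    """Model of the single-code check used for the Identity Center user: the code
    must match the current window or one within `drift` windows either side."""
    now = int(time.time() if now is None else now)
    base = now // step
    return any(hmac.compare_digest(totp(secret_b32, (base + k) * step, step), code)
               for k in range(-drift, drift + 1))


if __name__ == "__main__":
    print("current code for the RFC 6238 test secret:", totp(RFC6238_SECRET_B32))
```

Two practical consequences follow from the code: the secret key is as sensitive as a password (anyone holding it can generate valid codes indefinitely), and a phone whose clock is off by more than the server's drift allowance will produce codes that are rejected, which is the usual cause of a "code invalid" error during enrollment.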

From the MFA devices page you can register another device, or rename or delete your existing MFA device.

Select AWS access portal in the navigation bar to return to the main portal and access an AWS account.

From the access portal select the AWS account to manage. You are shown the permissions configured for your account with two connection options.

  • Select Management console to open the AWS Management Console and manage your AWS resources using the service console dashboards.
  • Select Command line or programmatic access to get credentials to access AWS resources programmatically or from the AWS CLI. To learn more about getting these credentials, see Getting IAM Identity Center user credentials for the AWS CLI or AWS SDKs.

For this tutorial, select Management console.

The AWS management console opens. As a user with administrative access you can add services, add additional users, and configure policies and permissions. You no longer need to use your root user to accomplish these tasks. 

Conclusion

Congratulations! You have now completed the sign-in process, created an administrative user in IAM Identity Center, added enhanced security for both your root user and your administrative user, and are ready to start working with AWS services and applications. Remember, when you sign in using your Identity Center administrative user, you will use the access portal URL you received in your invitation email.

Important: Each AWS Organization has a unique access portal URL. Make sure you keep a record of it with your user sign-in information.
