Module 2: Secure Your AWS Account
In this module, you will learn best practices for securing your AWS account
What you will accomplish
- Learn how to secure the root user account
- Set up additional AWS Identity and Access Management (IAM) users
Implementation
When setting up a new AWS account, you create a root user account. The root user is a special entity that has full access to the account, and can perform all actions, including changing the payment methods or closing the account. Due to this level of permissions, we recommend the following:
- Secure the root user with multi-factor authentication
- Set up additional users to perform daily tasks related to your account
Time to complete
10 minutes
Module requirements
- An internet browser
- An AWS account
Secure the root user
Let's start by securing the root user. To do that, we'll use the AWS IAM service. See What is IAM? for more context.
When you're ready to start, log in to your newly created AWS account using the credentials created in the previous module. Once your login is successful, you will be redirected to the AWS Management Console.
In the search bar, enter IAM, and then select IAM. You will be redirected to the IAM dashboard. Under Security recommendations, there will be a prompt to secure the root user with Multi-factor authentication (MFA). Choose Add MFA, then Activate MFA on the next screen.

Now, you need to choose between the available MFA options:
- Virtual MFA device
- Security key
- Other hardware MFA device
To see an overview of the options, see Multi-Factor Authentication.
If you're not sure which option you should pick, choose Virtual MFA device and install one of the apps available for your mobile phone. Take note of how the authenticator app you chose handles backups, because you might need to set up the app on a different phone at a later date.
Once you have selected the type of MFA device, choose Continue. The following screen provides the steps required to connect the device to your account. When everything is ready, choose Assign MFA. Your root user is now secure.

Set up additional users
It is considered a security best practice to not use your root account for day-to-day use. We recommend that you create separate users for specific roles and functions.
Again, we'll use the IAM service to create users and assign them permissions. IAM users are not separate accounts; they are users within your account. Each user can have their own password for access to the AWS Management Console. You can also create an individual access key for each user so that they can make programmatic requests to work with resources in your account.
Before setting up a new user, we'll create a user group.
User groups let you specify permissions for multiple users, which can make it easier to manage the permissions for those users. For example, you could have a user group called Admins and give that user group typical administrator permissions. Any user in that user group automatically has Admins group permissions. If a new user joins your organization and needs administrator privileges, you can assign the appropriate permissions by adding the user to the Admins user group. If a person changes jobs in your organization, instead of editing that user's permissions, you can remove them from the old user groups and add them to the appropriate new user groups.
For this example, we are creating a group of users with administrator access.
In the IAM console, choose User groups in the left-side navigation and then choose Create group. Enter the User group name (in this case, administrators), then scroll down to the Attach permissions policies section. Search for "AdministratorAccess", then select the box next to the policy with the name "AdministratorAccess", scroll down, and choose Create group.

Now we need to create users to add to our group.
In IAM, select Users in the left-side navigation bar and then choose Add users. Enter a User name and select an AWS access type for that user. Programmatic access creates an access key ID and secret pair for use with the AWS CLI, CDK, and other applications. AWS Management Console access allows the user to log in to the AWS console for this account.
For the purposes of this tutorial, select both options. Then, choose Next: Permissions.

In the following screen, add the user to the administrators group we just created and choose Next: Tags.

Tags are useful to search for resources across services, or to add metadata like department. For our use case, choose Next: Review without adding a tag.
You can now review the values set for the user you are creating before actually creating it.
You will notice that an additional managed policy called "IAMUserChangePassword" is attached beneath the "administrators" group policy we created. IAM attaches it to any user for whom the option to require a password change at next sign-in was selected, because not every IAM policy a user might hold includes the permission to change their own password.

Choose Create user to create the user. You will see the confirmation screen for the user, but do not choose the Close button yet.
The auto-generated password and the secret access key for API access can only be accessed from this screen once. Write down the Access key ID, Secret access key, and Password; we will use them in the next module of this tutorial. You can also choose Download .csv to get a copy of the information. Afterwards, choose Close.
For additional information, see IAM users.
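To verify the outcomes of this module after the fact (root user protected by MFA, no root access keys, console users with MFA), you can audit the IAM credential report. The following is an added example, not part of the AWS tutorial; it parses a constructed sample of the report (columns trimmed to the ones the check reads, account ID is the documentation placeholder 111122223333) rather than calling AWS.

```python
# Added example (not from the AWS tutorial): audit an IAM credential report.
# A real report is produced with
#   aws iam generate-credential-report
#   aws iam get-credential-report --query Content --output text | base64 -d
# and is a CSV with the same column names used below.
import csv
import io

# Constructed sample report; only the columns this check reads are included.
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::111122223333:root,not_supported,false,true,false
alice,arn:aws:iam::111122223333:user/alice,true,false,true,false
bob,arn:aws:iam::111122223333:user/bob,true,true,false,false
"""


def audit_credential_report(report_csv: str) -> list[str]:
    """Return human-readable findings; an empty list means every check passed."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        name = row["user"]
        has_key = (row["access_key_1_active"] == "true"
                   or row["access_key_2_active"] == "true")
        if name == "<root_account>":
            # The root user should carry an MFA device and no access keys,
            # since it is not meant for day-to-day or programmatic use.
            if row["mfa_active"] != "true":
                findings.append("root user has no MFA device")
            if has_key:
                findings.append("root user has an active access key")
            continue
        # IAM users with a console password should also be protected by MFA.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append(f"user {name} can sign in to the console without MFA")
    return findings


if __name__ == "__main__":
    for finding in audit_credential_report(SAMPLE_REPORT):
        print("FINDING:", finding)
```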

Set account alias and enable regions
While still in IAM, we'll complete a few more steps to make your account easier to manage.
First, let's set an alias for your account, which should be easier to remember than the 12-digit account ID.
To set it, select Dashboard in the left navigation bar, then choose Create under the AWS Account section in the right panel. You can now set an alias for your account. This alias needs to be globally unique across all AWS accounts, so your first choice may not be available.

Once you set the alias, choose Save changes. Then, copy the URL generated for later use in this tutorial. It will have the format of https://<your-text>.signin.aws.amazon.com/console.

The last step is to enable any Regions you need that are not enabled by default. This only applies to Regions launched after March 20, 2019. Currently, this includes:
- Africa (Cape Town)
- Asia Pacific (Hong Kong)
- Asia Pacific (Jakarta)
- Europe (Milan)
- Middle East (Bahrain)
Conclusion
Congratulations! You have learned how to secure your account. Please remember to log out and log back in with the new user credentials that you created above.