Module 2: Secure Your AWS Account

In this module, you will learn best practices for securing your AWS account

What you will accomplish

In this module, you will:
  • Learn how to secure the root user account
  • Set up additional AWS Identity and Access Management (IAM) users

Implementation

When setting up a new AWS account, you create a root user account. The root user is a special entity that has full access to the account, and can perform all actions, including changing the payment methods or closing the account. Due to this level of permissions, we recommend the following:

  • Secure the root user with multi-factor authentication
  • Set up additional users to perform daily tasks related to your account

Time to complete

10 minutes

Module requirements

  • An internet browser
  • An AWS account

Secure the root user

Let's start by securing the root user. To do that, we'll use the AWS IAM service. See What is IAM? for more context.

When you're ready to start, log in to your newly created AWS account using the credentials created in the previous module. Once your login is successful, you will be redirected to the AWS Management Console.

In the search bar, enter IAM, and then select IAM. You will be redirected to the IAM dashboard. Under Security recommendations, there will be a prompt to secure the root user with Multi-factor authentication (MFA). Choose Add MFA, then Activate MFA on the next screen.

IAM dashboard within the AWS Management Console, with option for adding MFA for the root user.

Now, you need to choose between the available MFA options:

  • Virtual MFA device
  • Security key
  • Other hardware MFA device

To see an overview of the options, see Multi-Factor Authentication.

If you're not sure which option you should pick, choose Virtual MFA device and install one of the apps available for your mobile phone. Take note of how the authenticator app you chose handles backups, because you might need to set up the app on a different phone at a later date. 

Once you have selected the type of MFA device, choose Continue. The following screen provides the steps required to connect the device to your account. When everything is ready, choose Assign MFA. Your root user is now secure.

Dialog box for choosing MFA device for root user.

Set up additional users

It is a security best practice not to use your root user for day-to-day tasks. We recommend that you create separate users for specific roles and functions.

Again, we'll use the IAM service to create users and assign them permissions. IAM users are not separate accounts; they are users within your account. Each user can have their own password for access to the AWS Management Console. You can also create an individual access key for each user so that they can make programmatic requests to work with resources in your account.

Before setting up a new user, we'll create a user group. 

User groups let you specify permissions for multiple users, which can make it easier to manage the permissions for those users. For example, you could have a user group called Admins and give that user group typical administrator permissions. Any user in that user group automatically has Admins group permissions. If a new user joins your organization and needs administrator privileges, you can assign the appropriate permissions by adding the user to the Admins user group. If a person changes jobs in your organization, instead of editing that user's permissions, you can remove them from the old user groups and add them to the appropriate new user groups.

For this example, we are creating a group of users with administrator access.

In the IAM console, choose User groups in the left-side navigation and then choose Create group. Enter the User group name (in this case, administrators), then scroll down to the Attach permissions policies section. Search for "AdministratorAccess", then select the box next to the policy with the name "AdministratorAccess", scroll down, and choose Create group.

Create user group page within the IAM console.

Now we need to create users to add to our group.

In IAM, select Users in the left-side navigation bar and then choose Add users. Enter a User name and select an AWS access type for that user. Programmatic access creates an access key ID and secret pair for use with the AWS CLI, CDK, and other applications. AWS Management Console access allows the user to log in to the AWS console for this account. 

For the purposes of this tutorial, select both options. Then, choose Next: Permissions.

Add user page within the IAM console.

In the following screen, add the user to the administrators group we just created and choose Next: Tags.

Add user page within the IAM console, with options for setting permissions and adding a user to a group.

Tags are useful to search for resources across services, or to add metadata like department. For our use case, choose Next: Review without adding a tag. 

You can now review the values set for the user you are creating before actually creating it. 

You will notice an additional managed policy, "IAMUserChangePassword", listed beneath the "administrators" group policy we created. IAM attaches it to any user for whom the option to require a password change at next sign-in was selected, because the other policies a user has may not include the permission to change their own password.

Page within IAM console for reviewing user details, permissions summary, and tags.

Choose Create user to create the user. You will see the confirmation screen for the user, but do not choose the Close button yet. 

The auto-generated password and the secret access key for API access can only be accessed from this screen once. Write down the Access key ID, Secret access key, and Password; we will use them in the next module of this tutorial. You can also choose Download .csv to get a copy of the information. Afterwards, choose Close.

For additional information, see IAM users.

Success notification on add user page within IAM console, followed by user credentials.
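As an added example (not part of the AWS tutorial), the following Python check covers both the "Secure the root user" and "Set up additional users" steps above: it reads an IAM credential report and flags a root user without MFA or with active access keys, and any console-enabled IAM user without MFA. It assumes the CSV layout returned by `aws iam get-credential-report` (which the tutorial does not mention); the sample report embedded below is constructed.

```python
"""Audit an IAM credential report for the controls set up in this module.

Assumptions (not from the tutorial): input is the CSV that
`aws iam get-credential-report` returns after base64 decoding, the root
user appears as `<root_account>`, and flag columns hold "true", "false"
or "not_supported". The sample below is constructed and trimmed to the
columns this check reads; account ID 123456789012 is a placeholder.
"""
import csv
import io

ROOT_USER = "<root_account>"

# Constructed sample: root has MFA and no keys; "alice" has a console
# password but no MFA; "deploy" is API-only; "bob" has console access + MFA.
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::123456789012:root,not_supported,true,false,false
alice,arn:aws:iam::123456789012:user/alice,true,false,true,false
deploy,arn:aws:iam::123456789012:user/deploy,false,false,true,false
bob,arn:aws:iam::123456789012:user/bob,true,true,true,false
"""


def audit_credential_report(report_csv: str) -> list:
    """Return one finding per violated control; an empty list means clean."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        mfa = row["mfa_active"] == "true"
        console = row["password_enabled"] == "true"
        keys = (row["access_key_1_active"] == "true"
                or row["access_key_2_active"] == "true")
        if user == ROOT_USER:
            # Controls from "Secure the root user": MFA on, and no access
            # keys, since daily and programmatic work belongs to IAM users.
            if not mfa:
                findings.append("root: MFA not enabled")
            if keys:
                findings.append("root: active access keys")
        elif console and not mfa:
            # Console users created in "Set up additional users" should
            # get MFA too; API-only users are out of scope for this check.
            findings.append(f"{user}: console access without MFA")
    return findings


if __name__ == "__main__":
    for finding in audit_credential_report(SAMPLE_REPORT) or ["no findings"]:
        print(finding)
```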

Set account alias and enable regions

While still in IAM, we'll complete a few more steps to make your account easier to manage.

First, let's set an alias for your account, which should be easier to remember than the 12-digit account ID. 

To set it, select Dashboard in the left navigation bar, then choose Create under the AWS Account section in the right panel. You can now set an alias for your account. This alias needs to be globally unique across all AWS accounts, so your first choice may not be available.

Dashboard within IAM console, with an option to create an alias for the AWS account.

Once you set the alias, choose Save changes. Then, copy the URL generated for later use in this tutorial. It will have the format https://<your-text>.signin.aws.amazon.com/console.

Dialog box within IAM console for creating and saving alias for AWS account.

The last step that needs to be completed is to enable any Regions that you may need to use. This only applies to Regions launched after March 20, 2019. Currently, this includes:

  • Africa (Cape Town)
  • Asia Pacific (Hong Kong)
  • Asia Pacific (Jakarta)
  • Europe (Milan)
  • Middle East (Bahrain)
 
Follow the instructions here if you need to enable any of these Regions.

Conclusion

Congratulations! You have learned how to secure your account. Please remember to log out and log back in with the new user credentials that you created above.
