Module 2: Secure Your AWS Account

1. Sign in to the AWS Management Console.

2. Select Root user and enter the email address you specified when you created your account and then choose Next.

3. You might be prompted to complete a security check. Type the characters from the image in the space provided and then choose Submit. You must complete this check to move to the next step.

Tip: Select the Sound button to hear a set of numbers and letters to type. Select the Refresh button to change the image if you can’t discern the characters in the original image.

4. On the sign-in page, enter your password and choose Sign in.

Congratulations, you have just signed in to the AWS Management Console as your root user. But you don’t want to use your root user for everyday tasks. The root user should only be used for specific account management tasks, two of which we are going to do in the next part of this tutorial. 

• Enable MFA for the root user
• Create an administrative user in IAM Identity Center

For the complete list of tasks that require you to sign in as the root user, see Tasks that require root user credentials.

1. Sign in to your newly created AWS account using the root user credentials.

3. Under Security recommendations, there is a notice to Add MFA for root user.
4. Choose Add MFA. 

The Set up device page opens. This page has three steps to complete.

9. Set up the authenticator app on your mobile device. Several different authenticator apps are supported for both Android and iOS devices. See the Virtual authenticator apps section on the Multi-Factor Authentication (MFA) for IAM page for a list of supported apps and links to their download locations.

10. Open the authenticator app on your mobile device.

11. Select the Show QR code link to show a unique QR code for your account. If you can't scan the QR code, select the Show secret key link to display a text key that you can enter into the Authenticator app to identify your account.

12. Either scan the QR code with your authenticator app or enter the code in your authenticator app to link your authenticator device to your account.

13. After your authenticator has established the link to your account, it will start generating secret codes that are good for a limited number of seconds. In MFA code 1, type the code you see in the app. Wait for that code to change to the next code, then type that code in MFA code 2, then select Add MFA before the second code has expired.

You are returned to the My security credentials (root user) page. A notification message is displayed at the top that states the MFA device is assigned.

Your root user credentials are now more secure. 

14. Sign out of the console. The next time you sign in using the root user credentials, you will provide the credentials from your MFA device as well as your email address and password.

1. Sign in to your AWS account using the root user credentials.

Your identity source is where your users and groups are managed. After you configure your identity source, you can look up users or groups to grant them single sign-on access to AWS accounts, cloud applications, or both.

You can have only one identity source per organization. You can use either:

• Identity Center directory – When you enable IAM Identity Center for the first time, it is automatically configured with an Identity Center directory as your default identity source where you will manage your users and groups.
• Active Directory – Users and groups are managed in either your AWS Managed Microsoft AD directory using AWS Directory Service or your self-managed directory in Active Directory (AD).
• External identity provider – Users and groups are managed in an external identity provider (IdP) such as Okta or Azure Active Directory.

In this tutorial, we are going to be using the Identity Center directory.

1. Navigate to the IAM Identity Center console, and choose Users. Then, select Add user.

• Username – The user name is used to sign in to the AWS access portal and can't be changed later. Choose a name that will be easy to remember. For this tutorial, we will be adding the user John.
• Password – Choose Send an email to this user with password setup instructions (Recommended). This option sends the user an email addressed from Amazon Web Services, with the subject line Invitation to join IAM Identity Center (successor to AWS Single Sign-On). The email will come from either no-reply@signin.aws or no-reply@login.awsapps.com. Add these email addresses to your approved senders list so that they are not treated as junk or spam.

3. In Primary information section, complete the required user details:  

• Email address – Enter an email address for the user where you can receive the email. Then, enter it again to confirm it. Each user must have a unique email address.
  

Tip: During testing, you might be able to use email subaddressing to create valid email addresses for multiple fictitious users. If your email provider supports it, you can create a new email address by appending the plus sign (+) and then numbers or characters to your current email address, such as someone@example.com, someone+1@example.com, and someone+test@example.com. All of those email addresses would result in an email being received at the same email address. 

• First name – Enter the first name for the user.
• Last name – Enter the last name for the user.
• Display name – This is automatically filled in with the first and last name of the user. If you want to change the display name, you can enter something different. The display name is visible in the sign-in portal and users list. 
• Complete the optional information if desired. It isn’t used during this tutorial and can be added later.

4. Select Next.

User groups let you specify permissions for multiple users, which can make it easier to manage the permissions for those users.

1. Select Create group.

2. A new browser tab opens to display the Create group page.

3. Under Group details, in Group name, enter Admins.

4. Select Create group.

Your new user exists but does not have access to any resources, services, or applications, so the user can't replace your root user for daily administrative tasks yet. Let’s give your new user access to your AWS account. Since we put the user into a group, we will assign the group to an account and then we will add a permission set that defines what the members of the group can access.

We will still be using the root user credentials for this procedure.

Sign in to your AWS account using the root user credentials.

On the AWS accounts page under Organizational structure, your root is displayed with the test account underneath it in the hierarchy. Select the check box for your test account, then select Assign users or groups.

The Assign users and groups workflow displays. It consists of the following steps: 

For Step 1: Select users and groups select the Admins group you created previously in this tutorial. Then choose Next.

For Step 2: Select permission sets, select Create permission set to open a new tab that steps you through the three sub-steps involved in creating the permission set.

A new browser tab opens displaying Step 1: Select permission set type. Make the following selections:

1. For Permissions set type, select Predefined permission set
2. For Policy for predefined permission set, select AdministratorAccess
3. Then choose Next to continue.

For Step 2: Specify permission set details, keep the default settings, and choose Next. The default settings create a permission set named AdministratorAccess with session duration set to one hour. 

For Step 3: Review and create, verify that the Permission set type uses the AWS managed policy AdministratorAccess. Choose Create.

You are returned to the Permission sets page. A notification appears at the top of the page informing you that the permission set was successfully created. Select X to close the tab.

On the Assign users and groups browser tab, for Step 2: Select permission sets, in the Permission sets section, select Refresh. The AdministratorAccess permission set you created appears in the list. Select the checkbox for that permission set and then choose Next. 

For Step 3: Review and submit, review the selected users and groups and permission set, then choose Submit.

The page updates with a message that your AWS account is being configured. Wait until the process completes.

You are returned to the AWS accounts page in IAM Identity Center. A notification message informs you that your AWS account has been reprovisioned and the updated permission set applied. 

You can see in the Organization structure section that your AWS account is now the management account under the root of the AWS organization. In this tutorial, we are using a placeholder AWS account name Test-acct. You will see the name of your AWS account instead.  

Congratulations, your user can now sign in to your AWS access portal and access resources in your AWS account. 

Now you are ready to sign in using your new administrative user. If you tried to sign in previously you would have only been able to establish your password and enable up multi-factor authentication (MFA) for your user, because no other permissions had been granted to the user. Now, the user will have full permissions to your AWS resources, but they will still need to configure a password and set up MFA, so let’s walk-through those procedures.

A new user email was sent to the email address you specified when you created the user. The email contains three important items:

1. A link to accept the invitation to join
2. The URL of your AWS access portal
3. Your username that you will use to sign in

Open the email and record the URL of the AWS access portal and the username for future use. Then select the Accept invitation link. 

Tip: If you don't see the Invitation to join IAM Identity Center email in your inbox folder, check your spam, junk, and deleted items (or trash) folders. All emails sent by the IAM Identity Center service will come from either the address no-reply@signin.aws or no-reply@login.awsapps.com. If you can’t find the email, sign in as the root user and reset the Identity Center user’s password. For instructions, see Reset an IAM Identity Center user password. If you still don’t receive the email, reset the password again and choose the option to Generate a one-time password that you can share with the user instead.

The link opens a browser window and displays the New user sign up page.

In the New user sign up page, specify a new password.

Passwords must be:

• 8 – 64 characters long
• Composed of uppercase and lowercase letters, numbers, and non-alphanumeric characters.

After confirming the password, select Set new password.

A short delay occurs while the user is provisioned. 

The AWS console opens.

Along the top bar, next to the User name, select MFA devices to set up MFA.

The Multi-factor authentication (MFA) devices page opens. Choose Register device.

On the Register MFA device page, select the MFA device to use with the account. Options not supported by your browser or platform are dimmed and can’t be selected.

We will walk through the screens for the Authenticator app option. This is similar to the process you followed when you set up the MFA device for your root user in the first part of the tutorial. The difference is that this MFA device is being registered with IAM Identity Center instead of IAM. If you select a different MFA device, follow the instructions for the device you selected. 

Select the Show QR code link to show a unique QR code for your AWS organization. If you can't scan the QR code, choose the Show secret key link to display a text key that you can enter into the Authenticator app to identify your organization. Either scan the QR code with your authenticator app or enter the code in your authenticator app to link your authenticator device to your organization. 

Once your authenticator has established the link to your organization, it will start generating secret codes that are good for a limited number of seconds. In Authenticator code, type the code you see in the app, then choose Assign MFA. 

Note: When registering an MFA device with IAM identity Center, only one authenticator code is required for registration.

Your device is successfully registered, select Done. 

From the access portal select the AWS account to manage. You are shown the permissions configured for your account with two connection options.

• Select Management console to open the AWS Management Console and manage your AWS resources using the service console dashboards.
• Select Command line or programmatic access to get credentials to access AWS resources programmatically or from the AWS CLI. To learn more about getting these credentials, see Getting IAM Identity Center user credentials for the AWS CLI or AWS SDKs. 
  

For this tutorial, select Management console.

The AWS management console opens. As a user with administrative access you can add services, add additional users, and configure policies and permissions. You no longer need to use your root user to accomplish these tasks.