Setting up your AWS Environment
GETTING STARTED GUIDE
Module 2: Securing Your AWS Account
In this module, you will learn best practices for securing your AWS account.
When setting up a new AWS account, you need to secure the root user and create additional AWS IAM users to log into the account. The root user is a special identity with full access to the account: it can perform every action, including changing the payment methods or closing the account. For this reason, it is recommended to secure it with multi-factor authentication (MFA) and to create additional IAM users for logging in. This module covers securing the root user and setting up IAM users.
What You Will Learn
- How to secure the root user account
- Setting up additional IAM users
Securing the Root User
Once logged into the newly created AWS account, type IAM in the search box at the top center of the page, then click on IAM. There will be a prompt under "Security alerts" to secure the root user with Multi-factor authentication (MFA). Click on Enable MFA, then on Activate MFA on the next screen.
You will now need to choose between the available MFA options. To see an overview of the options, please read the Multi-factor Authentication guide. If unsure which option to pick, choose Virtual MFA device and install one of the apps available for your mobile phone. Please take note of how the authenticator app you chose handles backups and restores, as you may need to set the app up on a different phone in the future. Your root user login is now secured.
Setting up additional users and roles
It is a security best practice not to use your root account for day-to-day work, but instead to create separate users for specific roles and functions. To set one up, you will first create an IAM User group - a group carries a set of permissions that applies to every user that is a member of it. Click on User groups in the left side navigation, then on Create group. Enter the group name, e.g. "administrators", then scroll down to Attach permissions policies. Search for "AdministratorAccess", check the box next to the policy named "AdministratorAccess", then scroll down and click on Create Group.
Next, we will create an IAM user by clicking on Users in the left side navigation bar, then clicking on Add user. After entering a username, you need to select the AWS access type. Programmatic access creates an access key ID and secret access key pair for use with the AWS CLI, CDK and other applications; AWS Management Console access allows the user to log into the AWS Console for this account. For this guide, select both of these options.
Click on Next to add the user to the group we created, select it from the list, then click on Next:Tags.
Tags are useful for searching for resources across services, or for adding metadata such as a department. For our use case, click on Next: Review without adding a tag. You can now review the values set for the user before actually creating it. You will notice an additional managed policy called "IAMUserChangePassword" listed beneath the "administrators" group we created - this is attached to any user for whom the option to force a password change was selected, because not all IAM policies include the permissions needed for a user to change their own password.
Click on Create user to create the user. You will now see the confirmation screen for the user, but DO NOT click the Close button yet. The auto-generated password and the secret access key for API access can only be viewed on this screen, and only once. Write down the Access key ID, Secret access key and Password - we will use them in the next module of this guide. Afterwards, click on Close.
Before we log out and start using our new IAM user, we have two more steps to complete. The first is to set an alias for our account, which is easier to remember than the 12-digit account ID. To set it, click on Dashboard in the left navigation bar, then click on Create under the "AWS Account" section in the right panel. You can now set an alias for your account - this needs to be globally unique across all AWS accounts, so your first choice may not be available.
Click on Save to set the value, and then copy the URL generated for later use in this guide. It will have the format of https://<your-text>.signin.aws.amazon.com/console.
The last step is to enable any regions you may need to use. This only applies to regions launched after 20 March 2019, which currently are:
- Africa (Cape Town)
- Asia Pacific (Hong Kong)
- Europe (Milan)
- Middle East (Bahrain)