AWS From Scratch 02 - Securing your Account

Now that you have signed up for AWS and provided your credit card information, you want to make sure that your account is properly set up and that you are following security best practices, so that your account is less likely to be hacked.

The Root User

When you first create your account you set up a password for the root user, which is the super user for the account.
The root user has full access to everything in the account, including billing. It's best practice not to use the root user for daily tasks.
In a large organization multiple users will be created, each with a small portion of the permissions of root. For example, a developer might have only the privileges needed for the type of development they are doing, while an accountant might only have access to the billing information.
There are very few tasks that require you to log in as the root user; for everything else you should create another user.

Securing Root

The first thing we should do is protect the root account with multi-factor authentication (MFA). This makes sure that no one other than the holder of the second factor (phone, fob, Google Authenticator) can log in to your root account, even if they learn the password.
Never share your root password with anyone. If multiple people need access to your account, create a separate user account for each person who needs access.

Login as Root

First log in with the root user email and password you used when you created your account.
Navigate to https://aws.amazon.com/ and click "Sign In".
Make sure "Root user" is selected, then enter your email address and click "Next".
Enter your password and click "Sign In".
Note: the little icon to the right of the password field is my password manager, 1Password. You should be using a password manager to keep all your passwords unique and strong.

Choosing an MFA Method

AWS supports several different methods for multi-factor authentication, and I'm sure the list will continue to grow.
For the latest supported MFA methods see this AWS page: https://aws.amazon.com/iam/features/mfa/
I use 1Password as my MFA device even though it is not listed. Most Google Authenticator-style MFA apps that have you scan a QR code should work.
Once you have decided on an MFA method and have it ready, move on to the next step.

Enable MFA for Root

When you sign in, you will be taken to the "AWS Management Console". The name of your account will be displayed at the upper right-hand corner of the console.
Click the name of your account and then, from the drop-down list, click on "Security credentials".
Amazon really wants you to secure your account. On the security credentials page there are three different buttons for setting up MFA!
Click on any one of these buttons; they will all take you to the same place.
Choose the method you plan to use, give it a name, and then click "Next".
The next screen will be different depending on the type of device you chose.
If you chose "Authenticator app" you will see this screen when you click "Next".
Follow the instructions for your method of MFA and then click "Add MFA".
This should take you back to the "Identity and Access Management (IAM)" console, and you should see your newly created device.

Testing MFA

Now that everything is set up, log out of your AWS account by clicking on your account name in the upper right-hand corner and clicking on the "Sign out" button.
Go ahead and click "Sign In" to log in again as root. Follow the same steps we used to sign in as root listed at the top of this post.
You will notice that after you type in your password this time, you will be prompted for your MFA code. Type in your code and click the "Submit" button to log in.
Congratulations, your root user is now protected with MFA, and the likelihood of someone using your account without your knowledge or permission has been drastically reduced.
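
Signing in again proves MFA works once; the IAM credential report lets you confirm, repeatably, that the root user has MFA enabled and no access keys, and that no IAM user has a console password without MFA. The Python below is an added example, not code from the original post or from AWS. SAMPLE_REPORT is a constructed report trimmed to the columns the check reads (the real report has more columns), the account ID 111122223333 is a placeholder, and fetch_live_report assumes boto3 and AWS credentials are available, so it is only called when the file is run as a script.

```python
import csv
import io
import time

# Constructed sample in the layout of the decoded IAM credential report, trimmed to
# the columns this audit reads. The root user always appears as <root_account>;
# its password_enabled column reads not_supported. Account ID is a placeholder.
SAMPLE_REPORT = """user,arn,password_enabled,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::111122223333:root,not_supported,false,true,false
alice,arn:aws:iam::111122223333:user/alice,true,false,false,false
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,false,false,true,false
"""


def audit_credential_report(report_csv: str) -> list:
    """Return human-readable findings for the two root checks from this post
    (MFA on, no access keys) plus the same MFA expectation for IAM console users."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        mfa_on = row["mfa_active"] == "true"
        has_keys = (row["access_key_1_active"] == "true"
                    or row["access_key_2_active"] == "true")
        if user == "<root_account>":
            if not mfa_on:
                findings.append("root: MFA is not enabled")
            if has_keys:
                findings.append("root: active access keys exist (root should have none)")
        elif row["password_enabled"] == "true" and not mfa_on:
            # Console password without a second factor: same exposure as an
            # unprotected root login, just with fewer permissions.
            findings.append(f"{user}: console password without MFA")
    return findings


def fetch_live_report() -> str:
    """Generate and download the real report. Assumes boto3 and credentials with
    iam:GenerateCredentialReport / iam:GetCredentialReport (an assumption, not
    something the post sets up)."""
    import boto3  # imported here so the audit logic above runs without it
    iam = boto3.client("iam")
    while iam.generate_credential_report()["State"] != "COMPLETE":
        time.sleep(2)
    return iam.get_credential_report()["Content"].decode("utf-8")


if __name__ == "__main__":
    for finding in audit_credential_report(SAMPLE_REPORT):
        print("FINDING:", finding)
```

Run against the constructed sample, the audit reports the two root problems and the user "alice"; the "deploy-bot" row produces nothing because it has no console password. Swap SAMPLE_REPORT for fetch_live_report() to check a real account.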

Choose a Region

Everything in AWS either belongs to a region or is a global service. Think of a region as a geographic area containing one or more data centers, each with many servers that supply the services you will be using.
Consider where you are based, what types of services you would like to create, and where you would like to create them. For example, if you want to set up a web application, are most of your customers on the west coast of the United States, or are they in Ireland or Tokyo? If I want to set up a service to manage my pizza delivery business in Australia, I would pick the region in Sydney, ap-southeast-1, not the region in Paris.
If you are just using this account for development, pick a region that is close to your home so you get the most responsive service.
To choose a region to work in, click on the region name at the top (just to the left of your account name), and pick your desired region.

After you have chosen a region it should show up at the top of the screen next to your account name.
Always check that you are in the correct region before creating new services.

Create a User 

It's critical that we avoid using the root user unless absolutely necessary. This means that we need to set up additional users, as needed, to perform the various day-to-day tasks.

Enable IAM Identity Center

AWS IAM Identity Center is an expansion of the base IAM (Identity and Access Management) service that allows you to create and administer users and groups across multiple AWS accounts and cloud applications.
So if you were a large company with several subsidiaries, you might want a separate AWS account for each subsidiary. Identity Center allows a person to log in to all subsidiaries, or some subset of them, with a single login. This login can also be used to control access to other cloud applications such as Salesforce and Microsoft 365.
If a company already has a Windows network with Active Directory, it can be used as an identity source when setting up Identity Center, so that AWS is aware of and can use all existing users and groups.
In this post we will assume that there is no existing directory (e.g. Active Directory) and we will just enable Identity Center.

First make sure you are in the correct region!

Make sure you are logged in as the root user, then type "IAM Identity Center" into the search bar at the top of the management console.
Click on the IAM Identity Center service.
There are a lot of great resources on this page, take a moment to explore.
Once you are ready, click on the "Enable" button to begin setting up the service.

Create an AWS Organization

After clicking "Enable", a popup window will appear notifying you that Identity Center requires "AWS Organizations".
AWS Organizations is used to manage multiple AWS accounts. It's useful even for a small business or for personal use. For example, you might create an organization and then create two accounts in that organization, one for development and one for production.
Go ahead and click "Create AWS organization" to set this up.
After a few seconds, the Organization will be created and you will be taken to the "IAM Identity Center" console.
F.Y.I. AWS Organizations is a "Global" service.

Choose your Identity Source

Once your Organization is created you will be taken directly to the "IAM Identity Center" console and the "Dashboard" page should be displayed.
Make sure the region you plan to work in is selected in the upper right corner, and then click "Choose your identity source" to configure how you want AWS to manage your users and groups.
If you have a Microsoft Active Directory Server setup already, then this is where you would configure how it communicates with AWS.
For this walkthrough we will leave the default setting of "Identity Center directory" configured, which means all users we create will sign in through the AWS access portal and will be managed inside of AWS.

Create an Identity Center User

Now that Identity Center has been set up you'll need to create your first user. This will be the administrative user that you will use to log in (instead of logging in as root).
From the "IAM Identity Center" console, choose "Users", then click on the "Add user" button.
Create a user for yourself by filling in the user details.
Once you have completed the "Primary information", take a look at the optional details to see if there is anything you would also like to add to this user's information (e.g. phone number, job, address, timezone), then click "Next" (at the bottom right of the screen). This will take you to the groups page.
We haven't created any user groups yet, so just click "Next".
Review your choices and then, if everything looks good, click "Add user".

Login with Identity Center User

Log out of the AWS Management Console (IAM Identity Center) by clicking on your account name and choosing "Sign out".
This will sign you out of the AWS root user account.
Check your email for an invitation to log in with your newly created account. The email should look something like this:
Go ahead and click on "Accept invitation". This will take you to the "New user sign up" page.
Create a long password (20+ characters), then click "Set new password".
A screen will appear for a few moments confirming that your new password was created, then you will be taken to the "Sign in" form.
Type in your username and click "Next".
Type in your newly created password and then click "Sign In".
Although you now have a user account and a password, no permissions have been assigned to you yet, so you are unable to do anything in the management console.
Click on the "Sign out" link at the top right of the management console to log out.

Create a Permission Set

Permission sets are how IAM Identity Center groups permissions together so that they can easily be assigned.
Log in as root and go to the "IAM Identity Center" console.
Choose "Permission sets" from the menu on the left.
On the permission sets screen click the "Create permission set" button.
Click "Next"; this accepts the predefined permission set for AdministratorAccess.
Accept the default permission set details by clicking "Next".
Review the permission set details. By default this permission set limits session time to 1 hour. This limits the length of time you can be logged into the management console before you are automatically logged out.
Click "Create" to create the permission set.

Assign the Permissions Set to Your User

You should still be logged in as the root user and be in the "IAM Identity Center" console. If not, log in again and navigate there.
Choose "AWS accounts" from the menu on the left.
Take a close look at "Organizational structure".
Here you can see that a folder with the word "Root" represents the organization you created. As you may recall, an organization can contain more than one account, but in our case we only created a single account.
Click on the checkbox to the left of your account name, and then click the "Assign users or groups" button.
Make sure the "Users" tab is selected, then click the checkbox next to the username for the user we just created, and then click "Next".
Click the checkbox to the left of the "AdministratorAccess" permission set to assign this set of permissions to the user we selected in the previous step, then click "Next".
In the review screen, you can see that we have selected a single user and assigned that user the "AdministratorAccess" permission set. Click "Submit".
For a few seconds a notice will appear on your screen letting you know that AWS is applying the changes you requested. You will then be taken back to the accounts screen, where you can see that your changes have been applied.

Enable MFA for Identity Center Users

You need to protect your Identity Center users with MFA just like you did with your root user.
If you aren't already logged in as root and in the "IAM Identity Center" console, log in and navigate there.
Choose "Settings" from the menu on the left.
On the settings screen make sure to select the "Authentication" tab, then click on the "Configure" button in the "Multi-factor authentication" section.
Click "Save changes" to accept the defaults.
You should see a green confirmation at the top of the settings screen showing that your MFA settings have been applied.
From now on all users you create will be required to use MFA.

Log in with your User

Now that your non-root user account has administrative privileges, here is how to log in.
First, while still logged in as root, navigate to the "Dashboard" in the "IAM Identity Center" console.
Click on the copy icon below "AWS access portal URL" and create a bookmark in your browser for this URL; it's how you will log in to AWS most of the time. Click on the link. Enter your username and password to log in.
Click on "AWS Account (1)" to display the account in your organization that you have access to.
Click on your account name; every permission set that has been assigned to you will be listed. Since you have only created a single permission set, "AdministratorAccess", this is the only item listed.
Click on the "Management console" link to the right of the "AdministratorAccess" permission set.
This should take you to the management console. Notice that in the upper right corner you will see your permission_set/username.

User MFA Setup

This user still has not set up an MFA device.
Use the bookmark that you saved to navigate to the AWS access portal.
Click on "MFA devices" to register a device for this user.
Click the "Register device" button to begin registration.
Register one or more MFA devices as desired (e.g. Touch ID and an authenticator app).
Once you have completed registration, test your authenticator by trying to log in again.
This time you should be prompted to supply an MFA code to sign in.