AWS From Scratch 02 - Securing your Account
AWS From Scratch 02 - Securing your Account
Now that you have signed up for AWS and provided your credit card information, you want to make sure that your account is properly setup and that you are using the best security so that your account is less likely to be hacked.
The Root User
When you first create your account you setup a password for the root user, which is the super user for the account.
The root user has full access to everything in the account, including billing. It's best practice to not use the root user for daily tasks.
In a large organization multiple users will be created each with a small portion of the permissions of root. So for example a developer might have certain privileges needed for just the type of development they are doing, while an accountant might only have access to the billing information.
There are very few tasks that require you to login as the root user, for everything else you should create another user.
Securing Root
The first thing we should do is protect the root account with multi factor authentication. This is to makes sure that no one other than the holder of the second factor (phone, fob, google authenticator) can login to your root account.
Never share your root password with anyone. If multiple people need access to your account, you will need to create user accounts for each person that needs access.
Login as Root
First login with the root user email and password you used when you created your account.
Navigate to https://aws.amazon.com/ and click "Sign In".
Enter your password and click "Sign In".Note: the little icon to the right of the password field is my password manager 1Password. You should be using a password manager to keep all your passwords unique and hard to hack.Choosing an MFA Method
AWS supports multiple different methods for multi factor authentication, and I'm sure the list will continue to grow.
For the latest supported MFA methods see this AWS page: https://aws.amazon.com/iam/features/mfa/
I use 1Password as my MFA device even though it is not listed. Most google authenticator type MFA software solutions that require you to scan a QR code should work.
Once you have decided on an MFA method and have your method ready, move on to the next step.
Enable MFA for Root
When you sign in, you will be taken to the "AWS Management Console". The name of your account will be displayed at the upper right hand corner of the console.
Click the name of your account and then from the drop down list click on "Security credentials".
Amazon really wants you to secure your account. On the security credentials page there are three different buttons for setting up MFA!The next screen will be different depending on the type of device you choose.
If you chose "Authenticator app" you will see this screen when you click next.
Follow the instructions for your method of MFA and then click "Add MFA".This should take you back to the "Identify and Access Management (IAM)" console, and you should see your newly create device.
Testing MFA
Now that everything is setup, log out of your AWS account by clicking on your account name in the upper right hand corner and clicking on the "Sign out" button.
Go ahead and click "Sign In" to login again as root. Follow all the same steps we used to sign in as root listed at the top of this post.
You will notice that after you type in your password this time, you will now be prompted for your MFA code. Type in your code and click the "Submit" button to login.
Congratulations, your root user is now protected with MFA, and the likelihood of someone using your account without your knowledge or permission has drastically been reduced.Choose a Region
Everything in AWS either belongs to a region or is a global service. Think of a region as an area that contains one or more data centers that contain multiple servers that supply the services you will be using.
Consider where you are based and what types of services you would like to create, and where you would like to create them. For example, if you want to setup a web application, are most of your customers in the United States on the west coast, or are they in Ireland or Tokyo? If I want to setup a service to manage my pizza delivery service in Australia, I would pick the region in Sydney ap-southeast-1, not the region in Paris.
If you are just using this account for development you want to pick a region that is close to your home so you can get the best most responsive services.
To choose a region to work in click on the region name at the top (just to the left of your account name), and pick your desired region.
After you have chosen a region it should show up at the top of the screen next to your account name.
Always check that you are in the correct region before creating new services.Create a User
It's critical that we avoid using the root user unless absolutely necessary. This means that we need to setup additional users, as needed, to perform various tasks.
Enable IAM Identity Center
The AWS IAM Identity Center is an expansion of the base IAM (Identity and Access Management) that allows you to create and administer users and groups across multiple AWS accounts and cloud applications.
So if you were a large company that had several subsidiaries you might want to have a separate AWS account for each subsidiary. Identity Center allows you to manage allow a person to login to all subsidiaries or some subset with a single login. This login can also be used to control access to other cloud applications such as Salesforce and Microsoft 365.
If a company already has a windows network with Active Directory, it can be used as an identity source when setting up Identity Center so that AWS is aware of and can user all existing users and groups.
In this post we will assume that there is no existing directory (e.g. Active Directory) and we will just enable Identity Center.
First make sure you are in the correct region!
Make sure you are logged in as the root user, then type "IAM Identity Center" into the search bar at the top of the management console.
Click on the IAM Identity Center service.
There are a lot of great resources on this page, take a moment to explore.
Once you are ready, click on the "Enable" button to begin setting up the service.
Create an AWS Organization
After clicking enable, this popup window will appear notifying you that Identity Center requires "AWS Organizations".
AWS Organizations is used to manage multiple AWS accounts. It's useful even a small business or personal use. For example you might create an organization and then create two accounts in that organization, one for development, and one for production.Go ahead and click "Create AWS organization" to set this up.
After a few seconds, the Organization will be created and you will be taken to the "IAM Identity Center" console.
F.Y.I. AWS Organizations is a "Global" service.
Choose your Identity Source
Once your Organization is created you will be taken directly to the "IAM Identity Center" console and the "Dashboard" page should be displayed.
Make sure the region you plan to work in is selected in the upper right corner, and then click "Choose your identity source" to configure how you want AWS to manage your users and groups.If you have a Microsoft Active Directory Server setup already, then this is where you would configure how it communicates with AWS.
For this walkthrough we will leave the default setting of "Identity Center directory" configured, which means all users we create will sign in through the AWS access portal and will be managed inside of AWS.
For this walkthrough we will leave the default setting of "Identity Center directory" configured, which means all users we create will sign in through the AWS access portal and will be managed inside of AWS.
Create an Identity Center User
Now that Identity Center has been setup you'll need to create your first user. This will be the administrative user that you will use to login (instead of logging in as root).
From the "IAM Identity Center" console, choose "Users", then click on the "Add user" button.
Create a user for yourself by filling in the user detailsOnce you have completed the "Primary information", take a look at the optional details to see if there is anything you would also like to add to this user's information (e.g. phone number, job, address, timezone), then click "Next" (at the bottom right of the screen). This will take you to the groups page
We haven't created any user groups yet, so just click "Next".Review your choices and then if everything looks good, click "Add user".
Login with Identity Center User
Logout of the AWS Management Console (IAM Identity Center) by clicking on your account name and choosing "Sign out".
This will sign you out of the AWS root user account.
Check you email for an invitation to login with your newly created account. The email should look something like this:
Go ahead and click on "Accept invitation". This will take you to the "New user sign up" page.Create a long password (20 characters +) then click "Set new password"
Type in your newly created password and then click "Sign In"Although you have a user account and a password, no permissions have been assigned to you yet, so you are unable to do anything in the management console yet.A screen will appear for a few moments confirming that your new password was created, then you will be taken to the "Sign in" form.
Type in your Username and click "Next".Click on the "Sign out" link at the top right of the management console to logout.
Create a Permission Set
Permission sets are how IAM Identity Center groups permissions together so that they can easily be assigned.
Login as root and go to the "IAM Identity Center" console.
Choose "Permission sets" from the menu on the left.
On the permissions sets screen click the "Create permission set" buttonClick on "Next", this will create a predefined permission set for AdministratorAccess.
Accept the default permission set details by clicking "Next".
Click "Create" to create the permission set.
Assign the Permissions Set to Your User
You should still be logged in as the root user and you should be in the "IAM Identity Center" console. If not, login again and navigate here.
Choose "AWS accounts" from the menu on the left.
Take a close look at "Organizational structure".Here you can see that a folder with the word "Root" represents the organization you created. As you may recall, an organization can contain more than one account, but in our case we only created a single account.
Click on the checkbox to the left of your account name, and then click the "Assign users or groups" button.
Make sure the "Users" tab is selected, then click the checkbox next to the username for the user we just created, and then click "Next".Click the checkbox to the left of the "AdministratorAccess" permission set to assign this set of permissions to the user we selected in the previous step, then click "Next".In the review screen, you can see that we have selected a single user and assigned that user the "AdminstratorAccess" permission set. Click Submit.
For a few seconds a notice on your screen will appear letting you know that AWS is applying the changes you requested. You will then be taken back to the accounts screen, where you can see that your changes have been applied.
Enable MFA for Identity Center Users
You need to protect your Identity Center users with MFA just like you did with your root user.
If you aren't already logged in as root and in the "IAM Identity Center" console, login and navigate there.
Choose settings from menu on the left.On the settings screen make sure to select the "Authentication" tab, then click on the "Configure" button in the "Multi-factor authentication section.Click "Save changes" to accept the defaults.You should see a green confirmation at the top of the settings screen showing that your MFA settings have been applied.
From now on all users you create will be required to use MFA.
Login with you User
Now your non-root user account should have administrative privileges, here is how to login.
First, while still logged in as root, navigate to the "Dashboard" in the "IAM Identity Center" console.
Click on the copy icon below "AWS access portal URL", create a bookmark in your browser for this URL, its how you will login to AWS most of the time. Click on the link. Enter you username and password to login.Click on the "Management console" link to the right of the "AdministratorAccess" permission set.
This should take you to the management console. Notice in the upper right corner, you will see your permission_set/username. User MFA Setup
This user still has not yet setup an MFA device.
Use the bookmark that you saved to navigate to the AWS access portal.
Click the "Register device" device button to begin registration.
Register one or more MFA devices as desired (e.g. touch id, and authenticator app).Once you have completed registration, test your authenticator by trying to login again.
This time you should be prompted to supply an MFA code to sign in.
Comments
Post a Comment