Chapter 2 : Security Best Practices for an AWS Root User

Ankit Rao
Aug 10, 2020


In the first blog of this series, I tried to shed some light on the basic security best practices that should be followed when configuring an AWS account's password policy.

In this new chapter, I'll provide some insights on the best practices that can be followed regarding the root user of an AWS account.

What is a root user?

When you first create an Amazon Web Services (AWS) account, you begin with a single sign-in identity that has complete access to all AWS services and resources in the account. In other words, the identity used to create the account is the root user. You can sign in as the root user using the email address and password that you used to create the account.

The root account is the most privileged AWS account; it has unrestricted access to all resources in the AWS account.

Security best practices for a root user:

a) Avoid using the root account!

Surprising, right? Two questions instantly come up: WHY and HOW?

WHY avoid using the root account?

As mentioned earlier, the root account is the most privileged account, with access to everything. Compromise of the root account therefore potentially means a transfer of ownership: the attacker has the privilege to change the root password and keep the account.

So, it is recommended to avoid, or at least minimize, the use of the root account.

HOW do you access the AWS Console, then, if not with the root account?

  • One can create IAM users, following the Principle of Least Privilege*, and use them to access the AWS Console.

* The Principle of Least Privilege is the idea that at any given point in time, a user, program, or process should have only the bare minimum privileges necessary to perform its function.

  • It may not be feasible for large organizations to create IAM users for every person in every account, so instead they can make use of an identity provider and allow only federated users to access the AWS Console.

b) Set up root account usage alarms.

Using Amazon CloudWatch alarms to detect AWS root account usage helps you monitor activity performed with the root account. You can identify and act on activity that may indicate unauthorised access or another security breach.
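As an added illustration (not part of the original post), the snippet below shows the CloudWatch Logs metric filter pattern used for root account usage alarms and mirrors its three conditions in Python so they can be checked against constructed CloudTrail records offline; the sample records, IP addresses and user name are made up for the example.

```python
import json

# CloudWatch Logs metric filter pattern for root account usage. The Python
# function below mirrors its three conditions so the logic can be exercised
# against sample records without an AWS account.
ROOT_USAGE_FILTER_PATTERN = (
    '{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS '
    '&& $.eventType != "AwsServiceEvent" }'
)


def is_root_usage(record: dict) -> bool:
    """True when a CloudTrail record is a direct action by the root user.

    Actions an AWS service performs on the account's behalf (invokedBy set,
    or eventType AwsServiceEvent) are excluded so the alarm stays quiet for them.
    """
    identity = record.get("userIdentity", {})
    return (
        identity.get("type") == "Root"
        and "invokedBy" not in identity
        and record.get("eventType") != "AwsServiceEvent"
    )


def find_root_activity(cloudtrail_json: str) -> list:
    """Return (eventTime, eventName, sourceIPAddress, MFAUsed) for root actions."""
    hits = []
    for rec in json.loads(cloudtrail_json)["Records"]:
        if is_root_usage(rec):
            mfa = rec.get("additionalEventData", {}).get("MFAUsed", "Unknown")
            hits.append((rec["eventTime"], rec["eventName"],
                         rec.get("sourceIPAddress"), mfa))
    return hits


# Constructed sample CloudTrail records (not real log data).
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2020-08-10T09:00:00Z", "eventName": "ConsoleLogin",
     "eventType": "AwsConsoleSignIn", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root"}, "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2020-08-10T09:05:00Z", "eventName": "ListBuckets",
     "eventType": "AwsApiCall", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2020-08-10T09:10:00Z", "eventName": "CreateSnapshot",
     "eventType": "AwsApiCall", "sourceIPAddress": "ec2.amazonaws.com",
     "userIdentity": {"type": "Root", "invokedBy": "ec2.amazonaws.com"}},
]})

if __name__ == "__main__":
    for hit in find_root_activity(SAMPLE_TRAIL):
        print("ROOT ACTIVITY:", hit)
```

Only the console sign-in is reported: the IAM user's call and the service-invoked root action are filtered out, and the MFAUsed field shows whether that sign-in was protected by MFA.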

c) Delete your root account access keys.

Access keys are long-term credentials for an IAM user or the AWS account root user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API (directly or using the AWS SDK).

This practice eliminates the risk of a root access key being compromised, and thereby prevents an attacker from gaining unauthorised programmatic (CLI or API) access as root.

Instead, it is recommended to use the Access Keys of an IAM user with the required permissions.

d) Activate MFA on your root account.

Multi-Factor Authentication (MFA) is a security mechanism that verifies a user's identity by requiring multiple credentials. An MFA device adds an extra layer of protection on top of your existing root credentials, so that the root password alone is not enough to sign in without the MFA-generated passcode.

Configuring Security Best Practices for the Root User:

a) Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/

b) On the IAM Dashboard, you can find a red warning symbol with a message saying Delete your root access keys, if the root access keys are in use.

c) Click on Manage Security Credentials, and on the Your Security Credentials page, expand the Access keys tab and delete your root access keys.

Deleting Root Access Keys

d) On the same page, expand the Multi-factor Authentication tab, and click Activate MFA. Now choose the MFA device of your choice and Continue:

Activating Root Account MFA

e) Install any authenticator app from the list provided here, click Show QR Code, scan it in the installed authenticator app, enter 2 consecutive MFA codes generated by the app, and click on Assign MFA.

f) Once done, the next time you log in to the AWS Console using the root account, you'll have to provide the MFA code in addition to the password.

This is how you can configure security best practices for the root user and enhance the security of the AWS account.

Note: I'll provide more insights on IAM users and how to set up alarms in the upcoming blogs. So, stay tuned!

Please feel free to leave your comments and suggestions …
