Cl⛅d Security Lab: Securing Your AWS Free Tier Account With MFA & a Custom Password Policy || AWS for Beginners Series I

~ goody
6 min read · May 14, 2023


INTRODUCTION

As cloud computing continues to gain popularity, Amazon Web Services (AWS) has emerged as a leading platform for organizations and individuals. AWS’s flexible services and scalable infrastructure make it an ideal environment for enterprises to design, deploy, and manage their applications. The AWS Free Tier provides an incredible opportunity for beginners just starting out on their AWS journey to explore the platform’s capabilities at no cost.

While the AWS Free Tier provides an excellent starting point, it’s crucial to prioritize security to safeguard your account and the resources within it. In this article series, we will delve into the essential measures that AWS beginners should take to secure their Free Tier accounts effectively. By following these best practices, you can confidently utilize AWS services while mitigating potential security risks.

Once you create an AWS account, you are given a root account with superuser privileges. It is crucial to protect this account, as it can perform any action within your AWS environment, such as billing and changing permissions.

If you don’t have an AWS account yet, don’t worry: watch this video or read this guide to create one.

To enhance the security of your root account, it’s recommended to enable multi-factor authentication (MFA). MFA is an extra layer of security that requires you to provide two or more forms of authentication before granting access to your account. In addition to your password, MFA requires a one-time code generated by an MFA device, such as a smartphone or hardware token.

Enabling MFA for your root account helps prevent unauthorized access and strengthens the security of your AWS environment. It also provides an additional layer of protection against phishing attacks and password breaches.

You can also watch a video on the AWS Free Tier Overview.

Disclaimer

The AWS Management Console is subject to updates and changes over time. The information provided in this lab write-up is based on the console’s state at the time of writing and may not reflect the current user interface or functionality. Refer to the official AWS documentation for the most up-to-date instructions when using the AWS Management Console.

In a few steps, I’ll demonstrate how to activate MFA and customize your IAM password policy on the AWS Management Console. Let’s dive in 🚀 . . .

📍 Once you are logged in to your AWS console, navigate to the top right and click your account name. Under the menu, select “Security Credentials”.

Account Menu

On the IAM (Identity and Access Management) page, you get a ⚠️ warning message: “MFA not activated for root user”.

📍 At the top right, click on “Assign MFA”. It will direct you to a page to add an MFA device.

MFA ⚠️ message

Here you give the device a name of your choice, e.g. My-MFA, G-Auth, etc.

Select MFA name

📍 Here, you select the MFA device you want to use for authentication. Usually, the easiest to use is the “Authenticator app”, because the code can be read straight from your phone; at the same time, anyone holding your phone can read the MFA code as well. But not to worry; that is exactly why it is MFA (multi-factor authentication): the code alone, without your password, is not enough to sign in.

Select MFA device

Your password + MFA = layered Security.

📍 You can choose any of the MFA device types; they all achieve the same objective. Once done, click Next.

Set up device: your authenticator app

STEP 1: Install a compatible application such as Google Authenticator, Duo Mobile, or the Authy app on your mobile device or computer. In this lab, we used the “Google Authenticator App”.

STEP 2: Open your authenticator app (here, the “Google Authenticator App”), click Show QR Code, and then use the app to scan the code.

Alternatively, you can type in a secret key: click “Show secret key” and add it to the authenticator app manually.

click Show QR code
Scan the QR code & type a secret key
QR codes

STEP 3: Fill in two consecutive codes from your MFA device.

📍 You are expected to fill in two different MFA codes. For example, as shown above, after scanning the QR code with any of the compatible applications, enter the first code you see on your authenticator device as MFA code 1 (123456). Wait for it to expire or refresh, then enter the new code that the authenticator device displays as MFA code 2 (451678).

Once done click on the Add MFA button.
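To see what happens behind the two-code step, here is an added example (not code from the original post) that implements the TOTP scheme of RFC 6238 with Python's standard library. This is the algorithm authenticator apps use to turn the base32 secret key shown by the console into 6-digit codes that change every 30 seconds; asking for two consecutive codes proves that your app holds the right secret and that its clock is in step with the server. The secret used below is the published RFC 6238 test key, not a real AWS key, and `verify_code` with its one-step tolerance window is an assumption about how a verifier would handle small clock skew, not a description of AWS internals.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional, Tuple

# RFC 6238 test secret ("12345678901234567890" in base32) - a published test vector,
# NOT a real AWS secret key. Paste the key from "Show secret key" here to experiment.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

STEP_SECONDS = 30  # authenticator apps rotate the code every 30 seconds


def _decode_secret(secret_b32: str) -> bytes:
    """Decode a base32 secret as displayed by the console (spaces and case ignored)."""
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore base32 padding if it was stripped
    return base64.b32decode(cleaned)


def totp(secret_b32: str, for_time: Optional[int] = None,
         step: int = STEP_SECONDS, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 30-second counter, dynamically truncated."""
    now = int(time.time()) if for_time is None else int(for_time)
    counter = now // step
    digest = hmac.new(_decode_secret(secret_b32), struct.pack(">Q", counter),
                      hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # low nibble picks a 4-byte window
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def consecutive_codes(secret_b32: str, for_time: Optional[int] = None) -> Tuple[str, str]:
    """The pair the console asks for: the current code and the one after it expires."""
    now = int(time.time()) if for_time is None else int(for_time)
    return totp(secret_b32, now), totp(secret_b32, now + STEP_SECONDS)


def verify_code(secret_b32: str, code: str, for_time: Optional[int] = None,
                window: int = 1) -> bool:
    """Accept the current code or one within +/- `window` steps (assumed skew tolerance)."""
    now = int(time.time()) if for_time is None else int(for_time)
    for k in range(-window, window + 1):
        if hmac.compare_digest(totp(secret_b32, now + k * STEP_SECONDS), code):
            return True
    return False


if __name__ == "__main__":
    first, second = consecutive_codes(DEMO_SECRET_B32)
    print(f"MFA code 1: {first}  (wait for it to refresh)  MFA code 2: {second}")
```

Running the block prints the two codes the console would expect right now for the demo secret; entering your own secret key instead reproduces exactly what Google Authenticator shows on your phone, which is why that key must be treated with the same care as a password.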

Once the MFA device is registered, you get the message “MFA device assigned”.

MFA device assigned

NOTE

You can register up to 8 MFA devices, in any combination of the currently supported MFA types, with your AWS account root user and each IAM user. With multiple MFA devices registered, you only need one of them to sign in to the AWS console or to create a session through the AWS CLI with that user.

Summary

By implementing MFA and following the security best practices for IAM, you can significantly enhance the security of your AWS environment and protect your valuable data and resources. See AWS Security Credentials in the AWS General Reference.

Customizing IAM Password Policy

STEP I: Navigate to the IAM (Identity and Access Management) Dashboard, and in the navigation pane under Access Management, choose “Account Settings”.

You can set a custom password policy on your AWS account to specify complexity requirements and mandatory rotation periods for your IAM users’ passwords. If you don’t set a custom password policy, IAM users must set passwords that meet the default AWS password policy.

STEP II: To customize your password policy, click on “Edit” at the top right.

STEP III: Choose the “Custom” password policy.

STEP IV: Set the password policy settings of your choice and click “Save changes”.

Once the password policy is applied, it is automatically enforced for all IAM users in your AWS account. Users must comply with the policy when creating or changing their password: if a user tries to set a password that violates it, they receive an error message indicating that the policy requirements were not met.

Read the User Guide: Setting an account password policy for IAM users.
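Both settings covered in this lab (root MFA and the custom password policy) can be verified from the AWS CLI rather than by clicking through the console: `aws iam get-account-summary` reports `AccountMFAEnabled`, and `aws iam get-account-password-policy` returns the saved policy. The added example below (not code from the original post) reads constructed samples of those two JSON outputs, flags policy settings weaker than a baseline, and checks a candidate password the way the console's "requirements were not met" error would. The baseline values and the symbol set are assumptions chosen for this demo, not AWS defaults; the sample JSON is constructed, not real account data.

```python
import json
import string
from typing import Dict, List

# Constructed sample of `aws iam get-account-summary` output (not a real account).
ACCOUNT_SUMMARY_JSON = '{"SummaryMap": {"AccountMFAEnabled": 1, "Users": 2}}'

# Constructed sample of `aws iam get-account-password-policy` after saving a custom policy.
CUSTOM_POLICY_JSON = """{"PasswordPolicy": {
  "MinimumPasswordLength": 14, "RequireSymbols": true, "RequireNumbers": true,
  "RequireUppercaseCharacters": true, "RequireLowercaseCharacters": true,
  "AllowUsersToChangePassword": true, "ExpirePasswords": true, "MaxPasswordAge": 90,
  "PasswordReusePrevention": 24, "HardExpiry": false}}"""

# Constructed sample of a weak policy for comparison (rotation and reuse rules absent).
WEAK_POLICY_JSON = """{"PasswordPolicy": {
  "MinimumPasswordLength": 8, "RequireSymbols": false, "RequireNumbers": true,
  "RequireUppercaseCharacters": true, "RequireLowercaseCharacters": true,
  "AllowUsersToChangePassword": true, "ExpirePasswords": false, "HardExpiry": false}}"""

# Assumed audit baseline for this demo (pick the values your organisation requires).
BASELINE: Dict[str, object] = {
    "MinimumPasswordLength": 14, "RequireSymbols": True, "RequireNumbers": True,
    "RequireUppercaseCharacters": True, "RequireLowercaseCharacters": True,
    "PasswordReusePrevention": 24, "MaxPasswordAge": 90,
}

SYMBOLS = set("!@#$%^&*()_+-=[]{}|'")  # symbol set assumed for this demo


def root_mfa_enabled(summary_json: str) -> bool:
    """True when get-account-summary reports an MFA device on the root user."""
    return json.loads(summary_json)["SummaryMap"].get("AccountMFAEnabled", 0) == 1


def audit_policy(policy_json: str, baseline: Dict[str, object] = BASELINE) -> List[str]:
    """Return one finding per policy setting that is weaker than the baseline."""
    policy = json.loads(policy_json)["PasswordPolicy"]
    findings: List[str] = []
    for key, want in baseline.items():
        have = policy.get(key)  # absent keys mean the rule is not enforced
        if isinstance(want, bool):
            weak = have is not True
        elif key == "MaxPasswordAge":
            weak = have is None or have > want   # longer rotation period is weaker
        else:
            weak = have is None or have < want   # shorter length / less reuse history is weaker
        if weak:
            findings.append(f"{key}: have {have}, baseline requires {want}")
    return findings


def password_violations(password: str, policy_json: str) -> List[str]:
    """List the policy requirements a candidate password fails (empty list = accepted)."""
    policy = json.loads(policy_json)["PasswordPolicy"]
    violations: List[str] = []
    if len(password) < policy.get("MinimumPasswordLength", 8):
        violations.append(f"shorter than {policy.get('MinimumPasswordLength', 8)} characters")
    checks = [
        ("RequireUppercaseCharacters", string.ascii_uppercase, "no uppercase letter"),
        ("RequireLowercaseCharacters", string.ascii_lowercase, "no lowercase letter"),
        ("RequireNumbers", string.digits, "no digit"),
        ("RequireSymbols", SYMBOLS, "no symbol"),
    ]
    for key, charset, message in checks:
        if policy.get(key) and not any(c in charset for c in password):
            violations.append(message)
    return violations


if __name__ == "__main__":
    print("Root MFA enabled:", root_mfa_enabled(ACCOUNT_SUMMARY_JSON))
    for name, pol in (("custom", CUSTOM_POLICY_JSON), ("weak", WEAK_POLICY_JSON)):
        print(f"{name} policy findings:", audit_policy(pol) or "none")
    print("'password' violations:", password_violations("password", CUSTOM_POLICY_JSON))
```

To run this against a real account, replace the constructed strings with the output of the two CLI commands (for example `aws iam get-account-password-policy > policy.json`); no policy value or password is sent anywhere by the script, it only parses what the CLI already returned.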

Security Tips

It is worth noting as a beginner that it is never too early to prioritize security. Ensure that you regularly review and update your security measures to stay ahead of potential threats and keep your account and data secure.

Thanks for reading 😃 || Happy learning !!✌️

Let’s connect on Linkedin || Twitter


~ goody

Cloud☁️ Security || C☁️d Threat🐝 Detection 🕵️‍♂️ ||