The reason to do that is simple. If you are using the ROOT account for your daily basis routines and if for some reason someone takes your password or your credentials, this guy will be able to do a lot of administrator things also DELETE your account.
Well, I can enumerate a lot of reasons why you should not use your root account, but I prefer to stop talking and go to the solution.
Accessing the IAM — Identify and Access Management
Log into your account and on the main screen you can expand the "All Services" option, where you will find a group for "Security, Identity, & Compliance" -> "IAM", or you can type "IAM" on the field "Find Services"
I'll give you a brief about the IAM screen:
(1) The sign-in URL:
This URL will be used to go directly to the login form of your account (where you will be able to use your customized users).
As you can see, the URL has your account number as default.
You can customize it clicking on "Customize" on the right and set a valid name for URL format. (<- This is important )
After setting your customized alias, you can click on "Yes, Create" and then the system will check if this alias is available and close the screen if everything is ok.
(2) The "Security Status" checklist:
That area is a checklist to help you to have an overview of your account security level.
Our goal today is replacing all the orange warnings by the green checks on all items ;)
(3) The IAM menu:
We will browse through these options during the configuration of our account.
"Delete your root access keys":
As you can see the first item already is green. It’s because the ROOT account doesn’t start with ACCESS_KEY_ID and SECRET_ACCESS_KEY, the AWS credential to use on the command line (aws-cli), SDKs or 3rd part service integrations.
Now, we will go from the bottom to top in the list. It will make more sense.
"Apply an IAM password policy":
You can click on that item (it will expand the table) and you will see a button called “Manage Password Policy”, you can click on it.
Everyone that use services on the internet is used to it. Password policies are rules that you have to follow when creating a password. (Minimum length, uppercase, lowercase, special character, etc.)
Configure in a way that makes sense for you and click on "Apply password policy". From now, any password created by your users will have to comply with these rules.
"Use groups to assign permissions":
It's hard to handle permissions one by one for each user in your corporation, so that's why is so important (an useful) to use groups to manage the permissions.
Of course that in some outstanding situations you have to add permissions for a specific user, but try to avoid that.
You can click on that item (it will expand the table) and you will see a button called “Manage Groups”, you can click on it. (Or you can use the menu on the left, "Groups")
I will create a group for the administrators. Users under this group will have permission to do anything, but with some limitations, because they are not the ROOT user.
Click on the "Create New Group" button;
Set a name for your group and click on "Next Step" (in the bottom right);
Attach the policy to the group.
AWS has a lot of pre-defined policies (AWS Managed Policy) to easy add permission for a role, user or groups. (It deserves an entire article because is a long and very important topic to understand). You can find more content about IAM Policies here!)
The screen starts showing all the policies (AWS Managed Policies and Customized Policies, yes you can create your own policies)
For our case, we will select the first one, "AdministratorAccess" policy and click on the “Next Step” button to continue;
Review your settings and after it, click on the "Create Group" button. You will see the group created on the Groups list.
"Create individual IAM users":
Now is time to create your user for the daily basis use.
OK, I know! This user is so important as the ROOT because it has administrator permissions, but at least if someone hacks your password or even your credentials, you still have the ROOT account to delete this user and recreate a new one. Ah, and this user can’t delete the account :)
You can click on that item (it will expand the table) and you will see a button called “Manage Users”, you can click on it. (Or you can use the menu on the left, “Users”)
Click on "Add user" button;
Set the username (this username is specific to use under your account through the sign-in URL) and choose the access type.
Check this option and the system will generate an ACCESS_KEY_ID and a SECRET_ACCESS_KEY for use with aws-cli, SDKs and 3rd part services as talked before.
"AWS Management Console access" (Web console):
Check this option and the system will ask you if you want to set a password or generate a new one. Also, you can check the checkbox to force the user to set a new password on its first login.
I'll keep the defaults and go to the next step clicking on "Next: Permissions" button;
Now you have three options to define permissions to a user:
- Add user to group
- Copy permissions from existing user
- Attach existing policies directly
For this example, we will add the user to the previously created group and this way the user will gain the permissions configured for that group.
Check the "Administrators" group and click "Next: Tags";
Tags are optional, but according to AWS:
You can use the tags to organize, track, or control access for this user. Learn more
We will do nothing this time. Click on the "Next: Review" to continue.
Review your settings and after it, click on the “Create User” button.
On the confirmation screen, you have access to some important data:
- Sign-in URL
- Your user
- Generated password
You can send it by E-mail or downloading the .csv file. (Or even clicking on “SHOW”, getting the information and sending for the user).
Well done! Now we have an administrator user without being the ROOT user.
As we have configured, in your first log in the system will ask you to change the password. (You can disable it on cases like this (when the user is for yourself), but for users in your corporation is highly recommended use this feature.)
Changing the password:
Everything OK. Logged!
Now you can log out and log in again using the ROOT account to finish the checklist.
IMPORTANT: Pay attention to the log in screen, you probably will have to click on "Sign-in using root account credentials" to do the ROOT login.
Once you back to the IAM using your ROOT account you will see something like that:
"Active MFA on your root account":
In my opinion, that is the most important thing to do and not only on the ROOT account. You can also configure the MFA (Multi-Factor Authentication) for normal users too.
In summary, when you activate the MFA (sometimes you will find it as 2FA — Two-factor Authentication in other systems) after you inform your username and password, you will have to use another device synchronized with your account to inform a second password. (usually dynamically generated)
OK let's go. Click on that item (it will expand the table) and you will see a button called “Manage MFA”, you can click on it.
A pop-up will show up to ensure that you really wanna access a sensitive area =) Click on the "Continue to Security Credentials" button.
Once you click the button, you can expand the table for the "MFA" and click on the "Active MFA" button.
This will open a pop-up with some MFA options (You can check all supported MFA devices here).
For this example, we will use the "Virtual MFA device", which in summary is an app installed on your phone (like Google Authenticator). As I mentioned before, you can check here all supported MFA devices, including the virtuals.
On AWS, after clicking the "Continue" button, you will see three steps to configure the Virtual MFA.
- Install in your phone the Google Authenticator
- Click on the link to show the QR code to configure your app
- After configuring your app scanning the QR code, put the next two passwords generated by the app to synchronize your MFA algorithm. (Check the phone images below)
On your phone:
Click on "+" to add a new account. The app will give you some options to configure it. In my case, I chose "Scan barcode"
Scanning the barcode on the AWS screen;
Amazon Web Services account created. That is the point where you get the next two codes generated by the App and fill the form on the screen to finalize the process.
After filling the field and click on the "Assign MFA" button you will see that message confirming that everything is ok.
The system will not say something about it, but now you have to Log out and Log in again, and now, using your MFA virtual device after put your password.
If you reached this point probably you have 5/5 green checks.
Hope that this article could help you in some way to increase the security of your account and to learn a little bit more about the AWS IAM.
Feel free to leave your comments.
See you next time!