Four Things to Do as Soon as You Sign up for AWS
I’ve used AWS for close to four years now at work, and recently signed up for a personal AWS account. I was pleasantly surprised by a few defaults they’ve changed over the years, like VPC by default.
However, there were a handful of things that were not set up during sign-up that I think everyone should do:
- Turn on two-factor for your root account. The email and password you just used to sign up are the “root” credentials for the account: they can do anything in it, and no IAM policy can restrict them. You can set up a multi-factor (MFA) device for this login from the Identity and Access Management (IAM) home page, which links to the root user’s security credentials page. Attackers routinely break into AWS accounts to run compute at the owner’s expense (cryptocurrency mining is the classic case), so logins, and especially the root login, should be locked down. While you are on that page, check that the root account has no access keys; if any exist, delete them, since an access key is a root password that never expires.
- Create an individual IAM user instead of using your root account. For the vast majority of use cases you should not sign in to AWS as root: it has unrestricted access to every AWS service, so a leaked root password is a total compromise, whereas an IAM user can be scoped down and disabled. AWS has a great guide for setting up a non-root administrator user, and it takes less than five minutes. Make sure to enable two-factor on this user as well, and keep the root credentials for the few account-level tasks that actually require them.
- Bookmark your account’s custom sign-in URL. The root sign-in form and the IAM user sign-in form are different pages, so the easiest way to avoid signing in as root out of habit is to always use the IAM user URL for your account. It is listed on your IAM home page and looks like https://XXXXXXX.signin.aws.amazon.com/console, where XXXXXXX is either your 12-digit account ID or an account alias you can set from that same page.
- Enable password expiration. From the IAM home page, you can set an account password policy that forces IAM users to change their password after a chosen number of days (the policy governs IAM users only; the root password is not covered by it). I set mine to 180 days. I wish more services encouraged this!
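The four items above can be verified programmatically, which is handy once you have more than one account or want to re-check after a few months. The script below is an added example, not part of the original post: it pulls the root MFA and access-key status from iam:GetAccountSummary, the console-password and MFA state of each IAM user, the account alias, and the password policy, and reports anything that does not match the list. It assumes boto3 is installed and the environment is configured with credentials that have IAM read permissions (iam:Get* and iam:List*). The 180-day threshold is the value used in the post; the root access-key check is an extra not mentioned above. The evaluation functions are pure so they can be exercised on constructed data without touching AWS.

```python
"""Audit the four sign-up hardening steps against a live AWS account.

Added example (not the original post's code). ``collect`` needs boto3 and
network access; the check_* functions are pure and run on plain dicts.
"""
from typing import Dict, List, Optional

MAX_PASSWORD_AGE_DAYS = 180  # the post's choice; longer than this is a finding


def check_root(summary: Dict[str, int]) -> List[str]:
    """Root findings from the SummaryMap of iam:GetAccountSummary."""
    findings = []
    if summary.get("AccountMFAEnabled", 0) != 1:
        findings.append("root account has no MFA device")
    # Extra check beyond the post: root access keys are a password that never expires.
    if summary.get("AccountAccessKeysPresent", 0) != 0:
        findings.append("root account has access keys; delete them")
    return findings


def check_users(users: Dict[str, Dict[str, bool]]) -> List[str]:
    """users maps user name -> {'console': has a password, 'mfa': has an MFA device}."""
    findings = []
    if not users:
        findings.append("no IAM users exist: you are still working as root")
    for name, u in sorted(users.items()):
        if u["console"] and not u["mfa"]:
            findings.append(f"IAM user {name} can sign in to the console without MFA")
    return findings


def check_alias(aliases: List[str]) -> List[str]:
    """Without an alias the sign-in URL is just the raw account ID."""
    return [] if aliases else ["no account alias set; sign-in URL uses the raw account ID"]


def check_password_policy(policy: Optional[Dict]) -> List[str]:
    """policy is the PasswordPolicy dict from iam:GetAccountPasswordPolicy, or None."""
    if policy is None:
        return ["no account password policy set (AWS default applies)"]
    if not policy.get("ExpirePasswords"):
        return ["IAM user passwords never expire"]
    age = policy.get("MaxPasswordAge", 0)
    if age > MAX_PASSWORD_AGE_DAYS:
        return [f"passwords expire after {age} days, longer than {MAX_PASSWORD_AGE_DAYS}"]
    return []


def audit(summary, users, aliases, policy) -> List[str]:
    """Combine all four checks; an empty list means the account matches the post."""
    return (check_root(summary) + check_users(users)
            + check_alias(aliases) + check_password_policy(policy))


def collect():
    """Fetch the live values with boto3 (network; not exercised by offline tests)."""
    import boto3
    from botocore.exceptions import ClientError

    iam = boto3.client("iam")
    summary = iam.get_account_summary()["SummaryMap"]

    users = {}
    for page in iam.get_paginator("list_users").paginate():
        for u in page["Users"]:
            name = u["UserName"]
            try:
                iam.get_login_profile(UserName=name)  # raises if no console password
                console = True
            except ClientError as e:
                if e.response["Error"]["Code"] != "NoSuchEntity":
                    raise
                console = False
            mfa = bool(iam.list_mfa_devices(UserName=name)["MFADevices"])
            users[name] = {"console": console, "mfa": mfa}

    aliases = iam.list_account_aliases()["AccountAliases"]
    try:
        policy = iam.get_account_password_policy()["PasswordPolicy"]
    except ClientError as e:
        if e.response["Error"]["Code"] != "NoSuchEntity":
            raise
        policy = None
    return summary, users, aliases, policy


if __name__ == "__main__":
    findings = audit(*collect())
    for f in findings:
        print("FINDING:", f)
    if not findings:
        print("All four sign-up hardening steps are in place.")
```

Run it as the IAM administrator user you created, not as root; if it prints no findings, the account matches the checklist. Note that the password-policy check only reports on what the policy says, not on whether every user has actually rotated since it was set.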
By the end of this exercise your IAM home page should look like this: