Let’s Secure the AWS Default Root-User
Best practice: AWS best practices include some immediate changes to protect the AWS default root-user.
These protections are located under the IAM (Identity and Access Management) service in AWS, which allows you to manage access to AWS services in your account.
We have to do some quick configuration in our account.
- Set an MFA
- Change the password policy
- Create a group and an administrator user, because best practice advises against working in the console as the root user. Please read the article on How to create new users.
Let’s set the Root-user’s account MFA
AWS security best practice includes setting up MFA (multifactor authentication) on your root account. The root account can cancel your account, change the contact information, and delete resources from your account, so it is important to set up MFA on it and on any other user in your account that has a great deal of administrative access. Click the down arrow next to “Activate MFA on your root account,” click “Manage MFA,” and follow the instructions.
- Click on set MFA for the AWS Default Root-User
- Choose “Virtual MFA device” (your cell phone) and click Continue.
- You will now set up your virtual MFA device:
- Follow the link under Step 1 to set up an application on your phone to use for MFA. Scroll to the middle of the page and choose an application that works with your device. Follow the instructions to install the application on your device.
Note: Google Authenticator is likely the most popular choice at the time of this writing. Usually it’s just a matter of going to the app store on your device, searching for “Google Authenticator,” and choosing to install it.
- Open Google Authenticator and scan the QR code to add your AWS account to the authenticator app.
- Enter the numeric code from the authenticator into the AWS Console. Then wait for a new code to appear in the authenticator. Enter the second code. Then click “Assign MFA.”
Critical: Protect this QR code. Anyone with access to the QR code can add it to their own
Quick TIP: Companies using virtual MFA to protect their root account should print out the QR code, store it in a safe or safety deposit box, and implement a two-person access control policy.
At this point, you have added MFA to your root account. From now on, you’ll need to enter the code from the authenticator application on your phone to log in to your account.
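Once MFA is assigned, it is worth verifying the result outside the console rather than trusting the click-through. The AWS CLI call `aws iam get-account-summary` returns a `SummaryMap` whose `AccountMFAEnabled` and `AccountAccessKeysPresent` entries describe the root user (MFA assigned, and whether root has access keys, which best practice says it should not). The script below is an added example, not part of the original article; the JSON it parses is a constructed sample in the shape of that command's output, and the `live_summary` helper is an assumed wrapper that simply shells out to the CLI.

```python
import json
import subprocess

# Constructed sample in the shape of `aws iam get-account-summary --output json`.
# The key names are the real SummaryMap keys; the values are made up so that
# both checks fail and the script has something to report.
SAMPLE_SUMMARY = json.dumps({
    "SummaryMap": {
        "AccountMFAEnabled": 0,          # 1 when the root user has an MFA device
        "AccountAccessKeysPresent": 1,   # 0 when the root user has no access keys
        "Users": 3,
        "MFADevices": 1,
    }
})


def root_findings(summary_json: str) -> list:
    """Evaluate the root-user checks; an empty list means the root user passes both."""
    summary = json.loads(summary_json)["SummaryMap"]
    findings = []
    if summary.get("AccountMFAEnabled", 0) != 1:
        findings.append("root user has no MFA device assigned")
    if summary.get("AccountAccessKeysPresent", 0) != 0:
        findings.append("root user has access keys; delete them and use an IAM administrator user instead")
    return findings


def root_is_hardened(summary_json: str) -> bool:
    """True only when root has MFA and no access keys."""
    return not root_findings(summary_json)


def live_summary() -> str:
    """Assumed helper: fetch the real summary via the AWS CLI.

    Needs configured credentials allowed to call iam:GetAccountSummary; not used
    by the offline demo below.
    """
    result = subprocess.run(
        ["aws", "iam", "get-account-summary", "--output", "json"],
        check=True, capture_output=True, text=True,
    )
    return result.stdout


if __name__ == "__main__":
    # Offline demo on the constructed sample; swap in live_summary() to check a real account.
    for finding in root_findings(SAMPLE_SUMMARY):
        print("FINDING:", finding)
    print("hardened:", root_is_hardened(SAMPLE_SUMMARY))
```

Because the checks read the account summary rather than the credential report, they work with the minimal `iam:GetAccountSummary` permission and make a cheap scheduled control: alert whenever `root_findings` returns anything.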
Let’s configure the password policy