Once you have created a new account with Amazon Web Services, it's vital that you secure it properly. The most important steps are setting up Security Challenge Questions, configuring Multi-Factor Authentication (MFA) for the root user, and then creating one or more IAM users to sign in with (so that you no longer need to sign in as the root user).
To start with, sign in to the AWS Management Console:
- Go to https://aws.amazon.com/
- From the "My Account" menu at the top, click the "AWS Management Console" link
Note - if you instead find yourself on a sign-in page that has fields for "Account", "User Name", and "Password", it means AWS has remembered that you recently signed in as an IAM user for another AWS account. Since you don't want to do that now, click on the link (in very small print below the form) that says "Sign-in using root account credentials"
- In the "E-mail or mobile number" field enter the email address you used for this account
- Select the "I am a returning user and my password is:" option, and in the field below enter the password you designated for this account
- Click the "Sign in using our secure server" button
Security Challenge Questions
The "Security Challenge Questions" are used if you ever need to contact Amazon customer service for help; they will use these to help identify you as the owner of your AWS account. Note that honest answers to many of the canned questions (see below) could be figured out by a third party through a little online research, or even social engineering; however, as it turns out, it is actually not required that the answers you provide be in any way realistic or accurate! In fact, it is much better to pick the questions randomly, and simply make up fictional responses (but don't choose any easily guessed cultural references). Just write down the questions and answers and store them in a secure area. Then, if you ever need to contact customer support, just retrieve the piece of paper so you can read the answers back.
Question 1 choices:
- What was your childhood phone number including area code? (e.g., 000-000-0000)
- What was your childhood nickname?
- What was the name of your first pet?
- What was the last name of your favorite school teacher?
- What is the name of your favorite childhood friend?
- Security Challenge Response 1?
Question 2 choices:
- What was the first name of your first manager?
- What was the first live concert you attended?
- What is your favorite hobby?
- What is your best friend's first name?
- Security Challenge Response 2?
Question 3 choices:
- In what city does your nearest sibling live?
- What was the name of the first school you attended?
- What is the name of a college you applied to but didn't attend?
- Security Challenge Response 3?
- In what city were you living at age 16?
- In what city was your mother born? (Enter full name of city only)
- In what city was your father born? (Enter full name of city only)
From the AWS Management Console, find the account menu (under your account name at the top right):
- Click on the "My Account" link
- In the "Configure Security Challenge Questions" section, click the "Edit" link
- For each of the three items, select the "Question" you have chosen, and type in the "Answer" you've crafted for it
- Click the "Update" button
Multi-Factor Authentication (MFA)
MFA provides a second (time-based) factor for signing in. It is absolutely essential to have it enabled for the root account password. (An earlier article explains more.) For now, I'll explain the process with a "virtual" MFA device; in a future article, I'll cover using a "physical" MFA device. From the AWS Management Console, find the account menu (under your account name at the top right):
- Click the "Security Credentials" link
Note - you will be asked to verify that you really want to go to the security credentials page for your AWS account; since you do, click the "Continue to Security Credentials" button; (and don't worry, IAM Users will be addressed a bit later in this article)
- Expand the "Multi-Factor Authentication (MFA)" section
- Click the "Activate MFA" button
- Select the "A virtual MFA device" option
- Click the "Next Step" button
- Read the instructions, and click the "Next Step" button
- See the QR code
- Transfer the key to your virtual MFA device:
- If you have a QR code scanner app, use it to scan the code on the screen; (I used the "Barcode Scanner" Android app; when it scans the QR code, it reads out a URL like "otpauth://totp/root-account-mfa-device@nnnnnnnnnnnn?secret=xxxxx...xxxx", at which point I clicked its "Open Browser" button; that sent it directly to the "Google Authenticator" app "Save key for" dialog, where I clicked the "OK" button to save the entry)
- If you don't have a QR code scanner app, you can click the "Show secret key for manual configuration" link to expand the section under the QR code on the screen, and transcribe the long value directly into your virtual MFA app
- Either way, you should see the new entry, and a 6 digit numeric value with a timer countdown (the numeric value will change every 30 seconds)
- In the "Authentication Code 1" field enter the first number that is displayed
- In the "Authentication Code 2" field enter the second number that is displayed after some time
- Click the "Activate Virtual MFA" button
- See the message "The MFA device was successfully associated."
- Click the "Finish" button
- Click the "Sign Out" link
- From the "My Account" menu at the top, click the "AWS Management Console" link
Note - if you instead find yourself on a sign-in page that has fields for "Account", "User Name", and "Password", it means AWS has remembered that you recently signed in as an IAM user for another AWS account. Since you don't want to do that now, click on the link (in very small print below the form) that says "Sign-in using root account credentials"
- In the "E-mail or mobile number" field enter the email address you used for this account
- Select the "I am a returning user and my password is:" option, and in the field below enter the password you designated for this account
- Click the "Sign in using our secure server" button
- In the "Authentication Code" field, enter the numeric value from your virtual MFA device
- Click the "Sign in using our secure server" button
Be careful not to lose your phone, uninstall the virtual MFA app, or remove the entry for your account, or you will lose the ability to sign in as the root user. To regain access you would need to go through a process with Amazon customer service (see https://aws.amazon.com/forms/aws-mfa-support). They will call or email you, verifying your answers to the "Security Challenge Questions" you entered earlier, and then you will be able to request removal of the MFA requirement.
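To show what the otpauth URL behind the QR code actually carries, and how the 6-digit codes that change every 30 seconds (and the two consecutive "Authentication Code" values AWS asks for) are derived from its secret, here is an added Python illustration; it is not part of the original post or of any AWS software. The URI and secret are constructed for the example (the secret is the RFC 6238 test key, not a real device secret).

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample in the shape the article's scanner printed; the secret is
# the RFC 6238 test key "12345678901234567890" in base32, not a real AWS one.
SAMPLE_URI = ("otpauth://totp/root-account-mfa-device@123456789012"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")


def parse_otpauth(uri):
    """Split an otpauth://totp/<label>?secret=... URI into its parts."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    params = {k: v[0] for k, v in parse_qs(u.query).items()}
    if "secret" not in params:
        raise ValueError("URI carries no secret parameter")
    return {"label": unquote(u.path.lstrip("/")), "secret": params["secret"],
            "digits": int(params.get("digits", 6)),
            "period": int(params.get("period", 30))}


def decode_secret(secret):
    """Base32-decode a secret as typed by hand: spaces, lowercase and the
    '=' padding that apps usually omit are all tolerated."""
    s = secret.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def totp(key, unix_time, digits=6, period=30):
    """RFC 6238 TOTP (HMAC-SHA1): the code a virtual MFA app shows at unix_time."""
    counter = unix_time // period                       # 30-second time step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                             # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def consecutive_codes(uri, unix_time=None):
    """The pair AWS asks for as "Authentication Code 1" and "2": the code for
    the current time step and the one for the next step (30 seconds later)."""
    p = parse_otpauth(uri)
    key = decode_secret(p["secret"])
    t = int(time.time()) if unix_time is None else unix_time
    return (totp(key, t, p["digits"], p["period"]),
            totp(key, t + p["period"], p["digits"], p["period"]))
```

Calling consecutive_codes(SAMPLE_URI) gives the two values the activation form expects right now; anyone holding the secret can do the same, which is why the QR code and the "manual configuration" key deserve the same protection as the password.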
IAM Users
Since you want to sign in as the root user as rarely as possible, you will typically want to create one or more IAM users for your regular work, including account administration. (There's more information in a previous article about why this is so.) As a preliminary step, you should enable the special setting that will allow you to grant access to billing information to selected IAM users:
- From the account menu (under your account name at the top right), click on the "My Account" link
- In the "IAM User Access to Billing Information" section, click the "Edit" link
- Select the "Activate IAM Access" option
- Click the "Update" button
- To return to the AWS Management Console, click the cube icon in the upper left
- From the console, under the "Security & Identity" section, click the "Identity & Access Management" (IAM) link
- Click the "Customize" link
- In the "Account Alias" field enter an account nickname to be used in the URL (note that this alias must be valid text for a URL, and must be unique across all AWS customers)
- Click the "Yes, Create" button
- In the left navigation bar, click the "Users" link
- Click the "Create New Users" button
- Enter a name for your user in the first field
- Deselect the "Generate an access key for each user" option (since you won't be using API access at this time, and API access keys can always be added later)
- Click the "Create" button
- Click on the user name
- Click the "Permissions" tab
- Click the "Attach Policy" button
- Select the "AdministratorAccess" option
- Click the "Attach Policy" button
- Click the "Security Credentials" tab
- In the "Sign-In Credentials" section, click the "Manage Password" button
- Select the "Assign a custom password" option
- In the "Password" and "Confirm Password" fields enter a super strong password for this IAM user; this password should be completely unique and unrelated to the root user password
- Make sure to deselect the "Require user to create a new password at next sign-in" option
- Click "Apply"
- Still in the "Sign-In Credentials" section, click the "Manage MFA Device" button
- Select the "A virtual MFA device" option
- Click the "Next Step" button
- Read the instructions, and click the "Next Step" button
- See the QR code
- Transfer the key to your virtual MFA device:
- If you have a QR code scanner app, use it to scan the code on the screen; (I used the "Barcode Scanner" Android app; when it scans the QR code, it reads out a URL like "otpauth://totp/user@alias?secret=xxxxx...xxxx", at which point I clicked its "Open Browser" button; that sent it directly to the "Google Authenticator" app "Save key for" dialog, where I clicked the "OK" button to save the entry)
- If you don't have a QR code scanner app, you can click the "Show secret key for manual configuration" link to expand the section under the QR code on the screen, and transcribe the long value directly into your virtual MFA app
- Either way, you should see the new entry, and a 6 digit numeric value with a timer countdown (the numeric value will change every 30 seconds)
- In the "Authentication Code 1" field enter the first number that is displayed
- In the "Authentication Code 2" field enter the second number that is displayed after some time
- Click the "Activate Virtual MFA" button
- See the message "The MFA device was successfully associated."
- Click the "Finish" button
- Click the "Sign Out" link
- In the "Account" field verify that the account id or alias is correctly filled in
- In the "User Name" field enter the name of the user you created
- In the "Password" field enter the password you designated for this user
- Click the "Sign In" button
- In the "MFA Code" field, enter the numeric value for the IAM user (not the root user) from your virtual MFA device
- Click the "Submit" button
Since we gave this IAM user the "AdministratorAccess" policy, it has the maximum access that any IAM user can have (which means, of course, that the password and MFA device should be guarded appropriately). From this point on, there are very few activities that would actually require the root user, namely:
- Changing the account name, root user email, or the root user password
- Adding or removing an MFA device for the root user
- API access keys for the root user
- CloudFront key pairs, X.509 certificates, and the canonical user id for S3 ACLs
- Signing up for AWS GovCloud