
Wednesday, March 16, 2016

Your First AWS Account (3/3) - Secure It

(Part 3 of 3 - see previous post if you missed it)

Once you have created a new account with Amazon Web Services, it's vital that you secure it properly.  The most important steps are setting up Security Challenge Questions, configuring Multi-Factor Authentication (MFA) for the root user, and then creating one or more IAM users to sign in with (so that you no longer need to sign in as the root user).

To start with, sign in to the AWS Management Console:
You should be on the "Sign In or Create an AWS Account" page.
Note - if you instead find yourself on a sign-in page that has fields for "Account", "User Name", and "Password", it means AWS has remembered that you recently signed in as an IAM user for another AWS account.  Since you don't want to do that now, click on the link (in very small print below the form) that says "Sign-in using root account credentials"
  • In the "E-mail or mobile number" field enter the email address you used for this account
  • Select the "I am a returning user and my password is:" option, and in the field below enter the password you designated for this account
  • Click the "Sign in using our secure server" button
Now, you should be signed in to the AWS Management Console.

Security Challenge Questions

The "Security Challenge Questions" are used if you ever need to contact Amazon customer service for help; they will use these to help identify you as the owner of your AWS account.

Note that honest answers to many of the canned questions (see below) could be figured out by a third party through a little online research, or even social engineering; however, as it turns out, it is actually not required that the answers you provide be in any way realistic or accurate!  In fact, it is much better to pick the questions randomly, and simply make up fictional responses (but don't choose any easily guessed cultural references).  Just write down the questions and answers and store them in a secure area.  Then, if you ever need to contact customer support, just retrieve the piece of paper so you can read the answers back.
Question 1 choices:
  • What was your childhood phone number including area code? (e.g., 000-000-0000)
  • What was your childhood nickname?
  • What was the name of your first pet?
  • What was the last name of your favorite school teacher?
  • What is the name of your favorite childhood friend?
  • Security Challenge Response 1?
Question 2 choices:
  • What was the first name of your first manager?
  • What was the first live concert you attended?
  • What is your favorite hobby?
  • What is your best friend's first name?
  • Security Challenge Response 2?
  • In what city does your nearest sibling live?
Question 3 choices:
  • What was the name of the first school you attended?
  • What is the name of a college you applied to but didn't attend?
  • Security Challenge Response 3?
  • In what city were you living at age 16?
  • In what city was your mother born? (Enter full name of city only)
  • In what city was your father born? (Enter full name of city only)
From the AWS Management Console, find the account menu (under your account name at the top right):
  • Click on the "My Account" link
You will be taken to the "My Account" page.
  • On the "Configure Security Challenge Questions" sections, click the "Edit" link
  • For each of the three items, select the "Question" you have chosen, and type in the "Answer" you've crafted for it
  • Click the "Update" button

Multi-Factor Authentication (MFA)

MFA provides a second (time-based) factor for signing in.  It is absolutely essential to have it enabled for the root account password.  (An earlier article explains more.)  For now, I'll explain the process with a "virtual" MFA device; in a future article, I'll cover using a "physical" MFA device.

From the AWS Management Console, find the account menu (under your account name at the top right):
  • Click the "Security Credentials" link
Note - you will be asked to verify that you really want to go to the security credentials page for your AWS account; since you do, click the "Continue to Security Credentials" button (and don't worry, IAM users will be addressed a bit later in this article)
  • Expand the "Multi-Factor Authentication (MFA)" section
  • Click the "Activate MFA" button
You will see the "Manage MFA Device" dialog box.
  • Select the "A virtual MFA device" option
  • Click the "Next Step" button
  • Read the instructions, and click the "Next Step" button
  • See the QR code
  • Transfer the key to your virtual MFA device:
    • If you have a QR code scanner app, use it to scan the code on the screen; (I used the "Barcode Scanner" Android app; when it scans the QR code, it reads out a URL like "otpauth://totp/root-account-mfa-device@nnnnnnnnnnnn?secret=xxxxx...xxxx", at which point I clicked its "Open Browser" button; that sent it directly to the "Google Authenticator" app "Save key for" dialog, where I clicked the "OK" button to save the entry)
    • If you don't have a QR code scanner app, you can click the "Show secret key for manual configuration" link to expand the section under the QR code on the screen, and transcribe the long value directly into your virtual MFA app
  • Either way, you should see the new entry, and a 6 digit numeric value with a timer countdown (the numeric value will change every 30 seconds)
  • In the "Authentication Code 1" field enter the first number that is displayed
  • In the "Authentication Code 2" field enter the second number that is displayed after some time
  • Click the "Activate Virtual MFA" button
  • See the message "The MFA device was successfully associated."
  • Click the "Finish" button
It's important to verify that MFA is, indeed, configured properly for the root user.  Find the account menu (under your account name at the top right):
  • Click the "Sign Out" link 
You should be on the main AWS page.
  • From the "My Account" menu at the top, click the "AWS Management Console" link
You should be on the "Sign In or Create an AWS Account" page.
Note - if you instead find yourself on a sign-in page that has fields for "Account", "User Name", and "Password", it means AWS has remembered that you recently signed in as an IAM user for another AWS account.  Since you don't want to do that now, click on the link (in very small print below the form) that says "Sign-in using root account credentials"
  • In the "E-mail or mobile number" field enter the email address you used for this account
  • Select the "I am a returning user and my password is:" option, and in the field below enter the password you designated for this account
  • Click the "Sign in using our secure server" button
Instead of being completely signed in at this point, you will be taken to the "Amazon Web Services Sign In With Authentication Device" page:
  • In the "Authentication Code" field, enter the numeric value from your virtual MFA device
  • Click the "Sign in using our secure server" button
Now, you should be signed in to the AWS Management Console.

Be careful not to lose your phone, uninstall the virtual MFA app, or remove the entry for your account, or you will lose the ability to sign in as the root user.  To regain access you would need to go through a process with Amazon customer service (see https://aws.amazon.com/forms/aws-mfa-support).  They will call or email you, verifying your answers to the "Security Challenge Questions" you entered earlier, and then you will be able to request removal of the MFA requirement.

IAM Users

Since you want to sign in as the root user as rarely as possible, you will typically want to create one or more IAM users for your regular work, including account administration.  (There's more information in a previous article about why this is so.)

As a preliminary step, you should enable the setting that allows you to grant access to billing information to selected IAM users:
  • From the account menu (under your account name at the top right), click on the "My Account" link
  • In the "IAM User Access to Billing Information" section, click the "Edit" link
  • Select the "Activate IAM Access" option
  • Click the "Update" button
Now, we'll navigate to the IAM console:
  • To return to the AWS Management Console, click the cube icon in the upper left
  • From the console, under the "Security & Identity" section, click the "Identity & Access Management" (IAM) link
Pay attention to the "IAM users sign-in link"; you should manually create a browser bookmark for this URL (you won't be able to create a valid bookmark after following that URL, because the browser will have been redirected).  Before creating your bookmark, if you prefer, you can change this to a more "friendly" URL:
  • Click the "Customize" link
  • In the "Account Alias" field enter an account nickname to be used in the URL (note that this alias must be valid text for a URL, and must be unique across all AWS customers)
  • Click the "Yes, Create" button
Now, we'll create your first IAM user:
  • In the left navigation bar, click the "Users" link
You will be on the IAM user list page.
  • Click the "Create New Users" button
  • Enter a name for your user in the first field
  • Deselect the "Generate an access key for each user" option (since you won't be using API access at this time, and API access keys can always be added later)
  • Click the "Create" button
You will now be returned to the IAM user list, and you will see your newly created IAM user there. We need to grant full account administrative access to this user:
  • Click on the user name
This will take you to the details page for this user:
  • Click the "Permissions" tab
  • Click the "Attach Policy" button
This will take you to the "Attach Policy" page.  You will see there are many predefined access policies available (which are known as "AWS managed policies"):
  • Select the "AdministratorAccess" option
  • Click the "Attach Policy" button
You will be returned to the user details page, where you can see that the policy has been attached.  Now we have to create a password and enable MFA for this user:
  • Click the "Security Credentials" tab.
  • In the "Sign-In Credentials" section, click the "Manage Password" button.
  • Select the "Assign a custom password" option
  • In the "Password" and "Confirm Password" fields enter a super strong password for this IAM user; this password should be completely unique and unrelated to the root user password
  • Make sure to deselect the "Require user to create a new password at next sign-in" option
  • Click "Apply"
  • Still in the "Sign-In Credentials" section, click the "Manage MFA Device" button
  • Select the "A virtual MFA device" option
  • Click the "Next Step" button
  • Read the instructions, and click the "Next Step" button
  • See the QR code
  • Transfer the key to your virtual MFA device:
    • If you have a QR code scanner app, use it to scan the code on the screen; (I used the "Barcode Scanner" Android app; when it scans the QR code, it reads out a URL like "otpauth://totp/user@alias?secret=xxxxx...xxxx", at which point I clicked its "Open Browser" button; that sent it directly to the "Google Authenticator" app "Save key for" dialog, where I clicked the "OK" button to save the entry)
    • If you don't have a QR code scanner app, you can click the "Show secret key for manual configuration" link to expand the section under the QR code on the screen, and transcribe the long value directly into your virtual MFA app
  • Either way, you should see the new entry, and a 6 digit numeric value with a timer countdown (the numeric value will change every 30 seconds)
  • In the "Authentication Code 1" field enter the first number that is displayed
  • In the "Authentication Code 2" field enter the second number that is displayed after some time
  • Click the "Activate Virtual MFA" button
  • See the message "The MFA device was successfully associated."
  • Click the "Finish" button
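To show what the virtual MFA app is doing behind the QR code, for both the root-user and the IAM-user MFA steps above, here is an added Python example (not code from this post or from AWS) that parses an otpauth URI of the shape shown and computes the two consecutive codes the "Authentication Code 1" and "Authentication Code 2" fields expect.  The secret in the sample URI is the RFC 6238 test key and the account id is a placeholder, not a real device.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

PERIOD = 30   # seconds per code (the countdown the console steps refer to)
DIGITS = 6    # AWS virtual MFA devices show 6-digit codes


def parse_otpauth(uri):
    """Return (label, base32 secret) from an otpauth://totp/... provisioning URI."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP provisioning URI")
    params = parse_qs(parsed.query)
    if "secret" not in params:
        raise ValueError("provisioning URI carries no secret")
    return unquote(parsed.path.lstrip("/")), params["secret"][0]


def totp(secret_b32, unix_time):
    """Code valid for the 30-second window containing unix_time (RFC 6238, HMAC-SHA1)."""
    cleaned = secret_b32.strip().replace(" ", "").upper()
    key = base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))  # tolerate unpadded secrets
    counter = int(unix_time) // PERIOD
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation (RFC 4226)
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "{:0{}d}".format(binary % 10 ** DIGITS, DIGITS)


def consecutive_codes(secret_b32, unix_time):
    """The pair AWS asks for as 'Authentication Code 1' and 'Authentication Code 2':
    the current window's code and the next window's, which differ because the
    HMAC counter advances by one every PERIOD seconds."""
    return totp(secret_b32, unix_time), totp(secret_b32, unix_time + PERIOD)


if __name__ == "__main__":
    # Constructed sample in the shape the page shows; the secret is the RFC 6238
    # test key and the account id is a placeholder, not a real AWS device.
    sample = "otpauth://totp/root-account-mfa-device@000000000000?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    label, secret = parse_otpauth(sample)
    now = int(time.time())
    code1, code2 = consecutive_codes(secret, now)
    print(label, code1, code2, "next code in", PERIOD - now % PERIOD, "s")
```

Because the second code only exists once the counter has advanced, the console's request for two codes is what confirms that your app's clock and secret both match; a device whose clock is off will fail here rather than at a later sign-in.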
Now that your IAM user is created, you should verify you can actually sign in as that user.  Find the account menu (under your account name at the top right):
  • Click the "Sign Out" link 
You should be on the main AWS page. Now follow the IAM sign-in bookmark you created earlier:
  • In the "Account" field verify that the account id or alias is correctly filled in
  • In the "User Name" field enter the name of the user you created
  • In the "Password" field enter the password you designated for this user
  • Click the "Sign In" button
You will be taken to the "Multi-factor Authentication" page:
  • In the "MFA Code" field, enter the numeric value for the IAM user (not the root user) from your virtual MFA device
  • Click the "Submit" button
Voilà!  You have signed in to the AWS Management Console as your new IAM user.  (You can see the user name in the account menu at the top right.)  With any luck, you'll never need to use the root user again.

Since we gave this IAM user the "AdministratorAccess" policy, it has the maximum access that any IAM user can have (which means, of course, that the password and MFA device should be guarded appropriately).  From this point on, there are very few activities that would actually require the root user, namely:
  • Changing the account name, root user email, or the root user password
  • Adding or removing an MFA device for the root user 
  • API access keys for the root user
  • CloudFront key pairs, X.509 certificates, and the canonical user id for S3 ACLs
  • Signing up for AWS GovCloud

Dive In!

Now that your new AWS account is secure, you can rest easy, and take your time to explore this new world!  Come back to this blog often, I'll be adding more walk-throughs as time goes on.
