Nick, May 25, 2021
When you first create an Amazon Web Services (AWS) account, you start with a single sign-in identity that has full access to all AWS services and resources in the account. This identity is known as the AWS account root user, and you reach it by signing in with the email address and password that you used to create the account.
It is strongly recommended that you use the root user only as a last resort. Instead, use it only for the tasks that require root credentials, such as configuring identity federation through AWS Single Sign-On or an identity provider configured in IAM. You must sign in as the root user to perform the tasks that require root access; see AWS Tasks That Require Root User for the list.
NOTE: If you do not yet have an AWS Organizations structure, AWS Control Tower is the simplest way to get started. For more detail, see Security Foundations and Identity and Access Management in the AWS Well-Architected security whitepaper.
It is helpful to understand what is already configured in your AWS account, particularly if you have had it for some time. Audit the account's security configuration, and follow these guidelines while reviewing and updating the account's security settings:
Be thorough. Investigate all facets of your security setup, even those you do not use on a daily basis.
Don’t make assumptions. If you are unsure about a specific part of your security setup (for example, the reasoning behind a particular policy or the purpose of a role), investigate the business need until you are satisfied.
Keep it simple. Use IAM groups, consistent naming schemes, and simple policies to make auditing (and management) easier.
More detail is available at https://docs.aws.amazon.com/general/latest/gr/aws-security-audit-guide.html.
You can download a credential report as a comma-separated values (CSV) file from the AWS Management Console. Keep in mind that IAM generates a new credential report at most once every four hours; if you request one within four hours of the previous generation, you receive the existing report. To download a credential report from the AWS Management Console, follow these steps:
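Once the report is downloaded, the first thing to check is the `<root_account>` row and any user with a console password but no MFA. The script below is an added example, not code from this article or from AWS: it parses a constructed sample report (a fictitious account, invented dates) in the column layout IAM emits, and flags a root user without MFA, active root access keys (the same problem described further down under access keys), users with a password but no MFA, access keys older than 90 days, and active keys that have never been used. The 90-day threshold and the fixed audit time are assumptions for the demo.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Fixed "now" so the sample audit is reproducible (an assumption for the demo).
AUDIT_NOW = datetime(2021, 5, 25, 12, 0, tzinfo=timezone.utc)

# Constructed sample credential report for a fictitious account. The columns
# are the ones IAM emits; every value below is invented for illustration.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2019-03-01T10:00:00+00:00,not_supported,2021-05-20T08:12:00+00:00,2019-03-01T10:00:00+00:00,not_supported,false,true,2019-03-02T09:00:00+00:00,2021-05-01T07:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2020-01-15T12:00:00+00:00,true,2021-05-24T09:30:00+00:00,2021-04-10T12:00:00+00:00,2021-07-09T12:00:00+00:00,true,true,2021-03-01T12:00:00+00:00,2021-05-24T09:31:00+00:00,eu-west-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2020-06-01T12:00:00+00:00,true,no_information,2020-06-01T12:00:00+00:00,2020-08-30T12:00:00+00:00,false,true,2020-06-01T12:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,2020-09-01T12:00:00+00:00,false,N/A,N/A,N/A,false,true,2021-04-01T12:00:00+00:00,2021-05-25T01:00:00+00:00,us-east-1,ecr,true,2020-09-01T12:00:00+00:00,2020-12-01T00:00:00+00:00,us-east-1,ecr,false,N/A,false,N/A
"""


def _parse_ts(value):
    """Return an aware datetime, or None for the report's placeholder values."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv, now=AUDIT_NOW, max_key_age_days=90):
    """Return a list of (user, finding_code) tuples for the report text."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"

        if is_root and row["mfa_active"] != "true":
            findings.append((user, "ROOT_NO_MFA"))
        # Root access keys cannot be restricted by policy; they should not exist.
        if is_root and "true" in (row["access_key_1_active"], row["access_key_2_active"]):
            findings.append((user, "ROOT_ACCESS_KEY"))
        # Any IAM user with a console password should also have MFA.
        if not is_root and row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "PASSWORD_WITHOUT_MFA"))

        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = _parse_ts(row[f"access_key_{n}_last_rotated"])
            if rotated is not None and now - rotated > timedelta(days=max_key_age_days):
                findings.append((user, f"STALE_KEY_{n}"))
            # An active key that has never been used is pure attack surface.
            if row[f"access_key_{n}_last_used_date"] == "N/A":
                findings.append((user, f"UNUSED_KEY_{n}"))
    return findings


def findings_for(user, findings):
    """Sorted finding codes for one user, for reporting and assertions."""
    return sorted(code for u, code in findings if u == user)


if __name__ == "__main__":
    for user, code in audit_credential_report(SAMPLE_REPORT):
        print(f"{user:16} {code}")
```

To run it against a real report, replace `SAMPLE_REPORT` with the contents of the downloaded CSV and `AUDIT_NOW` with the current time; the placeholder values `N/A`, `no_information` and `not_supported` are handled the same way IAM uses them in the report.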
To set up and enable a virtual MFA device for your root user, use IAM in the AWS Management Console. To manage MFA devices for the AWS account, you must be signed in to AWS with your root user credentials; you cannot use other credentials to manage MFA devices for the root user.
If your MFA device is lost, stolen, or stops working, you can still sign in using alternative factors. To do so, you must verify your identity using the email address and phone number associated with the account. Before activating MFA for your root user, review your account settings and contact information to ensure that you still have access to that email address and phone number. See What If an MFA Device Is Lost or Stops Working? for more information on signing in with alternative authentication factors.
Choose one of the following options:
Keep a secure copy of the QR code or secret configuration key, or register more than one MFA device for the account. A virtual MFA device can become unavailable (for example, if you lose the smartphone that hosts it). If that happens and you have no backup, you will be unable to sign in to your account and will need to contact AWS customer support to have MFA removed from the account.
NOTE: IAM generates a QR code and a secret configuration key that are tied to your AWS account and cannot be used to set up a device for a different account. You can, however, use them to configure a new virtual MFA device for your account if you lose access to the current device.
This is important:
Submit the two authentication codes as soon as you generate them. If you generate the codes but wait too long before submitting them, the MFA device is still associated with the user but may be out of sync, because time-based one-time passwords (TOTP) expire after a short period. If that happens, resynchronize the device.
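Why a late submission fails, and why resynchronization asks for two consecutive codes, is easiest to see in the TOTP arithmetic itself. The block below is an added example, not code from this article or from AWS: a plain RFC 4226/6238 implementation (HMAC-SHA1, 30-second steps, 6 digits, as virtual MFA apps compute) with a verifier that accepts one step of drift, plus an offset search that recovers a device's clock skew from two consecutive codes. The offset search is a generic illustration of the resync idea, not a description of AWS's internal implementation; the fixed clock values are assumptions for the demo, and the RFC 6238 test secret is used for the self-check.

```python
import hmac
import hashlib
import struct

# RFC 6238 reference secret (ASCII "12345678901234567890"), used for the
# self-check only; a real device holds the secret from the IAM setup key.
RFC_SECRET = b"12345678901234567890"
STEP = 30  # seconds per time step


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP with HMAC-SHA1 and dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret, unix_time, step=STEP):
    """RFC 6238 TOTP: HOTP over the current time step."""
    return hotp(secret, int(unix_time // step))


def verify_totp(secret, code, server_time, offset_steps=0, window=1, step=STEP):
    """Accept a code that matches the current step (plus any known device
    offset) or one step either side; anything older is rejected as stale."""
    base = int(server_time // step) + offset_steps
    return any(hotp(secret, base + k) == code for k in range(-window, window + 1))


def resync_offset(secret, code1, code2, server_time, search_steps=100, step=STEP):
    """Recover the device's clock offset (in steps) from two consecutive codes.
    Two codes are needed because one 6-digit code alone would match several
    counters across a wide search range; a consecutive pair pins the step down."""
    base = int(server_time // step)
    for k in range(-search_steps, search_steps + 1):
        if hotp(secret, base + k) == code1 and hotp(secret, base + k + 1) == code2:
            return k
    return None


def demo(secret=RFC_SECRET):
    """Walk through a fresh code, a stale code, and a resync."""
    server_time = 1111111111            # arbitrary fixed server clock (assumed)
    device_time = server_time - 90      # device clock lags by three steps (assumed)

    fresh_ok = verify_totp(secret, totp(secret, server_time), server_time)

    # Code generated on the lagging device and submitted "now": outside the window.
    stale_code = totp(secret, device_time)
    stale_ok = verify_totp(secret, stale_code, server_time)

    # Two consecutive codes from the device let the server learn the offset.
    code1 = totp(secret, device_time)
    code2 = totp(secret, device_time + STEP)
    offset = resync_offset(secret, code1, code2, server_time)
    after_resync_ok = verify_totp(secret, stale_code, server_time, offset_steps=offset)

    return {"fresh_ok": fresh_ok, "stale_ok": stale_ok,
            "offset": offset, "after_resync_ok": after_resync_ok}


if __name__ == "__main__":
    print(demo())
```

The same mechanism explains the activation warning above: the two codes you type during setup are consecutive by construction, so a pair submitted promptly lands inside the verifier's window, while a pair submitted several steps late is still a valid consecutive pair (so the device associates) but no longer lines up with the server's current step.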
Configure security challenge questions for the account; they are used to verify that you own the AWS account.
Alternate contacts let AWS reach someone else about account issues if you are unavailable.
To make programmatic requests to AWS, you need an access key (an access key ID and a secret access key). Do not, however, create or use an access key for the AWS account root user. A root user access key grants full access to all of your resources in all AWS services, including your billing information, and you cannot restrict the permissions associated with it.
To change the root user password, you must be signed in as the AWS account root user. See Resetting Lost or Forgotten Passwords or Access Keys for information on recovering a forgotten root user password.
To change the root user’s password, follow these steps:
If you previously signed in to the console with IAM user credentials, your browser may remember this choice and open your account-specific sign-in page. You cannot sign in with your AWS account root user credentials on the IAM user sign-in page. If you see the IAM user sign-in page, choose Sign in using root account credentials at the bottom of the page to return to the main sign-in page. From there, enter your AWS account email address and password.
AWS demands that the password satisfy the following requirements:
AWS is making changes to the sign-in procedure. Among these changes is the introduction of a stronger password policy for your account. If your account has been updated, you must follow the password policy described above. If your account has not yet been updated, AWS does not enforce this policy, but it strongly recommends that you follow its strong password guidelines.
It is important to observe the following best practices for strong passwords:
On your AWS account, you can create a password policy that defines the complexity requirements and mandatory rotation periods for the passwords of your IAM users. The IAM password policy does not apply to the root user password.
To create or change a password policy, follow these steps:
For more information, see the AWS IAM documentation.