Secure AWS Account

So you have a shiny, new AWS account? There are a few simple things you can do to make it more secure.

  • Don’t use the root account

  • Set up MFA on the root account

  • Remove root account access keys

  • Create a non-root admin user account

Don’t use the root account

The first and most important thing to do is to NEVER use the root account for day-to-day work. The root account is all-powerful: no IAM policy can restrict what it does, so a leaked root password or key means a total compromise of the account. Reserve it for the handful of tasks that only root can perform, and lock it down with the extra steps below.

Turn on MFA for the root account

  1. Sign in as the root user (the email address and password used to create the account). (screenshot: AWS Root Login)

  2. Open the account drop-down menu and choose "My Security Credentials". (screenshot: Account Drop-down)

  3. Expand the "Multi-factor authentication (MFA)" section and click the "Activate MFA" button. (screenshot: MFA Section)

  4. Choose the MFA device type (usually "Virtual MFA device"; if you own a hardware security key, that is the stronger choice for root) and click "Continue". (screenshot: MFA Type)

  5. In a TOTP authenticator app, scan the QR code or type in the secret key. Treat that QR code and secret as a credential: don't screenshot it or store it anywhere you wouldn't store the root password. Enter two consecutive codes from the app and click "Assign MFA". (screenshot: Enter Codes)

  6. You should see a success page. Click "Close". (screenshot: Success)

  7. The root account now has an MFA device assigned. (screenshot: Finished)

Remove root account AWS Access Keys

Access keys can be created for the root account, and older accounts often still have a pair from their initial setup. Root keys give whatever holds them the same unrestricted access as the root password, and unlike keys for an IAM user they cannot be scoped by policy, so delete them rather than keep them around. If something is still using a root key, move it to an IAM user or role first; that is exactly the kind of use root keys should never have.

  1. Open the account drop-down menu and choose "My Security Credentials". (screenshot: Account Drop down)

  2. Expand the "Access keys (access key ID and secret access key)" section. If it lists no keys, there is nothing to delete. (screenshot: Access Keys)

  3. For each key listed, click the "Delete" link on the right, then click "Yes" on the confirmation popup. (screenshot: Confirm Delete)

Create a non-root Admin user

Now that you have secured the root credentials, you need an admin-level IAM user to take over the things you would otherwise have done as root.

  1. Open the IAM service in the AWS console. (screenshot: IAM dashboard)

  2. Click "Groups" in the left-hand navigation, then click the "Create New Group" button. (screenshot: IAM Group Page)

  3. Enter a group name (this walkthrough uses "Admins") and click "Next Step". (screenshot: New Group Name)

  4. Tick the checkbox next to the "AdministratorAccess" managed policy to attach it to your new group, then click "Next Step". (screenshot: New Group Policy)

  5. Review the group to be created and click "Create Group". (screenshot: Review Group)

  6. Click "Users" in the left-hand navigation, then click the "Add User" button. (screenshot: IAM Group Page)

  7. Enter a user name and tick "AWS Management Console access". Tick "Programmatic access" only if this user will actually run the CLI or SDKs: it creates a long-lived access key pair, and you can add one later if it turns out to be needed. (screenshot: New User Step 1)

    1. Choose a strong password, or select "Autogenerated password" if another person will use this account.

    2. If you selected "Autogenerated password", leave "User must create a new password at next sign-in" checked.

    3. Click "Next: Permissions".

  8. Tick the checkbox for the group you created (here, "Admins") and click "Next: Tags". (screenshot: New User Step 2)

  9. Optionally add some tags to the new user and click "Next: Review". (screenshot: New User Step 3)

  10. Review the user's settings and click "Create User". (screenshot: New User Step 4)

  11. On the final page, download the .csv and store it securely; if you requested programmatic access, the secret access key is shown only here and cannot be retrieved later. (screenshot: New User Step 5)
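The same group-and-user setup can be scripted against the IAM API, which is handy when you bootstrap more than one account. The script below is an added example, not code from the original post: it builds the sequence of boto3 IAM calls that mirror steps 1 through 11, runs them against a client, and writes the one-time credentials to a mode-0600 file in place of the console's .csv download. The group name "Admins", the default user name "admin", the credentials file name and the DRY_RUN/ADMIN_USER environment variables are all assumptions. The live run needs boto3 and is the one job the root credentials are for; after it, sign in as the new user and put root away.

```python
"""Create the non-root admin user from this page with the IAM API instead of the console.

Added example, not code from the original post. The group name "Admins", the user
name, and the credentials file name are assumptions; the live run needs boto3 and
root credentials (this is the one task they are for), after which root should not
be used again.
"""
import os
import secrets
import string

ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"  # AWS managed policy
PASSWORD_CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, "!@#$%^&*()-_=+")


def generate_password(length=20):
    """Random console password containing all four character classes."""
    alphabet = "".join(PASSWORD_CLASSES)
    while True:
        password = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in cls for ch in password) for cls in PASSWORD_CLASSES):
            return password


def build_plan(user, group="Admins", programmatic=True, password=None):
    """Ordered (boto3 IAM method, kwargs) pairs mirroring the console steps above."""
    plan = [
        ("create_group", {"GroupName": group}),
        ("attach_group_policy", {"GroupName": group, "PolicyArn": ADMIN_POLICY_ARN}),
        ("create_user", {"UserName": user}),
        # Console access; the generated password must be changed at first sign-in.
        ("create_login_profile", {"UserName": user, "Password": password or generate_password(),
                                  "PasswordResetRequired": True}),
        ("add_user_to_group", {"GroupName": group, "UserName": user}),
    ]
    if programmatic:  # long-lived keys: only when the user really needs the CLI or SDKs
        plan.append(("create_access_key", {"UserName": user}))
    return plan


class RecordingClient:
    """Stand-in for boto3's IAM client: records the calls and returns shaped responses."""

    def __init__(self):
        self.calls = []

    def __getattr__(self, api):
        def call(**kwargs):
            self.calls.append((api, kwargs))
            if api == "create_access_key":  # constructed placeholder values, not real keys
                return {"AccessKey": {"AccessKeyId": "AKIAEXAMPLEKEYID", "SecretAccessKey": "example-secret"}}
            return {}
        return call


def apply_plan(plan, iam):
    """Run the calls in order against an IAM client; responses are keyed by API name."""
    return {api: getattr(iam, api)(**kwargs) for api, kwargs in plan}


def save_credentials(path, user, password, access_key=None):
    """Write the one-time credentials to a 0600 file (the equivalent of the console's .csv)."""
    lines = [f"user={user}", f"password={password}"]
    if access_key:
        lines += [f"access_key_id={access_key['AccessKeyId']}",
                  f"secret_access_key={access_key['SecretAccessKey']}"]
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as handle:
        handle.write("\n".join(lines) + "\n")
    return path


if __name__ == "__main__":
    user = os.environ.get("ADMIN_USER", "admin")
    dry_run = bool(os.environ.get("DRY_RUN"))
    plan = build_plan(user)
    if dry_run:
        iam = RecordingClient()
    else:
        import boto3  # only needed for the live run, made with the root credentials
        iam = boto3.client("iam")
    responses = apply_plan(plan, iam)
    if dry_run:
        for api, kwargs in iam.calls:
            print(api, {k: ("***" if k == "Password" else v) for k, v in kwargs.items()})
    else:
        password = dict(plan)["create_login_profile"]["Password"]
        path = save_credentials(f"{user}-credentials.txt", user, password,
                                responses.get("create_access_key", {}).get("AccessKey"))
        print(f"{user} created in Admins; one-time credentials in {path}; enroll MFA before first use")
```

Run it with DRY_RUN=1 to see the exact calls with the password masked, and without it (as root, once) to create the user. Pass programmatic=False to build_plan, or drop the access-key step, for a console-only admin. MFA enrollment is deliberately left to the user from the console: enable_mfa_device needs two consecutive codes from the authenticator, and the TOTP seed should never pass through a script.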

Finally, enable MFA for the newly created admin user as well (on the user's "Security credentials" tab in IAM, the same way you did for root), sign in as that user, and stop signing in as root.
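Once the four items above are done it is worth verifying them from data rather than memory, and re-checking later. The IAM credential report lists every identity in the account, including root as `<root_account>`, with its MFA state, active access keys and last password use. The script below is an added example, not code from the original post: it parses that report and produces a finding for each checklist item that fails (root without MFA, active root keys, a recent root sign-in, console users without MFA, no IAM user at all). SAMPLE_REPORT is constructed data, not taken from any real account, and the 30-day window for "recent" root use is an assumption; the live fetch goes through the AWS CLI and needs configured credentials.

```python
"""Audit an IAM credential report against the four items on this page.

Added example, not code from the original post. The format is the CSV that
`aws iam get-credential-report` returns; SAMPLE_REPORT is constructed data, not
from any real account, and RECENT_ROOT_USE_DAYS is an assumption.
"""
import base64
import csv
import io
import json
import subprocess
import time
from datetime import datetime, timedelta, timezone

ROOT = "<root_account>"      # the root row's "user" column in the credential report
RECENT_ROOT_USE_DAYS = 30    # assumption: a root sign-in newer than this gets a finding

# Constructed sample: root has no MFA, an active key, and a sign-in nine days before
# SAMPLE_NOW; "admin" is healthy; "deploy" has a console password but no MFA device.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2024-01-02T10:00:00+00:00,not_supported,2024-03-01T08:15:00+00:00,not_supported,not_supported,false,true,2024-01-02T10:05:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
admin,arn:aws:iam::123456789012:user/admin,2024-01-03T09:00:00+00:00,true,2024-03-02T07:00:00+00:00,2024-01-03T09:00:00+00:00,N/A,true,true,2024-01-03T09:01:00+00:00,2024-03-02T07:30:00+00:00,us-east-1,iam,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
deploy,arn:aws:iam::123456789012:user/deploy,2024-02-01T12:00:00+00:00,true,no_information,2024-02-01T12:00:00+00:00,N/A,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""
SAMPLE_NOW = datetime(2024, 3, 10, tzinfo=timezone.utc)


def _flag(value):
    return (value or "").strip().lower() == "true"


def _timestamp(value):
    """ISO-8601 timestamp, or None for N/A, no_information and not_supported."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def audit_credential_report(report_csv, now=None):
    """Return findings as strings; an empty list means the checklist holds."""
    now = now or datetime.now(timezone.utc)
    rows = list(csv.DictReader(io.StringIO(report_csv)))
    findings = []
    for row in rows:
        user, mfa = row["user"], _flag(row["mfa_active"])
        active_keys = [n for n in ("1", "2") if _flag(row[f"access_key_{n}_active"])]
        if user == ROOT:
            if not mfa:
                findings.append("root: MFA is not enabled")
            for n in active_keys:
                findings.append(f"root: access key {n} is active; delete it")
            last_used = _timestamp(row["password_last_used"])
            if last_used and now - last_used < timedelta(days=RECENT_ROOT_USE_DAYS):
                findings.append(f"root: password used on {last_used.date()}; sign in as an IAM user instead")
        elif _flag(row["password_enabled"]) and not mfa:
            findings.append(f"{user}: console password without MFA")
    # The report has no group membership, so this only checks that a non-root identity exists.
    if all(row["user"] == ROOT for row in rows):
        findings.append("no IAM users exist; root is the only identity")
    return findings


def fetch_credential_report():
    """Pull the live report through the AWS CLI (needs configured credentials; not used offline)."""
    while True:  # generation is asynchronous; poll until the report is COMPLETE
        out = subprocess.run(["aws", "iam", "generate-credential-report", "--output", "json"],
                             check=True, capture_output=True, text=True).stdout
        if json.loads(out)["State"] == "COMPLETE":
            break
        time.sleep(2)
    out = subprocess.run(["aws", "iam", "get-credential-report", "--output", "json"],
                         check=True, capture_output=True, text=True).stdout
    return base64.b64decode(json.loads(out)["Content"]).decode()


if __name__ == "__main__":
    for finding in audit_credential_report(fetch_credential_report()):
        print(finding)
```

Run as the new admin user (not root), it prints one line per problem and nothing when the account is clean, which makes it easy to wire into a periodic job. The root "password used" finding is the cheapest way to notice that someone has drifted back to the root login.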