In the previous post, we created an AWS account and logged in to the console using the root account login credentials. As best practice, we are going to create an IAM user with admin privileges and use its credentials to access our AWS environment henceforth. The root user has complete control of your AWS account, and should not be used for every day access.
Before we create the admin user, we are going to perform some light housekeeping to further secure our AWS account. We will enable multi-factor authentication for the root account.
Enabling Multi-Factor Authentication on your AWS Root Account
- Log in to your AWS account using the root credentials and click on My Security Credentials from the drop down menu under your account name in the menu bar.
- Select Multi-factor authentication (MFA) and click on Activate MFA. Select virtual MFA device.
If you do not already have the Authenticator app installed on your phone, go ahead and install from your device's app store.
Open the authenticator app on your device, click on the plus sign and select Scan a QR code. In the AWS console, click on show QR code, and scan the code with your mobile device. You should now see something similar to below on your phone.
Enter two consecutive MFA codes into the provided spaces and click on Assign MFA.
The MFA codes that you enter must be generated one after the other. If not, you will get an error and must reenter new codes.
Now, every time you want to log into your AWS account as root user, you must provide an MFA code from the Authenticator app on your phone in addition to your password.
Creating an Admin IAM User
IAM is an acronym for Identity and Access Management. It is the AWS service for managing users and their access to your cloud environment. We will explore IAM in more detail later. Follow the steps below to create an IAM user with administrative access.
From the menu bar, click on Services and select IAM
Click on Users under Access Management and click the Add user button
Enter your desired name for the user e.g Admin
For access type, check Programmatic Access and AWS Management Console Access
Check custom password and specify your desired password
Uncheck Require Password Reset since you are the one that will be using the new account. If you are creating an account for another user, leave it checked and they will be prompted to create a new password when they try to log in for the first time. Click next
Click on Attach existing policies directly and select AdministratorAccess from the list of policies. Click next, click review
Click Create user
Click on Download .csv and store the file in a secure place. You will not be able to download it again later
Click on send email to send yourself a copy of the login instructions or optionally, bookmark the console url that you see on your screen. You will need this url to log in later. Click close
Log out of the root account and log in as the admin IAM user. Remember to enable MFA for this user as well
Setting a Custom Password Policy for IAM Users - Optional
You can define your own custom password requirements instead of using the default one by AWS. All IAM users in your account must follow this policy when setting their password. To create a custom password policy:
Click on Services in the menu bar, select IAM
Under Account Management, click on Account Settings
Click on the Change Password Policy button
Check your desired options from the list and click on save changes
That's it for this post. In the next post, we are going to explore AWS VPC.