AWS Identity and Access Management
We’ll start with IAM, whose management dashboard connects you to all the administration tools you’ll need to manage the basics of account security. the Security Status section of that page provides a friendly reminder that there might be some issues requiring your attention. Those suggestions include protecting your account by locking down the root user (the user identity that was generated when you first created your AWS account) and replacing the effective functionality of root by setting up IAM users and groups for your day-to-day administration tasks.
Protecting the Root User
For practical reasons, the root user has the permissions necessary to perform any task on your account. That includes launching any resources in any region and authorizing any expenses. The problem is that actively using the root user over the long term with only minimal protections presents a significant security risk. Should the root credentials ever be compromised through an attack, there will be no limit to the potential for mischief. All your data could be stolen or deleted or the attacker could run up hundreds of thousands of dollars of charges running a rogue crypto mining operation.
The recommended best practice is, therefore, to protect the root user by creating a complex password and implementing multifactor authentication and, for most administration activities, use IAM users instead. That will be covered next.
Authentication
Whether you’re logging in to work with your AWS account via the AWS Management Console, running a command from the terminal of your personal laptop, or connecting a remote application to AWS resources at the programming code level, you’ll need to prove you are who you claim to be and that “who you claim to be” has a right to the access you’re after. Often that will mean providing some kind of user ID and password. In the case of programmatic or command-line access, you’ll need a set of access keys. Opening a remotelogin session to a Linux instance on Elastic Compute Cloud (EC2) will require a valid key pair. Let’s look at those one at a time.
Passwords
While you’re still learning your way around AWS, you’ll probably do most of your workfrom the browser’s AWS Management Console. As you’ll learn “Working with Your AWS Resources,” using the command line (specifically, AWS CLI) can be a far more efficient way to get things done, but the AWS Management Console works too.
As mentioned, the fi rst step in protecting your root user is to give it a high-quality password. But that doesn’t mean you should let other users off the hook. You’ll soon see how to create such users. But before that happens, you should have an appropriate password policy already in place. You can configure a policy from the Account Settings section of the IAM Dashboard that will require the passwords used by all users on the account to conform with minimum complexity.
Multi-factor authentication (MFA) adds a second layer of security to your logins. Once it’s enabled, a user will need to provide not only a password to authenticate (“somethingyou know”) but also, as a second factor, a temporary digital token sent through a present device (“something you have”), like a smartphone running an Authenticator app.
Access Keys
As we mentioned, programmatic and command-line access to many AWS resources is authenticated by access keys (without the option of MFA). You can generate a new set of keys while logged into the AWS Management Console from the Security Credentials page—which is accessed from the account drop-down menu at the top right of the AWS Management Console page. Choosing the Create New Access Key button will get you there. You’ll then have the option of downloading the key to your computer as a text file or showing the actual Access Key ID and Secret Access Key values in the dialog where you can copy and paste them somewhere safe. Just make sure you choose one of those options, because you’ll never be shown the secret access key itself again. You should also remember that it’s never a good idea to expose the Secret Access Key in plain text
Learn more about AWS IAM Roles Here