Secure Root Account

Up to this point, you have signed in to your AWS environment using the root user’s email address and password. This is considered bad practice and is very insecure.

Therefore, the first step for securing your AWS environment is to configure the root user with multi-factor authentication and enable yourself to access your AWS Account using AWS Single Sign-On.

MFA for the root user

The root user of an AWS Account has the broadest permissions possible. It is a huge security risk to leave this account secured with only a single factor (a username and a password). To mitigate this risk, you need to enable multi-factor authentication for the root user. Start by logging into your AWS account.

Using the service selection or search field, access the AWS IAM service:

The IAM dashboard of the Identity and Access Management (IAM) service shows a security alert for the root user.

  1. Click Enable MFA to access the Security Credentials section of the IAM console
  2. Click on the blue “Activate MFA” button
  3. Select “Virtual MFA device”

  4. Use an MFA application like Google Authenticator or Authy to scan the QR code
  5. Finish the setup by entering two consecutive MFA codes
  6. Click the “Assign MFA” button
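
To confirm the result of the steps above outside the console, the root user's row in the IAM credential report can be checked. The following is an added example, not part of the original lab: it assumes the report CSV has already been fetched and decoded (for instance with `aws iam generate-credential-report` followed by `aws iam get-credential-report`), and the sample report, the function name `audit_root` and the 30-day threshold are constructed for illustration.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample of a decoded IAM credential report (subset of the real columns).
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_last_used,mfa_active
<root_account>,arn:aws:iam::111122223333:root,2024-01-10T09:00:00+00:00,2024-03-01T08:15:00+00:00,false
admin,arn:aws:iam::111122223333:user/admin,2024-01-11T09:00:00+00:00,2024-03-02T10:00:00+00:00,true
"""

ROOT_USER = "<root_account>"  # name the credential report gives the root user's row


def audit_root(report_csv, now, max_idle_days=30):
    """Return a list of findings for the root row of a credential report.

    max_idle_days is an assumed policy threshold, not an AWS default.
    """
    rows = {r["user"]: r for r in csv.DictReader(io.StringIO(report_csv))}
    root = rows.get(ROOT_USER)
    if root is None:
        return ["root row missing: report is incomplete or truncated"]

    findings = []
    # mfa_active is "true" once an MFA device has been assigned to the user.
    if root["mfa_active"].strip().lower() != "true":
        findings.append("root has no MFA device assigned")

    # A recent root sign-in suggests root is still used for daily tasks.
    last_used = root["password_last_used"]
    if last_used not in ("no_information", "N/A"):
        age = now - datetime.fromisoformat(last_used)
        if age.days < max_idle_days:
            findings.append(
                f"root signed in {age.days} days ago; use an admin identity instead"
            )
    return findings


if __name__ == "__main__":
    for finding in audit_root(SAMPLE_REPORT, datetime.now(timezone.utc)):
        print("FINDING:", finding)
```
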

In this lab, we added multi-factor authentication to our AWS root login. This method is more secure than relying on a single email and password to log in because it adds an extra layer of security to account access. In the next lab, we will learn how to enable an admin account so that we don’t have to use our root account for daily tasks. This is another important security measure that keeps our AWS environment safe.