DEV Community

Msaghu

Free AWS Bootcamp: Week 0 - Part 2

Welcome Back!
This is part 2 of the Week 0 post for the free AWS bootcamp. To review Part 1, click the link here.

Our main goals for this part of Week 0 are:

  1. Securing the root user account, then creating an organization and IAM users.
  2. Creating a budget and billing alarms.

So let's begin:


Securing our root user account

Before we learn about IAM users, let's first define what a root user account is.

What is a root user?

  • When we create our very first Amazon Web Services (AWS) account, we get a single sign-in identity that has complete access to all AWS services and resources in that account. This is the AWS root user.
  • The root user should not have access keys at all. If any exist, we will deactivate and then delete them once our IAM user is set up, so that the only way to use root is an MFA-protected console sign-in reserved for the few tasks that actually require it.

Step 1 - MFA
We start by adding MFA to the root user.
We choose IAM from the AWS console. Because we are still signed in as the root user, the IAM dashboard shows a warning that MFA is not enabled for this user.

MFA warning

  • Select the MFA device, for purposes of this lab, I will be using the Google Authenticator App.

Select the MFA device

  • Follow the prompt to show the QR code, then either scan it with the authenticator app on the phone or choose "Show secret key" and type that base32 secret into the app. Note that this is the MFA secret configuration key, not an access key. AWS then asks for two consecutive codes from the app to confirm the device is in sync.

  • Success!
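A virtual MFA device is just RFC 6238 TOTP: the code is a pure function of the secret behind the QR code and the current 30-second time step. The following is an added example, not code from the original post, implementing that computation so the enrollment step above (scan or type the secret, then supply two consecutive codes) is concrete. The secret used is the RFC 6238 test key "12345678901234567890" encoded in base32, so the outputs can be checked against the RFC's published vectors; it is not a real AWS secret.

```python
"""RFC 6238 TOTP as used by AWS virtual MFA (HMAC-SHA1, 6 digits, 30 s steps).

Added example. The secret below is the RFC 6238 test key, base32-encoded, not a
real MFA secret.
"""
import base64
import hashlib
import hmac
import struct
import time

# base32("12345678901234567890"), the RFC 6238 reference secret (constructed input).
RFC_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30


def _decode_secret(secret_b32: str) -> bytes:
    # Authenticator apps accept the secret with spaces and lowercase; normalise and pad.
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def totp(secret_b32: str, unix_time: int, digits: int = 6) -> str:
    """Code for the 30 s step containing unix_time (RFC 6238 over RFC 4226 HOTP)."""
    counter = unix_time // STEP_SECONDS
    digest = hmac.new(_decode_secret(secret_b32), struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def enrollment_codes(secret_b32: str, unix_time: int) -> tuple:
    """The two consecutive codes an enrollment form like AWS's asks for."""
    return totp(secret_b32, unix_time), totp(secret_b32, unix_time + STEP_SECONDS)


def verify(secret_b32: str, code: str, unix_time: int, skew_steps: int = 1) -> bool:
    """Server-side check that tolerates one step of clock drift either way.

    Uses a constant-time comparison so a wrong code leaks nothing about the right one.
    """
    return any(
        hmac.compare_digest(totp(secret_b32, unix_time + delta * STEP_SECONDS), code)
        for delta in range(-skew_steps, skew_steps + 1)
    )


if __name__ == "__main__":
    # Same secret on a second device, or restored from a backup, yields the same code.
    print("current code:", totp(RFC_TEST_SECRET_B32, int(time.time())))
    print("enrollment pair at t=59:", enrollment_codes(RFC_TEST_SECRET_B32, 59))
```

Because the code depends only on the secret and the clock, a second phone enrolled from the same QR code, or a copy of the secret kept in a password manager, produces identical codes; that is the reason for backing up the secret or registering more than one MFA device for root. It also means the secret must be protected as carefully as a password.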

Step 2 - Organizations
We will create our organization and add two member accounts: one created from within the organization, the other an existing account invited to join. We will also attach an allow-list Service Control Policy (SCP) that permits only the services we explicitly list. Any service AWS launches later is blocked in the member accounts until an administrator adds it to the list. Two points worth knowing before starting: SCPs do not apply to the management account, and the allow list only takes effect once the default FullAWSAccess SCP is detached from the organizational unit it is meant to restrict.

What is an Organization

AWS Organizations is a free account-management service that lets us consolidate and centrally manage multiple AWS accounts. It lets us apply guardrails across those accounts with Service Control Policies (SCPs) and gives us consolidated billing.

  • In the AWS console search bar, type Organizations and choose AWS Organizations.

  • Choose Create an organization. (By default this creates an organization with all features enabled, which is required for SCPs.) We now have an organization whose only member is the account we created it from; that account becomes the management account.

AWS Organizations

  • We can now create a new account inside the organization (there is also an option to invite an existing account to join). Either way, the added account is referred to as a member account.

Image 5 - Creating an AWS account and adding to the Organization

Image 6 - Account creation

  • Next we create an organizational unit (OU) and place our member account in it.

  • In the Organizations console, select the check box next to the Root container and click into it. Choose the Children tab, then Actions, and under Organizational units choose Create new.

Image 7

  • Now move the member account into the OU: select the check box next to the member account and click its name, choose Move, select the radio button next to the newly created OU, and choose Move AWS account.

Step 3 - First time Member sign in

  • To do anything in the member account we created above, we need to sign in to it. An account created through Organizations has its own root user (the email address we supplied) but no password was ever set for it, although it is still a member account under the organization's controls.

  • Go back to the sign-in page, enter the member account's email address in the root user section, and on the next page choose Forgot password?

Image 9 - Member account

  • A reset link is sent to that email address, and after setting a password we can sign in to the member account. Treat this as a one-time setup step: sign in as the member account's root user only to enable MFA on it, and use the role in Step 4 for everything else.

Step 4 - Roles
To perform tasks in the member account without its root user, we use a role. When Organizations creates an account, it also creates a role named OrganizationAccountAccessRole in that account whose trust policy allows the management account to assume it (for an invited account you have to create this role yourself). We now write a policy in the management account that allows assuming that role.

  • Sign in to the management account, choose IAM from the AWS console, and in the left-hand navigation choose Policies.

  • Choose Create policy, then Choose a service, type STS into the search box and choose STS. Under Actions, type assume in the search box and choose AssumeRole. Under Resources, choose Specific, then Add ARN to restrict access, and enter the member account number and the role name (OrganizationAccountAccessRole for an account created through Organizations). Restricting the resource matters: a policy allowing sts:AssumeRole on "*" would let the principal assume any role that trusts this account.

Image 10 - Creating a policy

Image 11
Image 8 - Create role

  • We can also require MFA for this permission by expanding Request conditions and selecting MFA required. This adds an aws:MultiFactorAuthPresent condition, so the role can only be assumed from a session that authenticated with MFA.

  • Choose review policy then enter a name for the policy then choose Create policy.

  • We will now attach the policy to a group.
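The two policy documents this section and Step 2 describe, the allow-list SCP and the MFA-gated sts:AssumeRole policy, are shown below together with a deliberately small evaluator that walks through how they answer "is this request allowed?". This is an added example, not part of the original post and not AWS's evaluation engine: it models only Effect, Action, Resource and the Bool condition operator, and the account IDs and the service allow list are placeholders.

```python
"""Allow-list SCP and MFA-gated AssumeRole policy, with a toy evaluator.

Added example. Account IDs and the service list are placeholders; the evaluator
models only Effect/Action/Resource and the Bool condition operator, a small
subset of real IAM policy evaluation.
"""
import fnmatch
import json

MEMBER_ACCOUNT_ID = "111122223333"           # placeholder member account ID
ROLE_NAME = "OrganizationAccountAccessRole"   # created by Organizations in new member accounts
ROLE_ARN = f"arn:aws:iam::{MEMBER_ACCOUNT_ID}:role/{ROLE_NAME}"

# Step 2: allow-list SCP. SCPs never grant anything by themselves; they cap what
# identity policies in the member accounts may grant. With FullAWSAccess detached
# from the OU, anything not listed here is blocked, including future services.
ALLOW_LIST_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowListedServicesOnly",
        "Effect": "Allow",
        "Action": ["ec2:*", "s3:*", "iam:*", "sts:*", "cloudwatch:*", "budgets:*"],
        "Resource": "*",
    }],
}

# Step 4: identity policy attached to a group in the management account. It allows
# assuming exactly one role in one member account, and only with MFA present.
ASSUME_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AssumeMemberRoleWithMfa",
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": ROLE_ARN,
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, casefold):
    # IAM action names are case-insensitive; ARNs are compared as written here.
    if casefold:
        return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_met(condition, context):
    """Bool operator only. A key absent from the request context does not match,
    which is exactly why a non-MFA session fails an aws:MultiFactorAuthPresent check."""
    for operator, pairs in condition.items():
        if operator != "Bool":
            raise NotImplementedError(f"condition operator {operator} is not modelled")
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None or str(actual).lower() != str(expected).lower():
                return False
    return True


def evaluate(policy, action, resource="*", context=None):
    """'Allow' or 'Deny': an explicit Deny wins, and no matching Allow is an implicit Deny."""
    context = context or {}
    allowed = False
    for statement in policy["Statement"]:
        if not _matches(statement["Action"], action, casefold=True):
            continue
        if not _matches(statement.get("Resource", "*"), resource, casefold=False):
            continue
        if not _condition_met(statement.get("Condition", {}), context):
            continue
        if statement["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "Deny"


def scp_permits(action):
    """Does the allow list let member accounts use this action at all?"""
    return evaluate(ALLOW_LIST_SCP, action) == "Allow"


def can_assume(role_arn, mfa_present):
    """Would the management-account principal be allowed to assume role_arn?"""
    context = {"aws:MultiFactorAuthPresent": "true"} if mfa_present else {}
    return evaluate(ASSUME_ROLE_POLICY, "sts:AssumeRole", role_arn, context) == "Allow"


if __name__ == "__main__":
    print(json.dumps(ASSUME_ROLE_POLICY, indent=2))      # paste-ready for the JSON policy editor
    print("ec2 in allow list:", scp_permits("ec2:RunInstances"))
    print("sagemaker in allow list:", scp_permits("sagemaker:CreateNotebookInstance"))
    print("assume with MFA:", can_assume(ROLE_ARN, True), "without:", can_assume(ROLE_ARN, False))
```

Two things the evaluator makes visible that the console wizard hides: the SCP's effect is purely a ceiling (a service missing from the list is denied even if an administrator in the member account writes a policy allowing it), and the MFA condition fails when the context key is simply absent, which is the case for a session started with long-term access keys and no MFA. The AssumeRole request also needs the role's trust policy in the member account to name the management account as a principal; OrganizationAccountAccessRole has that trust by default.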

Step 5 - Enabling IAM Identity Center

To enable IAM Identity Center, the account must be managed by AWS Organizations. IAM Identity Center lets us connect an existing directory or use the built-in Identity Center directory to create and manage users and groups, and to manage their access to AWS accounts and cloud applications from one place.

  • Sign in to the management account (we already have an AWS Organization). In the console, search for IAM Identity Center and, under Enable IAM Identity Center, choose Enable.

  • Next choose the identity source, which is where users and groups are managed. Since we are just starting out, the Identity Center directory is configured as the default identity source. (We could also connect an Active Directory or an external identity provider.)

  • In the Identity Center console, choose Add user to create a user. Enter the user's details, and choose to have Identity Center send the user an email with password setup instructions, then follow the prompts.

  • We will now grant this user administrative access to the management account.

  • In the Identity Center Console, we will choose under Multi-account permissions, choose Permission sets. Choose Create permission set. For Step 1: Select permission set type, on the Select permission set type page, keep the default settings and choose Next. The default settings grant full access to AWS services and resources using the AdministratorAccess predefined permission set.

Image 13

  • For Step 2: Specify permission set details, on the Specify permission set details page, keep the default settings and choose Next. The default setting limits your session to one hour.

Image 14 - Step 2

  • For Step 3: Review and create, on the Review and create page, do the following: Review the permission set type and confirm that it is AdministratorAccess. Review the AWS managed policy and confirm that it is AdministratorAccess. Choose Create.

Image 15

  • In the Identity Center console, under Multi-account permissions, choose AWS accounts. Here we see a tree view of our organization. Select the check box next to the management account and choose Assign users or groups.

Image 16

  • For Step 1: Select users and groups, on the Assign users and groups to "AWS-account-name" page, open the Users tab and select the user who should receive administrative permissions.
    To filter the results, start typing the user's name in the search box.
    After confirming that the correct user is selected, choose Next.

  • For Step 2: Select permission sets, on the Assign permission sets to "AWS-account-name" page, under Permission sets, select the AdministratorAccess permission set. Choose Next.

  • For Step 3: Review and submit, on the Review and submit assignments to "AWS-account-name" page, review the selected user and permission set. After confirming that the correct user is assigned to the AdministratorAccess permission set, choose Submit.

Image 17

  • On the Dashboard page, under Settings summary, copy the AWS access portal URL. Open a new browser window, paste in the access portal URL and press Enter. After signing in as the new user, the management account appears in the portal with the AdministratorAccess role available.

Creating a budget and billing alarms

To follow AWS best practices and keep the root credentials out of day-to-day use, we enable IAM user and role access to billing information (root user, Account settings). Until this is activated, billing pages are hidden even from identities that hold AdministratorAccess. Once it is on, each person signs in with their own credentials and can be granted only the billing permissions they need, rather than sharing the root sign-in to view costs.

To stay within the free tier, keep to two budgets per account.


Tips and tricks

  • For the purposes of this lab, I am using a trick I learnt: each account gets a plus-addressed variant of one mailbox, such as examplelab+1@gmail.com, so every account's email lands in the same inbox and is easier to manage.

Security of the root account

  • Make a secure backup of the QR code or the secret configuration key, or register more than one MFA device for the account. A virtual MFA device can become unavailable, for example if you lose the smartphone hosting it. If that happens and there is no second device, you cannot sign in and must go through AWS Support to have MFA removed from the account.
  • AWS recommends never creating access keys for the root user, because they grant full access to all of the account's resources, including billing information, and cannot be scoped down.
  • AWS also recommends not using the root user for day-to-day activities. The short list of tasks that still require the root user is in this link; everything else should be done with an IAM user or role.

Resources

  1. AWS Well Architected Labs

  2. AWS Organizations Documentation

  3. IAM Identity Center

  4. Read more on AWS Control Tower

  5. AWS Organizations & AWS IAM Tutorial For Beginners by Cloud Security Podcast
