Protecting the AWS Root User
When you first access AWS, you begin with a single sign-in identity known as the root user.
AWS root user
When you first create an AWS account, you begin with a single sign-in identity that has complete access to all AWS services and resources in the account. This identity is called the AWS root user and is accessed by signing in with the email address and password that were used to create the account.
AWS root user credentials
The AWS root user has two sets of credentials associated with it. One set of credentials is the email address and password that were used to create the account. This allows you to access the AWS Management Console. The second set of credentials is called access keys, which allow you to make programmatic requests from the AWS Command Line Interface (AWS CLI) or AWS API.
Access keys consist of two parts:
Access key ID: for example, A2lAl5EXAMPLE
Secret access key: for example, wJalrFE/KbEKxE
Similar to a user name and password combination, you need both the access key ID and secret access key to authenticate your requests through the AWS CLI or AWS API. Access keys should be managed with the same security as an email address and password.
AWS root user best practices
The root user has complete access to all AWS services and resources in your account, including your billing and personal information. Therefore, you should securely lock away the credentials associated with the root user and not use the root user for everyday tasks. Visit the links at the end of this lesson to learn more about when to use the AWS root user.
To ensure the safety of the root user, follow these best practices:
1. Choose a strong password for the root user.
2. Enable multi-factor authentication (MFA) for the root user.
3. Never share your root user password or access keys with anyone.
4. Disable or delete the access keys associated with the root user.
5. Create an Identity and Access Management (IAM) user for administrative tasks or everyday tasks.
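The following is an added example, not AWS's own code, showing how to check practices 2, 4 and 5 above from two things the IAM API already gives you: the account credential report (the CSV you get from `aws iam generate-credential-report` followed by `aws iam get-credential-report --query Content --output text | base64 -d`) and the map returned by `aws iam get-account-summary`. The report rows and the summary dictionary below are constructed sample data, not from a real account; the function names are the example's own.

```python
"""Audit the AWS root user against the best practices listed in the lesson.

Added example, not AWS's code. Input is a credential report CSV (root appears as
the user `<root_account>`) and/or an account summary map. Sample data below is
constructed: a root user that still has an active access key, no MFA, and a
recent console sign-in, plus one IAM user.
"""
import csv
import io
from datetime import datetime, timedelta

ROOT_USER = "<root_account>"

# Constructed sample credential report (real reports have the same columns).
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2023-01-01T00:00:00+00:00,not_supported,2024-05-01T09:15:00+00:00,not_supported,not_supported,false,true,2023-01-01T00:00:00+00:00,2024-04-30T12:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
admin,arn:aws:iam::123456789012:user/admin,2023-02-01T00:00:00+00:00,true,2024-05-02T08:00:00+00:00,2024-01-15T00:00:00+00:00,2024-04-14T00:00:00+00:00,true,true,2024-01-15T00:00:00+00:00,2024-05-02T08:00:00+00:00,us-east-1,iam,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

# Same constructed report with the root row fixed: MFA on, key deleted, no sign-in.
HARDENED_REPORT = (
    SAMPLE_REPORT.replace(",false,true,2023-01-01", ",true,false,2023-01-01")
    .replace("2024-05-01T09:15:00+00:00", "no_information")
)

# Constructed sample of the SummaryMap from `aws iam get-account-summary`.
SAMPLE_SUMMARY = {"AccountMFAEnabled": 0, "AccountAccessKeysPresent": 1, "Users": 1}


def root_findings(report_csv: str, now_iso: str, recent_days: int = 90) -> list:
    """Return the root-user practices the credential report shows as unmet.

    `now_iso` is the audit time (ISO 8601 with offset) used to decide whether a
    root console sign-in counts as recent everyday use.
    """
    rows = list(csv.DictReader(io.StringIO(report_csv)))
    root = next((r for r in rows if r["user"] == ROOT_USER), None)
    if root is None:
        return ["root user row missing from credential report"]

    findings = []
    if root["mfa_active"] != "true":
        findings.append("practice 2: MFA is not enabled on the root user")
    for slot in ("access_key_1_active", "access_key_2_active"):
        if root[slot] == "true":
            findings.append(f"practice 4: root user has an active access key ({slot})")

    last_used = root["password_last_used"]
    if last_used not in ("no_information", "N/A", ""):
        now = datetime.fromisoformat(now_iso)
        if now - datetime.fromisoformat(last_used) < timedelta(days=recent_days):
            findings.append(
                f"practice 5: root password used on {last_used}; "
                "use an IAM identity for everyday tasks"
            )
    if not any(r["user"] != ROOT_USER for r in rows):
        findings.append("practice 5: no IAM user exists for administrative tasks")
    return findings


def summary_findings(summary: dict) -> list:
    """Same two checks from the account summary (keys are real SummaryMap keys)."""
    findings = []
    if summary.get("AccountMFAEnabled", 0) != 1:
        findings.append("practice 2: AccountMFAEnabled is 0, root user has no MFA device")
    if summary.get("AccountAccessKeysPresent", 0) != 0:
        findings.append("practice 4: AccountAccessKeysPresent is 1, root user still has access keys")
    return findings


if __name__ == "__main__":
    for f in root_findings(SAMPLE_REPORT, "2024-05-10T00:00:00+00:00"):
        print("credential report:", f)
    for f in summary_findings(SAMPLE_SUMMARY):
        print("account summary:", f)
```

Practice 1 (password strength) and practice 3 (not sharing credentials) are not visible in either data source, so they are out of scope for this check; the credential report is the better source for a scheduled audit because it also shows when the root password was last used.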
Multi-factor authentication
When you create an AWS account and first log in to the account, you use single-factor authentication. Single-factor authentication is the simplest and most common form of authentication. It only requires one authentication method. In this case, you use a user name and password to authenticate as the AWS root user. Other forms of single-factor authentication include a security pin or a security token.
However, sometimes a user’s password is easy to guess. For example, your coworker Rahul’s password, iplayfootball225, might be easy for someone who knows Rahul personally to guess, because it’s a combination of information that is easy to remember and includes certain facts about Rahul (Rahul likes to play football, and his birthday is February 25). If a bad actor guessed or cracked Rahul’s password through social engineering, bots, or scripts, Rahul might lose control of his account. Unfortunately, this is a common scenario that users of any website often face. This is why using multi-factor authentication (MFA) is important in preventing unwanted account access.
MFA requires two or more authentication methods, drawn from three categories of information, to verify an identity.
With a combination of this information, systems can provide a layered approach to account access. So even if the first method of authentication, like Rahul’s password, is cracked by a malicious actor, the second method of authentication, such as a fingerprint, provides another level of security. This extra layer of security can help protect your most important accounts, which is why you should activate MFA on your AWS root user.
Supported MFA devices
AWS supports a variety of MFA mechanisms, such as virtual MFA devices, hardware time-based one-time password (TOTP) tokens, and FIDO security keys. To learn more, take a look at the table below. For instructions on how to set up each method, see the Resources section.
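Virtual MFA devices and hardware TOTP tokens both produce their six-digit codes with the time-based one-time password algorithm (RFC 6238, built on RFC 4226 HOTP). The block below is an added example, not AWS's code, that implements that algorithm so you can see what the device and the verifying side each compute: a shared seed, the current 30-second time step, an HMAC-SHA1, and a truncation to decimal digits. The seed used is the RFC 6238 test-vector secret, not a real device seed; the function names are the example's own.

```python
"""RFC 6238 TOTP as used by virtual MFA devices and hardware TOTP tokens.

Added example, not AWS's code. The device and the service share a seed; each
code is HMAC-SHA1(seed, current 30-second step), truncated to `digits` digits.
"""
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30                          # TOTP time step used by virtual MFA apps
RFC6238_SEED = b"12345678901234567890"     # RFC 6238 SHA-1 test-vector secret, not a real seed


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation,
    then reduce to `digits` decimal digits (zero-padded)."""
    digest = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the current time step."""
    return hotp(seed, unix_time // STEP_SECONDS, digits)


def verify_totp(seed: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Verifier side: accept the current step and +/- `window` steps of clock drift,
    comparing in constant time so timing does not leak digit matches."""
    return any(
        hmac.compare_digest(totp(seed, unix_time + drift * STEP_SECONDS), code)
        for drift in range(-window, window + 1)
    )


def seed_from_base32(text: str) -> bytes:
    """Authenticator apps store the seed as a base32 string; decode it, tolerating
    the spaces and lower case a user may have typed and missing '=' padding."""
    clean = text.replace(" ", "").upper()
    clean += "=" * (-len(clean) % 8)
    return base64.b32decode(clean)


if __name__ == "__main__":
    now = int(time.time())
    code = totp(RFC6238_SEED, now)
    print("current code:", code, "valid:", verify_totp(RFC6238_SEED, code, now))
```

Because the code depends only on the seed and the clock, a code observed once is useless 30 seconds later, which is the property that makes a guessed or phished password alone insufficient; the seed itself is the thing to protect, which is why the hardware variants, where the seed never leaves the token, are the stronger option for the root user.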