Saturday, June 17, 2017

Amazon AWS - first steps after creating an account

After creating an account in Amazon AWS, there are a couple of steps to be done before you start provisioning resources. This is all fairly well described in the AWS documentation, so the info below just summarizes the steps:

What you want to do is first add some additional security to the root user and then create an IAM user with admin rights that will be used going forward. The root user should not be used for day-to-day work.


  1. Log into https://console.aws.amazon.com 
  2. Go to Services -> IAM
  3. Under Security Status it will state that you have already deleted your root access keys. That is because you haven't created any (this is not the same as your account password; access keys are used to e.g. sign programmatic requests made through an SDK or the REST API).
  4. Before enabling multi-factor authentication (MFA), you need a software MFA app. Google Authenticator is a free app for both iPhone and Android. Download this app to your phone.
  5. To enable MFA under IAM, go to: Security Status -> Activate MFA on your root account -> Manage MFA. This will open a simple wizard. Choose software MFA. A bar code will be presented that should be scanned from the phone. Open Google Authenticator, click the '+' sign and choose 'Scan barcode'. This will add an entry in the app. Type in two consecutive codes in the wizard and that's it. Next time you log in to the account, it will prompt for the six-digit code after you enter the password.
  6. To create a new user and group for daily use, go to Services -> IAM -> Users -> Add user. This will open a wizard. If you haven't done so already, you'll be prompted to create a group as well to place the user in. This group should have full administrative access. Choose the first option in the list, 'AdministratorAccess', which grants full access.
  7. Once the user is created, a direct link to the AWS console will be created that will look something like: https://1562xxxxxxxx.signin.aws.amazon.com/console
  8. To create access keys for the user, go to IAM -> Users -> choose the user -> Security credentials tab -> click Create Access Key. This will let you do a one-time download of the Access Key ID and the Secret Access Key.
  9. On the same Security credentials tab, MFA can be enabled for this user by clicking the pencil next to 'Assigned MFA device'. The wizard will be the same as for the root user. When scanning the bar code, a second entry will show up in Google Authenticator, see screen dump below (so one for the root account and one for the user).
  10. As a last step you can apply a password policy to your IAM users to make all the check boxes green, see screen dump below.
  11. Done. Now you can log out from your root account and only use the admin user going forward (which should be used for creating further users and groups to do the actual work).
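Once the steps above are done, IAM's credential report is a convenient way to verify the result (no root access keys, MFA on root, MFA on every user with a console password). The script below is an added example, not part of the original post: it audits a constructed report sample that uses a subset of the real report's columns, with a made-up account id and user names.

```python
from __future__ import annotations

import csv
import io

# Constructed sample rows in the column layout of an IAM credential report
# (a subset of the real report's columns; account id and user names made up).
# In a real account the CSV comes from:
#   aws iam generate-credential-report
#   aws iam get-credential-report --query Content --output text | base64 -d
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::123456789012:root,not_supported,true,true,false
admin,arn:aws:iam::123456789012:user/admin,true,true,true,false
deploy,arn:aws:iam::123456789012:user/deploy,true,false,true,false
ci-bot,arn:aws:iam::123456789012:user/ci-bot,false,false,true,false
"""

ROOT = "<root_account>"  # literal user name AWS uses for the root row


def audit_credential_report(report_csv: str) -> list[str]:
    """Check a credential report against the setup rules from the post.

    Rules: root has no active access keys, root has MFA active, and every
    user who can log in to the console (password_enabled == "true") has
    MFA active. A key-only user such as ci-bot is not flagged for MFA.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        mfa = row["mfa_active"] == "true"
        key_active = any(row[f"access_key_{n}_active"] == "true" for n in (1, 2))
        if user == ROOT:
            if key_active:
                findings.append("root: active access key present, delete it")
            if not mfa:
                findings.append("root: MFA not enabled")
        elif row["password_enabled"] == "true" and not mfa:
            findings.append(f"{user}: console password enabled but no MFA")
    return findings


if __name__ == "__main__":
    for finding in audit_credential_report(SAMPLE_REPORT) or ["no findings"]:
        print(finding)
```

Run against the sample it reports the root access key and the `deploy` user without MFA; the `admin` user created in steps 6 to 9 passes.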