‹ some kind of sorcery

Creating and securing your first AWS account

Oct 16, 2021

Signing up for AWS is straightforward, and with a few extra steps you can keep your account secure from the start. This guide will show you how to create and secure your first AWS account.

Step 1.0: Create an AWS account

Follow these instructions and create an AWS account. The AWS account is free, but you’ll need to add a payment method for any resources you create that are not covered under the AWS free tier. Although the free tier is generous, you’ll want to keep an eye on your billing statements just in case.

Step 2.0: Log in as the root user & secure your AWS account

Log in to the console here: https://console.aws.amazon.com/ - select “Root user” and log in with the email and password you used to create your AWS account.

After logging in, familiarize yourself with the top navigation bar:

AWS Console Overview

Step 2.1: Securing the root user account

The account you just created is the root account, which in general should be used for initial setup and recovery in case you get locked out. For day-to-day work, you’ll create and use an administrator account instead of using the root account.

First, navigate to the Identity and Access Management (IAM) section and activate Multi-Factor Authentication (MFA) for the root account. Using MFA adds an extra layer of security in case someone tries to access your account. There are many MFA apps available, and my preference is Authy since they provide both desktop and mobile apps that are easy to use.

Step 2.2: Creating a user account

In order to create resources in AWS, you’ll need to create a user account to log in with that is different from the root account you just created.

Navigate to the IAM users section and click “Add users” in the upper right corner. Enter your desired username and tick both boxes under “Access type”: programmatic access and AWS Management Console access. For the “Console Password” field, select “Custom Password” and enter the password you want to use to log in, like this:

AWS IAM Create User Overview

Click “Next: Permissions” and you’ll grant yourself administrator permissions.

Step 2.3: Creating the administrators user group

On this page, click “Create group” and do the following:

  • provide a name for the group (“administrators” in this example)
  • check the box next to “Administrator Access”
  • click “Create Group”

After creation, the group will be selected automatically, so click “Next: Tags” to continue. You don’t need to add any tags, so click “Next: Review” to finish creating the admin user.

AWS IAM Create Group Overview

AWS IAM Admin Group Overview

AWS IAM Admin Select User Group

AWS IAM Admin User Review Step

Step 2.4: Finish creating the user

AWS IAM Admin Create User Step

Step 2.5: Download the user credentials CSV

Click “Download .csv” and you’ll get a file that looks like this:

User name,Password,Access key ID,Secret access key,Console login link
phoebe,<password>,AKIA3PO...,<secret access key>,https://<account id>.signin.aws.amazon.com/console

AWS IAM Admin Add User Confirm Step

AWS IAM Admin View Created User

Step 3.0: Sign in as the admin user

In steps 1 and 2, you signed in as the root user in order to create an admin user. You should use this admin account for everything AWS-related moving forward, unless you’re doing something that requires logging in as the root user. In other words, using the root user should be a last resort because it has ultimate control over your entire account.

Using the CSV file you downloaded in Step 2.5, use the username, password, and sign-in link to log in to the AWS console as the admin user. You will be prompted to change your password as soon as you log in.

AWS Sign In

AWS Sign In - Change Password

Step 3.1: Set up Multi-Factor Authentication (MFA)

Just like you did for the root account, it’s important to set up MFA for this admin account as well. The process is similar, and the steps below show how to set up MFA.

AWS IAM Add MFA

AWS IAM Select MFA Option

Description

Description

Description

Step 3.2: Sign out and sign back in to finalize MFA setup

The final step to activate MFA for your account is to log out and log back in; until then, AWS will not let you perform any actions that require MFA.

Description

Description

Step 4.0: Adding an extra layer of security with an admin role

In this example, we created a group called administrators, and all members of the group have admin privileges. Taking this a step further, we will add an extra layer of security and instead create an administrator role that anyone in the administrators group can assume. Each time you assume a role, AWS refers to it as a “session”, and the session lasts for 1 hour by default. In other words, this setup lets you become an admin for an hour at a time. For increased security, the role will also require that you authenticated with MFA when you logged in.

Step 4.1: What is a role?

In AWS terms, a role is an identity that can be assumed to temporarily escalate privileges. In this example, we’ll use a role to temporarily assume admin privileges, which is more secure than always being an admin.

Step 4.2: Sign in as the root user again

You’ll need to sign in as the root user since we’ll be modifying the permissions created earlier, and your admin user will temporarily lose admin privileges. Refer to Step 2.0 for instructions on logging into the root account.

Step 4.3: Creating the admin role

From the IAM section of the AWS console, navigate to the Roles section and click “Create role”.

This page will prompt you to select the type of “trusted entity”, which is the person, computer, or AWS service that can assume the role. In this case, select “Another AWS Account (Belonging to you or a 3rd party)”. The wording is confusing since you’ll need to enter your own account id here. Select the “Require MFA” checkbox so that any user who assumes this role has to authenticate with MFA. Click “Next: Permissions” to continue.

AWS IAM Role Trusted Entity

This next part may look familiar, since it’s the same process as Step 2.3. On the next page, select the AdministratorAccess policy. Click “Next: Tags”, and skip through the next screen by clicking “Next: Review”.

AWS IAM Role Trusted Entity Part 2

Finally, provide a name for the role, such as admin-mfa and an optional description if you’d like. Click “Create Role” and you’ll be ready to move on to the next step.

AWS IAM Role Creation Final Step

Step 4.4: Update the administrators group to refine permissions

This part involves three steps:

  • create a policy that allows the group to assume the admin-mfa role
  • attach this policy to the administrators group
  • remove the “always on” admin permissions for the administrators group

Step 4.5: Creating a policy to assume the admin-mfa role

IAM allows users to create extremely granular access permissions. This is the first step that requires a policy, which is a generic set of permissions rules. These rules can be attached to other IAM objects like groups, roles, and users. In this case, we are creating a policy that allows members of the administrators group assume the admin-mfa role. In other words, we are requiring administrators to authenticate with MFA in order to perform administrative actions.

Navigate to the IAM policies section and click “Create Policy”. Instead of the visual editor, select the “JSON” tab and enter the following snippet (using your AWS account id instead of 1234567890):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole"
            ],
            "Resource": [
                "arn:aws:iam::1234567890:role/admin-mfa"
            ]
        }
    ]
}

AWS IAM Assume Role Policy

This policy does nothing until it’s attached to another entity. Once it’s attached, it allows the entity to assume the admin-mfa role, which you’ll do in the next step.

Click “Next: Tags”, then “Next: Review” and fill in the required fields. Finally, click “Create Policy” and proceed to the next step.

AWS IAM Assume Role Policy

Step 4.6: Updating the administrators group permissions

Navigate to the IAM user groups section and find the administrators group that you created. Click on the “Permissions” tab to begin modifying permissions.

AWS IAM Remove Permission from Group

Check the box next to the “Administrator Access” permission and click “Remove”. We no longer want users in this group to have admin privileges by default. Instead, we will give these users permission to assume the admin-mfa role that gives them admin privileges.

AWS IAM Remove Permission from Group

Click “Add permissions” (which opens a dropdown) and select “Attach policies”.

AWS IAM Remove Permission from Group

On the next screen, select the role you created; in this example, it’s named assume-admin-role.

AWS IAM Remove Permission from Group

Scroll down and click “Add permissions” to finish adding this policy to the group.

AWS IAM Remove Permission from Group

AWS IAM Remove Permission from Group

Step 4.7: Assuming the admin-mfa role as a non-root user

Log out of the root user account and log into the administrator account you created earlier. Navigate to the Identity and Access Management (IAM) section

You’ll see a bunch of red error messages because you no longer have permission to do anything in AWS, other than assume a role called admin-mfa. Other than that, all you can do is log in.

AWS IAM No Permissions

To switch roles, click your username in the upper right to activate the dropdown.

AWS IAM User Dropdown

Click “Switch Role”.

AWS IAM User Dropdown

Enter your account id and the role admin-mfa, then click “Switch Role”.

AWS IAM User Dropdown

You’ll be redirected to the IAM console, and you’ll no longer see errors and red text boxes. Notice in the upper right that it now says admin-mfa @ <account id> rather than your username, which means that you’ve assumed the admin-mfa role.

AWS IAM User Dropdown

Summary

In this guide, you learned how to:

  • Create an AWS account with a root user
  • Secure the root user with multi-factor authentication
  • Create a user group with administrator permissions
  • Create a non-root user, secured with MFA
  • Create an admin role for users to assume, rather than always having admin permissions

Next Steps

Now that you have a secure AWS account and a safe way to perform administrative tasks, the next step will be deploying infrastructure in the cloud. You can create resources in AWS through the console, but it’s slow and error-prone. As an alternative, you can use the AWS Command Line Interface (CLI) to interact with AWS from the command line instead of the website. Taking that one step further, you can use Terraform to manage your infrastructure as code and deploy it in a safe, reliable, and maintainable way.

🏷