
Five Things you Must Do Immediately After Creating an AWS Account


The first thing users do when signing up to AWS is fill out the form, input card details, get the card details validated, and then gain access to the AWS Management console.

It is tempting to go ahead and start creating the services and resources you need to deploy your application and get on with the business you came for. But you have to slow down at this point, because a fresh account does not have the best security configuration. This exposes your shiny new AWS account to several kinds of attack that can compromise it. Malicious users are constantly scanning the internet for loopholes to exploit, and a new AWS account is no exception. So it is essential to configure some basic security features in your AWS account, so that the baseline is covered before you create any resource or service in it.

The following are five configurations that must be enabled before creating any services in a new AWS account:

  • Enable Root MFA
  • Create IAM Users
  • Enable MFA for IAM Users
  • Do not log in with root for daily management
  • Enable CloudTrail

1. Enable Root MFA

When an AWS account is created for the first time, the login credentials for that account are an email address and a password. This first identity is called the “root user”. It has the highest privileges in the AWS account, which means it has access to all 200+ AWS services. Because of this administrator-level access, the password used for this account must be strong. Generate it with a tool such as the LastPass Password Generator, or any other password generator, so that you get a long random string of letters, digits and symbols rather than something memorable.

To further protect the root user, the next step is to enable Multi-Factor Authentication, or MFA for short. This is configured while logged in as the root user. It adds another layer of authentication on top of the password, which improves the overall security of your AWS account. There are several options for the MFA device: a passkey or security key, an authenticator app, or a hardware TOTP token.

Now that we understand the importance of MFA, let us learn how to enable it in our AWS account.

Steps to Enable Root MFA in AWS

To enable Multi-Factor Authentication (MFA) for the AWS root user account, follow these steps:

Step 1: Sign in as the Root User

  • Log in using the root user credentials (email address and password).

Step 2: Navigate to the Security Settings

  • Click on your account name (or the account alias) in the upper-right corner of the AWS Management Console.
  • Select Account from the dropdown menu.
  • In the Account Settings page, locate the Root user Multi-Factor Authentication (MFA) section.

Step 3: Enable MFA

  • Click on Activate MFA.
  • Choose the type of MFA device to enable: Virtual MFA device (e.g., Authenticator apps like Google Authenticator, Authy, or AWS MFA) or Hardware MFA device (e.g., YubiKey or similar).

Step 4: Configure the MFA Device

For a Virtual MFA Device:

  • Install a compatible authenticator app on your mobile device.
  • Scan the QR code displayed in the console using the app.
  • Enter the two consecutive OTPs (one-time passwords) generated by the app into the console.

For a Hardware MFA Device:

  • Follow the on-screen instructions to associate your hardware MFA device with your root account.

Step 5: Verify and Save

  • Once the OTPs are validated, AWS will confirm the successful setup of MFA.
  • Click Finish to enable MFA.

Step 6: Test MFA

The next time you log in as the root user, AWS will prompt you to provide both your password and the OTP from your MFA device.

Let us look at another setup step that needs to be done before the newly created AWS account is ready to deploy and run our workloads.

2. Create IAM Users

It is important to note that using the root account for the daily management of an AWS account is bad practice. It exposes the account to the possibility of root access being exploited. Instead, create IAM users and use them for managing the account. This means that whenever you need to create a service in the AWS account, for example an EC2 instance, an S3 bucket, an EKS cluster, or any other resource, an IAM user should be used to create it. The IAM user's password should be as strong as the root password, but it must be a different password, never the root password itself. These are the steps needed to create an IAM user in AWS.

Steps to Create an IAM User in AWS

To create an IAM (Identity and Access Management) user via the AWS Management Console, follow these steps:

Step 1: Open the IAM Console

  • Navigate to the IAM Console by searching for IAM in the search bar or selecting it from the services menu.

Step 2: Access the Users Section

  • In the IAM console dashboard, select Users from the left-hand navigation pane.
  • Click the Add Users button.

Step 3: Specify User Details

  • User Name: Enter a unique name for the user (e.g., JohnDoe). (You can create multiple users at once by entering additional names.)
  • Access Type: Choose the type of access the user will have.
  • Programmatic Access: for API, CLI, or SDK access; generates an access key ID and a secret access key.
  • AWS Management Console Access: allows the user to log in to the AWS Console. If selected, specify a custom password or enable an auto-generated password.

Step 4: Set Permissions

Choose one of the following methods to assign permissions:

  • Add User to a Group: Select an existing IAM group with predefined permissions.
  • Attach Policies Directly: Attach policies (e.g., AdministratorAccess, ReadOnlyAccess) directly to the user.
  • Copy Permissions from Existing User: Duplicate permissions from another IAM user.
  • Set Permissions Boundary (Optional): Define the maximum permissions the user can have.

Step 5: Configure Tags (Optional)

Add metadata to the user by specifying key-value pairs (e.g., Department: IT or Project: Alpha).

Step 6: Review and Create

  • Review the user details, including permissions and tags.
  • Click Create User.

Step 7: Retrieve Credentials

  • After creation, you’ll see a success screen with the user’s Access Key ID, Secret Access Key, and/or Console Login Details.
  • Important: Download the credentials or copy them securely. This is the only time AWS displays the secret access key.

Step 8: Provide User Access Details

Once the IAM user is created, an additional layer of security should be implemented, similar to what was done for the root user.

3. Enable MFA for IAM Users

In the first point we enabled MFA for the root user; the same MFA needs to be enabled for every IAM user to improve the security of those identities. Currently there is no setting in the AWS IAM Console that forces IAM users to enrol an MFA device, so users have to be educated about enabling MFA on their own accounts.
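Although the console offers no enrollment switch, AWS does document an IAM policy pattern that denies every request not authenticated with MFA, except the calls a user needs to enrol their own device. The Python below is an added example written for this article, not code from the post or from AWS: it holds such a policy as a Python dict and runs a deliberately simplified model of IAM evaluation over it (explicit deny wins, then allow, else implicit deny; only Action/NotAction and the Bool/BoolIfExists operators are modelled, resources are ignored). The statement names, the "AllowDailyWork" statement and the action list are illustrative.

```python
import json

# Illustrative policy in the shape AWS documents for requiring MFA:
# let a user manage their own MFA device, deny everything else unless
# the request was MFA-authenticated. "AllowDailyWork" is only here so
# the effect of the deny is visible in the evaluation below.
MFA_ENFORCEMENT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowManageOwnMFA",
            "Effect": "Allow",
            "Action": ["iam:ListMFADevices", "iam:CreateVirtualMFADevice",
                       "iam:EnableMFADevice", "iam:ResyncMFADevice", "iam:GetUser"],
            "Resource": ["arn:aws:iam::*:mfa/${aws:username}",
                         "arn:aws:iam::*:user/${aws:username}"],
        },
        {
            "Sid": "DenyAllExceptListedIfNoMFA",
            "Effect": "Deny",
            "NotAction": ["iam:ListMFADevices", "iam:CreateVirtualMFADevice",
                          "iam:EnableMFADevice", "iam:ResyncMFADevice",
                          "iam:GetUser", "sts:GetSessionToken"],
            "Resource": "*",
            "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
        },
        {
            "Sid": "AllowDailyWork",   # illustrative: stands in for the user's real permissions
            "Effect": "Allow",
            "Action": ["s3:ListAllMyBuckets"],
            "Resource": "*",
        },
    ],
}


def _listed(value):
    return [value] if isinstance(value, str) else list(value)


def _action_matches(stmt, action):
    """Action / NotAction matching; only the bare '*' wildcard is modelled."""
    if "Action" in stmt:
        return any(a in ("*", action) for a in _listed(stmt["Action"]))
    return not any(a in ("*", action) for a in _listed(stmt["NotAction"]))


def _condition_matches(condition, context):
    """Only Bool and BoolIfExists are modelled.

    A missing context key satisfies BoolIfExists but never satisfies Bool.
    Requests signed with long-term access keys carry no
    aws:MultiFactorAuthPresent key at all, which is why the AWS pattern
    uses BoolIfExists: with plain Bool, access keys would bypass the deny.
    """
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            if key not in context:
                if operator == "BoolIfExists":
                    continue
                return False
            if str(context[key]).lower() != str(expected).lower():
                return False
    return True


def evaluate(policy, action, context):
    """Simplified decision: 'deny' if any Deny matches, else 'allow' if any
    Allow matches, else 'implicit-deny'. Resource matching is ignored."""
    decision = "implicit-deny"
    for stmt in policy["Statement"]:
        if not _action_matches(stmt, action):
            continue
        if "Condition" in stmt and not _condition_matches(stmt["Condition"], context):
            continue
        if stmt["Effect"] == "Deny":
            return "deny"          # an explicit deny overrides every allow
        decision = "allow"
    return decision


def policy_with_operator(operator):
    """Deep copy of the policy with the deny's condition operator swapped."""
    policy = json.loads(json.dumps(MFA_ENFORCEMENT_POLICY))
    deny = next(s for s in policy["Statement"] if s["Effect"] == "Deny")
    deny["Condition"] = {operator: {"aws:MultiFactorAuthPresent": "false"}}
    return policy


if __name__ == "__main__":
    mfa_session = {"aws:MultiFactorAuthPresent": "true"}
    long_term_key = {}   # the key is absent for plain access-key requests
    print("MFA session, list buckets:", evaluate(MFA_ENFORCEMENT_POLICY, "s3:ListAllMyBuckets", mfa_session))
    print("access key, list buckets: ", evaluate(MFA_ENFORCEMENT_POLICY, "s3:ListAllMyBuckets", long_term_key))
    print("access key, enrol MFA:    ", evaluate(MFA_ENFORCEMENT_POLICY, "iam:EnableMFADevice", long_term_key))
    print("same policy with Bool:    ", evaluate(policy_with_operator("Bool"), "s3:ListAllMyBuckets", long_term_key))
```

The last line of the usage is the check worth remembering: swapping `BoolIfExists` for `Bool` silently lets requests signed with long-term access keys through, because those requests carry no `aws:MultiFactorAuthPresent` key for the condition to test. Before attaching such a policy to real users, test it with the IAM policy simulator rather than with this toy evaluator.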

These are the steps to enable MFA on an IAM user in AWS.

Steps to Enable MFA for IAM Users

To enable Multi-Factor Authentication (MFA) for an IAM user in AWS, follow these steps:

Step 1: Open the IAM Console

  • In the search bar, type IAM and select IAM from the results.

Step 2: Access the User Management Page

  • In the IAM console, click Users in the left-hand navigation pane.
  • Select the IAM user for whom you want to enable MFA.

Step 3: Navigate to the Security Credentials Tab

  • In the user details page, click the Security Credentials tab.
  • Scroll down to the Multi-Factor Authentication (MFA) section.

Step 4: Add MFA Device

  • Click Assign MFA Device.
  • Choose the type of MFA device you want to enable: Virtual MFA Device (e.g., Google Authenticator, Authy), Hardware MFA Device (e.g., YubiKey or a similar device).

Step 5: Configure the MFA Device

For a Virtual MFA Device:

  • Open a compatible authenticator app on your mobile device.
  • Scan the QR code displayed in the console using the app.
  • Enter the two consecutive codes generated by the app into the console.

For a Hardware MFA Device:

  • Follow the on-screen instructions to associate the device.
  • Enter the codes generated by your hardware device as prompted.

Step 6: Verify and Activate

  • After entering the correct codes, click Assign MFA to enable it for the user.
  • You will see a confirmation message indicating that MFA has been successfully enabled.

Step 7: Test the MFA

  • Ask the IAM user to log in to ensure they are prompted to provide an MFA code during authentication.

4. Do Not Log in with the Root User for Daily Management

Frequent login to AWS using the root account is strongly discouraged because the root user has unrestricted access to all resources and services in the account, making it a critical security risk if compromised. Root account misuse can lead to accidental or malicious changes, including resource deletion, disabling security settings, or unauthorized billing charges. Instead, best practices dictate using IAM users or roles with the principle of least privilege, granting only the permissions necessary for specific tasks. By limiting root account usage to essential tasks like initial setup or account recovery and securing it with MFA, you significantly reduce the risk of security incidents.
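Sections 1, 3 and 4 (root MFA, IAM-user MFA, and keeping the root user out of daily use) can all be verified from one place, the IAM credential report, instead of clicking through every user. The Python below is an added example written for this article, not code from the post or from AWS. It parses a constructed sample laid out like the CSV that `aws iam get-credential-report` returns (the API returns it base64-encoded; the sample is already decoded) using the column names AWS documents, and lists the gaps. The account id, user names and dates are made up, and only the columns the check reads are included.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the layout of the decoded credential report.
# Only the columns this check reads are kept; the real report carries more
# (key rotation dates, certificates, ...). Account id, names, dates: made up.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::111122223333:root,2024-01-05T10:00:00+00:00,not_supported,2024-06-01T08:12:00+00:00,not_supported,false,true,false
alice,arn:aws:iam::111122223333:user/alice,2024-01-06T09:00:00+00:00,true,2024-06-02T07:30:00+00:00,2024-01-06T09:00:00+00:00,true,true,false
bob,arn:aws:iam::111122223333:user/bob,2024-01-07T09:00:00+00:00,true,no_information,2024-01-07T09:00:00+00:00,false,false,false
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,2024-01-08T09:00:00+00:00,false,N/A,N/A,false,true,false
"""

# Fixed "current time" so the sample audit is reproducible.
SAMPLE_NOW = datetime(2024, 6, 10, tzinfo=timezone.utc)

ROOT_USER = "<root_account>"   # how the report names the root row


def parse_credential_report(csv_text):
    """Turn the decoded report into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def parse_time(value):
    """Report timestamps are ISO 8601; placeholders such as N/A become None."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(rows, now, root_quiet_days=90):
    """Return human-readable findings for the baseline checks in this post.

    - root must have MFA, must have no access keys, and should not be used
      for routine logins (here: no console login in the last 90 days);
    - every IAM user with a console password must have MFA.
    """
    findings = []
    for row in rows:
        user = row["user"]
        mfa_active = row["mfa_active"] == "true"
        keys_active = (row["access_key_1_active"] == "true"
                       or row["access_key_2_active"] == "true")
        if user == ROOT_USER:
            if not mfa_active:
                findings.append("root: MFA not enabled")
            if keys_active:
                findings.append("root: active access key present")
            last_used = parse_time(row["password_last_used"])
            if last_used and now - last_used < timedelta(days=root_quiet_days):
                findings.append(f"root: console password used on {last_used.date()}")
        elif row["password_enabled"] == "true" and not mfa_active:
            findings.append(f"{user}: console password enabled without MFA")
    return findings


def run_sample_audit():
    """Audit the constructed sample; returns the list of findings."""
    return audit_credential_report(parse_credential_report(SAMPLE_REPORT), SAMPLE_NOW)


if __name__ == "__main__":
    for finding in run_sample_audit():
        print(finding)
```

Users with programmatic access only (like `deploy-bot` in the sample) are deliberately not flagged for missing MFA, because MFA guards console sessions; their risk is the long-lived access key, which the IAM policy shown under section 3 is one way to bring under MFA as well. Running this against a real report as part of the routine checks the conclusion recommends turns "check that everyone has MFA" into a repeatable, scriptable control.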

The last thing to do before the account is ready for workload deployment is to enable the auditing tool in AWS that records every API call and user activity that occurs in the account.

5. Enable CloudTrail

Enabling AWS CloudTrail from the outset is crucial for security because it provides a detailed log of all API calls and actions taken in your account, offering visibility into user activity and service usage. This helps detect unauthorized access, investigate security incidents, and maintain accountability. CloudTrail also supports compliance with regulations by enabling audit trails, allows integration with monitoring tools like CloudWatch for real-time alerts, and ensures that high-privilege actions are tracked. By enabling CloudTrail, you establish a strong security baseline to safeguard your AWS resources and data.

Steps to Enable CloudTrail

To enable AWS CloudTrail from the Amazon Console UI, follow these steps:

Step 1: Open the CloudTrail Console

  • In the search bar, type CloudTrail and select CloudTrail from the results.

Step 2: Create a Trail

  • Click on Trails in the left navigation pane.
  • Click the Create Trail button.

Step 3: Configure Trail Settings

  • Trail Name: Enter a descriptive name for your trail (e.g., MyAccountTrail).
  • Apply Trail to All Regions: Enable this option to log activities across all AWS regions (recommended for multi-region accounts).

Step 4: Choose Storage for Logs

  • S3 Bucket: Choose an existing S3 bucket or create a new one for storing CloudTrail logs. If creating a new bucket, provide a name (e.g., cloudtrail-logs-accountname) and set appropriate permissions; optionally enable S3 Object Lock for immutable logs.
  • Log File Encryption: Use the default encryption with an AWS-managed key or choose a custom KMS key for added security.

Step 5: Enable Event Types

  • Management Events: Ensure Read/Write events are enabled to log account management actions.
  • Choose All Management Events for comprehensive logging.
  • Data Events (Optional): Enable logging for specific S3 buckets or Lambda functions if detailed data access logging is needed.
  • Insight Events (Optional): Enable CloudTrail Insights to detect unusual activity patterns.

Step 6: Configure CloudWatch Logs (Optional)

  • To monitor logs in real time, enable integration with CloudWatch Logs: specify an existing CloudWatch Logs group or create a new one, then assign or create an IAM role that allows CloudTrail to publish logs to CloudWatch.

Step 7: Review and Create

  • Review your trail settings to ensure they meet your requirements.
  • Click Create Trail to finalize the setup.

Step 8: Validate Logging

  • Perform an activity in your account (e.g., create or delete a resource).
  • Check your S3 bucket or CloudTrail Console to confirm the logs are being generated.

By following these steps, you ensure CloudTrail is active and logging critical events, enhancing the security and auditability of your AWS environment.
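A trail is only useful if somebody reads it. The Python below is an added example written for this article, not code from the post or from AWS: it loads a constructed CloudTrail log file, in the JSON record format CloudTrail delivers to S3, and flags three things this post cares about: any activity by the root user, a successful console login without MFA, and API calls that switch off logging or remove an MFA device. The account id, user names, IP addresses and timestamps are made up, and the rule names are mine.

```python
import json

# Constructed CloudTrail log file: the object CloudTrail writes to S3 holds
# one "Records" array. Field names follow the CloudTrail record format;
# account id, names, addresses and times are made up.
SAMPLE_LOG_FILE = json.dumps({"Records": [
    {   # root console login without MFA: two alerts expected
        "eventVersion": "1.08", "eventTime": "2024-06-03T09:15:00Z",
        "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
        "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "Root", "accountId": "111122223333",
                         "arn": "arn:aws:iam::111122223333:root"},
        "responseElements": {"ConsoleLogin": "Success"},
        "additionalEventData": {"MFAUsed": "No"},
    },
    {   # IAM user login with MFA: nothing to report
        "eventVersion": "1.08", "eventTime": "2024-06-03T09:40:00Z",
        "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
        "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "IAMUser", "accountId": "111122223333",
                         "arn": "arn:aws:iam::111122223333:user/alice",
                         "userName": "alice"},
        "responseElements": {"ConsoleLogin": "Success"},
        "additionalEventData": {"MFAUsed": "Yes"},
    },
    {   # someone turning the trail off: control tampering
        "eventVersion": "1.08", "eventTime": "2024-06-03T10:02:00Z",
        "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
        "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "IAMUser", "accountId": "111122223333",
                         "arn": "arn:aws:iam::111122223333:user/bob",
                         "userName": "bob"},
        "requestParameters": {"name": "MyAccountTrail"},
    },
    {   # ordinary work by an IAM user: nothing to report
        "eventVersion": "1.08", "eventTime": "2024-06-03T10:30:00Z",
        "eventSource": "s3.amazonaws.com", "eventName": "CreateBucket",
        "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "IAMUser", "accountId": "111122223333",
                         "arn": "arn:aws:iam::111122223333:user/alice",
                         "userName": "alice"},
        "requestParameters": {"bucketName": "example-app-data"},
    },
]})

# API calls that weaken the controls this post sets up.
CONTROL_TAMPERING = {
    "StopLogging", "DeleteTrail", "UpdateTrail",
    "DeactivateMFADevice", "DeleteVirtualMFADevice",
}


def load_records(log_file_text):
    """Parse one CloudTrail log file and return its Records list."""
    return json.loads(log_file_text)["Records"]


def actor_of(record):
    """Name the principal: 'root' for the root user, else the IAM user name."""
    identity = record.get("userIdentity", {})
    if identity.get("type") == "Root":
        return "root"
    return identity.get("userName") or identity.get("arn", "unknown")


def detect(records):
    """Return (rule, actor, eventName, eventTime) tuples, one per alert."""
    alerts = []
    for r in records:
        actor = actor_of(r)
        name = r.get("eventName", "")
        when = r.get("eventTime", "")
        if actor == "root":
            alerts.append(("root-activity", actor, name, when))
        if (name == "ConsoleLogin"
                and r.get("responseElements", {}).get("ConsoleLogin") == "Success"
                and r.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
            alerts.append(("console-login-without-mfa", actor, name, when))
        if name in CONTROL_TAMPERING:
            alerts.append(("security-control-tampering", actor, name, when))
    return alerts


def run_sample_detection():
    """Run the rules over the constructed log file."""
    return detect(load_records(SAMPLE_LOG_FILE))


if __name__ == "__main__":
    for rule, actor, name, when in run_sample_detection():
        print(f"{when} {rule:28} {actor:8} {name}")
```

In a real deployment the same three conditions would normally be expressed as CloudWatch Logs metric filters or EventBridge rules on the trail configured in Step 6, so that they raise an alert within minutes rather than waiting for someone to download the S3 objects. The script is the offline form of those rules and is handy for checking a delivered log file by hand in Step 8.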

Conclusion

These operations are important for the baseline security of your AWS account. Many accounts without MFA are compromised every year, and accounts that use the root user for daily operations instead of IAM users are especially susceptible to these attacks. Ensuring that every IAM user has MFA matters just as much as protecting the root user with it.
Lastly, routinely checking these configurations for compliance is a good habit for a company to adopt, so that gaps can be spotted and mitigated early.

