Setting Up and Securing an AWS Account

This blog post walks through setting up an AWS account for the first time. The following is a checklist for setting up a new account:

  1. Account Sign Up
  2. Root Account MFA
  3. $1 Billing Alert
  4. IAM Password Policy
  5. IAM Administrators Group Creation
  6. IAM Admin User Creation
  7. IAM Admin User MFA

The goal is to have a secure account with no nasty billing surprises outside of the free tier, so that you can use AWS with some peace of mind.

So let's get cracking on that list:

Account Sign Up

[Image: Capture1]

First we're going to need an AWS account; if you've already set this up, skip this section.

  1. Head over to https://aws.amazon.com/
  2. Click the 'Sign In to the Console' button in the top right hand corner
  3. Enter your email address and tick 'I am a new user', then click 'sign in using our secure server'
  4. The next step is to enter some basic login details. Enter your name, confirm your email address and ensure you create a complex password. This account will have full access, so it needs to be secure.
  5. We now need to set up some contact info. Tick that this is a Personal Account and enter the required details. Ensure the phone number is correct, as this is what AWS support will use to contact you if there are issues with your account, such as with your MFA access.
  6. You now need to enter some payment details. As you can start using resources outside of the free tier from the outset, AWS need a way to bill you, so these payment details are mandatory.
  7. We now need to verify the account via phone. An automated system will call you to complete this step, which is pretty cool! In the UK I had to remove the first '0' from my mobile number for this to work.
  8. Almost there. The final step is to select a support plan. As this is a personal account and we want to limit cost, select 'Basic', which is free. The Basic plan only includes support for account-related issues (billing, logon etc); no Technical Support is included. For more info on the different types of support AWS offer, go here.
  9. Now sit back and wait for AWS to verify your account. You can click on the Launch Management Console button to jump straight in, but be aware that you may get errors launching resources until your account is verified.

Root Account MFA

First, with the account set up, let's set up multi-factor authentication for the root account.

  1. Before we set things up in AWS, install an MFA application on your phone. Google Authenticator will do the trick and is available for Android, iOS and BlackBerry.
  2. In the AWS console, click on your name in the top right hand corner and then click on 'My Security Credentials'
  3. If prompted about getting started with IAM users, just click the 'Continue to Security Credentials' link.
  4. Leave Virtual MFA device selected and click Next Step
  5. Click Next at the next step as we installed the MFA app in step 1.
  6. Follow the instructions to configure the MFA app on your phone with your AWS account. This involves scanning a QR code from the MFA app and entering the codes that are generated.
  7. Once set up, you should get a prompt saying the MFA device was successfully associated.
  8. That's it. You now need your password and the MFA app to log in to your account, meaning it should be much less susceptible to being compromised.

$1 Billing Alert

Before we continue with further securing the account, let's quickly set up a billing alert.

  1. In your account, click on your name in the top right hand corner and then click on 'My Billing Dashboard'
  2. From the left hand menu, click Preferences
  3. Tick the 'Receive Billing Alerts' option and click Save preferences
  4. Click the Services drop down in the top left hand corner and click on CloudWatch, under Management Tools.
  5. In the left hand pane click Billing
  6. Click Create Alarm.
  7. Set the amount to alarm on in dollars. For example, if you want to ensure you don't exceed what's available in the free tier, add $1 here. Enter your email address for where alerts should be sent and click Create Alarm.
  8. You'll receive an email with a link to confirm the address. Once you've done that the alarm is in place.
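The console wizard above creates a CloudWatch alarm on the EstimatedCharges billing metric. The following is an added example, not code from the original post, that expresses that same alarm as the parameters for boto3's cloudwatch.put_metric_alarm() and re-implements the alarm decision locally so you can see exactly when a $1 threshold fires. The SNS topic ARN and account id are placeholders; the block makes no AWS calls. One caveat worth knowing: billing metrics are only published in us-east-1, so the alarm (and the client used to create it) must live in that region.

```python
# Added example (not from the original post): the CloudWatch billing alarm the
# console wizard creates, as put_metric_alarm() kwargs, plus a local evaluator
# that mirrors how CloudWatch compares EstimatedCharges against the threshold.
# Assumptions: the SNS topic ARN is a placeholder; no AWS call is made here.

# CloudWatch billing metrics exist only in us-east-1 (N. Virginia).
BILLING_REGION = "us-east-1"

# The comparison operators CloudWatch alarms support.
_OPERATORS = {
    "GreaterThanOrEqualToThreshold": lambda value, threshold: value >= threshold,
    "GreaterThanThreshold": lambda value, threshold: value > threshold,
    "LessThanThreshold": lambda value, threshold: value < threshold,
    "LessThanOrEqualToThreshold": lambda value, threshold: value <= threshold,
}


def billing_alarm_definition(threshold_usd, sns_topic_arn):
    """Return put_metric_alarm() kwargs for an EstimatedCharges alarm.

    EstimatedCharges only ever increases within a billing month, so the
    alarm uses the Maximum statistic over a six-hour period and fires as
    soon as a single datapoint reaches the threshold.
    """
    return {
        "AlarmName": f"billing-estimated-charges-over-{threshold_usd:g}-usd",
        "AlarmDescription": f"Estimated monthly charges reached ${threshold_usd:g}",
        "Namespace": "AWS/Billing",
        "MetricName": "EstimatedCharges",
        "Dimensions": [{"Name": "Currency", "Value": "USD"}],
        "Statistic": "Maximum",
        "Period": 21600,  # six hours, in seconds
        "EvaluationPeriods": 1,
        "Threshold": float(threshold_usd),
        "ComparisonOperator": "GreaterThanOrEqualToThreshold",
        "TreatMissingData": "notBreaching",  # no charges yet is not an alarm
        "AlarmActions": [sns_topic_arn],
    }


def evaluate_alarm(alarm, period_datapoints):
    """Local re-implementation of the alarm decision for one evaluation
    period. `period_datapoints` is the list of EstimatedCharges samples
    (USD) seen in that period; returns "ALARM", "OK" or "INSUFFICIENT_DATA".
    """
    if not period_datapoints:
        return "OK" if alarm["TreatMissingData"] == "notBreaching" else "INSUFFICIENT_DATA"
    if alarm["Statistic"] != "Maximum":
        raise ValueError("this evaluator only models the Maximum statistic")
    value = max(period_datapoints)
    breached = _OPERATORS[alarm["ComparisonOperator"]](value, alarm["Threshold"])
    return "ALARM" if breached else "OK"


if __name__ == "__main__":
    # Placeholder topic ARN; in a real account this is the SNS topic whose
    # e-mail subscription you confirm from the link AWS sends you.
    topic = "arn:aws:sns:us-east-1:123456789012:billing-alerts"
    alarm = billing_alarm_definition(1, topic)
    print(alarm["AlarmName"], evaluate_alarm(alarm, [0.0, 0.42, 1.0]))
    # To apply it for real (not executed here):
    #   import boto3
    #   boto3.client("cloudwatch", region_name=BILLING_REGION).put_metric_alarm(**alarm)
```

The evaluator is deliberately tiny: with EvaluationPeriods set to 1 and the Maximum statistic, the only question CloudWatch asks each period is whether the largest EstimatedCharges sample has reached the threshold, which is why a $1 alarm tells you about free-tier overruns within a few hours rather than at the end of the month.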

IAM Password Policy, IAM Administrators Group Creation & IAM Admin User Creation

AWS strongly advise avoiding using the root account whenever possible. Instead, an IAM user should be set up with administrative access. The IAM user can have its access revoked, or even be deleted, if it has been compromised. This cannot be done for the root account.

  1. In the top left corner of the AWS console, click Services > IAM (it's under the 'Security, Identity & Compliance' section)
  2. Click Account settings
  3. Set up a strong password policy. Ideally this should require a long password (16+ characters etc). Customise the policy to your preference and ensure 'Allow users to change their own password' is ticked. Once you are happy with the settings, click Apply password policy
  4. In the left hand panel, click Groups.
  5. Click 'Create New Group'
  6. Call the group 'Administrators' and click Next Step.
  7. Tick the 'AdministratorAccess' policy and click Next Step
  8. Review the name and that the policy attached is AdministratorAccess and then click Create Group
  9. In the left hand pane, click Users
  10. Click Add user
  11. Enter a username. This will be the account you use to interact with AWS so make the username easy to remember and use. I went with 'chris'.
  12. Select the access type. I would advise selecting only AWS Management Console access for this account, and then setting up a user with limited permissions for programmatic access.
  13. After selecting the access type, if you selected Console access you will be prompted for the Console password. Enter a strong password or let AWS auto-generate one
  14. As you have already created a strong password and this account will be used by yourself, untick the 'Require password reset' option. You can use that if you add other users to your account and you want them to generate their own password which you do not have knowledge of. Click 'Next: Permissions'
  15. Select the Administrators group we created earlier in this process and click 'Next: Review'
  16. Review the settings and then click 'Create user'
  17. If you auto generated the password, ensure you take a copy of it on the next screen or download the CSV provided which includes the password. You cannot get the password after clicking close
  18. Once you have a copy of the password, click Close.
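The eighteen console steps above amount to six IAM API calls. As an added example (my own code, not the post's), here is the same procedure in boto3 form: apply a 16-character password policy, create an Administrators group with the AWS-managed AdministratorAccess policy attached, create a console-only user with a generated password and no password-reset requirement, and add it to the group. The RecordingIam class is a stand-in client I added so the script runs offline and the calls can be inspected; pass boto3.client("iam") instead to apply it to a real account. The username 'chris' and group name are taken from the post.

```python
# Added example (not from the original post): the IAM steps from this section
# (password policy, Administrators group, console-only admin user) as boto3
# calls. RecordingIam is a stand-in client added so the script runs offline;
# pass boto3.client("iam") to apply it to a real account.
import secrets
import string

# AWS-managed policy attached to the Administrators group in the post.
ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"

# Password policy matching the post's advice: long passwords, every character
# class required, and users allowed to change their own password.
PASSWORD_POLICY = {
    "MinimumPasswordLength": 16,
    "RequireSymbols": True,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,
}

# Symbols IAM accepts in console passwords.
IAM_SYMBOLS = "!@#$%^&*()_+-=[]{}|'"


def generate_console_password(length=24):
    """Generate a random password that satisfies PASSWORD_POLICY."""
    alphabet = string.ascii_letters + string.digits + IAM_SYMBOLS
    while True:
        password = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in password)
                and any(c.isupper() for c in password)
                and any(c.isdigit() for c in password)
                and any(c in IAM_SYMBOLS for c in password)):
            return password


class RecordingIam:
    """Minimal stand-in for boto3's IAM client: records each call's kwargs
    instead of talking to AWS (added for this example only)."""

    def __init__(self):
        self.calls = []

    def __getattr__(self, name):
        def method(**kwargs):
            self.calls.append((name, kwargs))
            return {}
        return method


def bootstrap_admin(iam, username, group_name="Administrators"):
    """Apply the password policy, create the admin group and a console-only
    admin user in it. Returns the generated password so it can be stored in
    a password manager; IAM will not give it back afterwards."""
    iam.update_account_password_policy(**PASSWORD_POLICY)
    iam.create_group(GroupName=group_name)
    iam.attach_group_policy(GroupName=group_name, PolicyArn=ADMIN_POLICY_ARN)
    iam.create_user(UserName=username)
    password = generate_console_password()
    # Console access only: no create_access_key() call, as the post advises
    # keeping programmatic access on a separate, limited user.
    iam.create_login_profile(UserName=username, Password=password,
                             PasswordResetRequired=False)
    iam.add_user_to_group(GroupName=group_name, UserName=username)
    return {"user": username, "group": group_name, "password": password}


if __name__ == "__main__":
    iam = RecordingIam()  # swap for boto3.client("iam") to run for real
    result = bootstrap_admin(iam, "chris")
    for name, kwargs in iam.calls:
        print(name, {k: v for k, v in kwargs.items() if k != "Password"})
    print("password length:", len(result["password"]))
```

Running it for real requires root credentials (or an existing admin), which is exactly the one-off use of the root account the post describes; after this, the root password goes in a safe place and day-to-day work happens as the IAM user.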

With all of that done, you should have all green ticks on the dashboard at Services > IAM > Dashboard:

[Image: Capture2]

IAM Admin User MFA

This is not included in the Security Status but is just as important as activating MFA on your root account. We've just created an IAM user which has administrative access to our AWS account, so we need to ensure that user is also protected by MFA.

  1. In the top left corner of the AWS console, click Services > IAM (it's under the 'Security, Identity & Compliance' section)
  2. Click on Users in the left hand pane
  3. Click on the user you created in the last section
  4. Click on the Security credentials tab.
  5. Click the pen icon next to 'Assigned MFA device'
  6. Follow the same process as we did to setup MFA for the root account.
  7. Once MFA is set up, click on Dashboard in the left hand pane, then copy the 'IAM users sign-in link'.
  8. Log out of the root account and open the link you copied. You should now be able to sign in as your IAM user at that link.
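The IAM dashboard's green ticks cover the root account, but not (as the section above notes) MFA on the IAM users you create. The IAM credential report gives you both in one place, and checking it is a habit worth keeping as users accumulate. The following is an added example, not code from the post, that audits a credential report for the three things this post cares about: any console password (root or IAM user) without MFA, the root account holding access keys, and a single user that mixes console and programmatic access. The embedded report is constructed with invented values (account id 123456789012 is a placeholder) but uses the real column layout produced by aws iam get-credential-report.

```python
# Added example (not from the original post): audit an IAM credential report
# for console logins without MFA, root access keys, and users that combine
# console and programmatic access. SAMPLE_REPORT is constructed for this
# example; the columns match the real report, the values are invented.
import csv
import io

ROOT_USER = "<root_account>"  # how the report names the root account

SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2017-05-01T10:00:00+00:00,not_supported,2017-05-02T09:00:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
chris,arn:aws:iam::123456789012:user/chris,2017-05-02T09:30:00+00:00,true,no_information,2017-05-02T09:30:00+00:00,N/A,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
api-readonly,arn:aws:iam::123456789012:user/api-readonly,2017-05-02T09:45:00+00:00,false,N/A,N/A,N/A,false,true,2017-05-02T09:45:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2017-05-03T11:00:00+00:00,true,no_information,2017-05-03T11:00:00+00:00,N/A,true,true,2017-05-03T11:05:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""


def audit_credential_report(report_csv):
    """Return a list of (user, finding) tuples for the decoded report text.

    The root row reports password_enabled as "not_supported" rather than
    "true", so root is always treated as having a console login.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        name = row["user"]
        is_root = name == ROOT_USER
        console_login = is_root or row["password_enabled"] == "true"
        active_keys = (row["access_key_1_active"] == "true"
                       or row["access_key_2_active"] == "true")

        # Root MFA and IAM user MFA are the two checks this post walks through.
        if console_login and row["mfa_active"] != "true":
            findings.append((name, "console password without MFA"))

        # Root keys are never needed; the post keeps API access on a
        # separate, limited IAM user rather than on the console admin.
        if is_root and active_keys:
            findings.append((name, "root account has active access keys"))
        elif console_login and active_keys:
            findings.append((name, "console and programmatic access on the same user"))
    return findings


def users_missing_mfa(report_csv):
    """Convenience view: just the names that still need MFA enabled."""
    return sorted(user for user, finding in audit_credential_report(report_csv)
                  if finding == "console password without MFA")


if __name__ == "__main__":
    # Constructed sample; for a real account save the report with
    #   aws iam get-credential-report --query Content --output text | base64 -d > report.csv
    # and pass the file contents here instead.
    for user, finding in audit_credential_report(SAMPLE_REPORT):
        print(f"{user}: {finding}")
```

In the sample, root passes (MFA on, no keys), the api-readonly user is fine because it has no console password, chris is flagged because the console admin has no MFA yet, and bob is flagged for mixing a console password with an access key. The report can lag a few minutes behind changes, so generate a fresh one (aws iam generate-credential-report) after enabling MFA before re-checking.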

That's it. Keep your root credentials safe but don't use them. Instead log in as your IAM user. If you need API access, create a new IAM group and user, and grant it only the rights for what you want to access via the API.
