Which of the following is a best practice when securing the AWS root user?

In the previous unit, you created an AWS account and learned the differences between authentication and authorization. This unit discusses the first actions you need to take before creating any resources for your cat photo application or working with any additional AWS services.

What Is the AWS Root User?

When you first create an AWS account, you begin with a single sign-in identity that has complete access to all AWS services and resources in the account. This identity is called the AWS root user and is accessed by signing in with the email address and password that you used to create the account.

Understand the AWS Root User Credentials

The AWS root user has two sets of credentials associated with it. One set of credentials is the email address and password used to create the account. This allows you to access the AWS Management Console. The second set of credentials is called access keys, which allow you to make programmatic requests from the AWS Command Line Interface (AWS CLI) or AWS API.

 Access keys consist of two parts:

• An access key ID, for example, A2lAl5EXAMPLE
• A secret access key, for example, wJalrFE/KbEKxE

Similar to a username and password combination, you need both the access key ID and secret access key to authenticate your requests via the AWS CLI or AWS API. Access keys should be managed with the same security as an email address and password.

Follow Best Practices When Working with the AWS Root User

Keep in mind that the root user has complete access to all AWS services and resources in your account, as well as your billing and personal information. Due to this, securely lock away the credentials associated with the root user and do not use the root user for everyday tasks.

 To ensure the safety of the root user:

• Choose a strong password for the root user.
• Never share your root user password or access keys with anyone.
• Disable or delete the access keys associated with the root user.
• Do not use the root user for administrative tasks or everyday tasks.

When is it OK to use the AWS root user? There are some tasks where it makes sense to use the AWS root user. Check out the Resources to read about them.

Delete Your Keys to Stay Safe

If you don't already have an access key for your AWS account root user, don't create one unless you absolutely need to. If you do have an access key for your AWS account root user and want to delete the keys:

1. Go to the  My Security Credentials page in the AWS Management Console and sign in with the root user’s email address and password.
2. Open the Access keys section.
3. Under Actions, click Delete.
4. Click Yes.

Wrap Up

The AWS root user is a powerful tool, but because of its far reach, it can be dangerous if it gets in the hands of a bad actor. To prevent security exploitation of your AWS account (and eventually, your cat photo application), it is important that you lock down the root user.

Adriano explains how to horizontally scale Laravel on AWS and recommends ways to optimize web applications built with the Laravel PHP framework.

AWS Glossary: Acronym & Terminology Cheat Sheet

Our knowledgeable Lead AWS Cloud Engineer explains the AWS terms you’re likely to need to explain to your leadership team. Smartly grouped by Storage, Messaging, Database Services, Networking and, well, Other Bits.

I work as a Senior Cloud Analyst on Mission’s Cloud Optimization team.  I frequently talk with customers about ensuring the integrity of the root user of their AWS accounts and unfortunately, the basics aren’t always known or understood.  There are 3 things that we focus on:  the root user email address, multi-factor authentication and API access.

Let’s start at the top.  I can’t stress enough how important it is to ensure that the root user email address is in a company owned domain name. AWS recognizes the owner of an account by the root user email address. In other words, when one of your developers first signed up for that original AWS account and used their personal GMail account, that email address has unrestricted access to the account. The good news is that it can be changed.  That said, it needs to be changed before it’s too late. If the user who owns that email address leaves your company for some reason, they can do whatever they want to that account and you’ll have virtually no recourse for it.  Recovering the root email account after the fact can be done, but it requires a sworn affidavit and can take 6 weeks or longer to complete. This process is done directly with AWS and even as a Premier Partner, Mission can’t help to speed this up.  I can assure you that when you need this, you certainly don’t want to wait that long to get access to it.

Mission strongly encourages you to to create a unique distribution group to be used for the root account email address of each account. As AWS issues service disruption notifications, retirement notices and other critical messaging, they typically only go to the root email address.  If that address belongs to an individual user, only one person is going to get that notification.  By using a distribution group, you eliminate that single point of failure and make sure that those notifications are distributed to a team.

Second on the list is to make sure that multi-factor authentication (MFA) is enabled on the root account. This is one of those things that has become commonplace in the world of technology, but adoption is much slower than it should be. Multi-factor authentication is a lot easier than people think, especially given the tools available to maintain those MFA tokens.  The most commonly used MFA device/tool that we see is Google Authenticator but that certainly has some limitations.  First of all, it’s going to restrict you to a single device being able to be used, which can be problematic in the event your mobile phone that holds that token is lost, stolen, or broken  The alternative here is to use a password management application that can also hold your MFA tokens for you.  This would allow you to share them with a select group of people in your organization and protect you in the event that someone leaves the company.

Finally, we get to the API keys on the root user account. As the root user has unrestricted access to your account, it’s possible to terminate anything inside the account, up to and including the account itself.  If the API keys for the root user were to get into the wrong hands, the resources in your account can be programmatically deleted in a very short period of time.  If you currently have API keys in use on the root user, I can’t urge you enough to determine who is using them and move that functionality over to an IAM user or IAM role with permissions restricted to only allow the tasks needed to be completed.

In summary, we strongly recommend that you do the following:

1. Make sure that you have the root email address for each AWS account in a company-owned email domain, preferably using a distribution group.
2. Setup multi-factor authentication on the root user account for each AWS account.  Use a password manager whenever available.
3. Remove any API keys from the root user and ensure that services are using IAM users or roles with minimal permissions.
   

And if you’re feeling extra adventurous, don’t forget to set the account security questions inside your AWS account so that you can have an easier time recovering the account in the event that something goes wrong!  Make sure that you’re not using the root user on a daily basis, but rather an IAM user account with the appropriate permission set applied.

Supporting Documentation:

https://aws.amazon.com/blogs/security/getting-started-follow-security-best-practices-as-you-configure-your-aws-resources/

Which of the following is a best practice for the root account user?

What is the best practice for the AWS root user account select the best answer?

What is the recommended best practice with your root user access keys?

Which of the following are best practices to secure your account using AWS Identity and Access?