Securing The AWS Root User Account Part 1

A new AWS account includes a root user, which is initially the only sign-in identity. The root user can access every AWS service and resource in the account, so it must be protected. It is considered best practice not to use this account for everyday tasks, including administrative tasks, which should be performed with an IAM user that has administrative privileges.

The root user should be used only to create the first IAM user and then locked away. A few account and service management tasks still require the root user, but they are minimal. A sample of tasks requiring the root user is included in the following list.

  • Modifying root user details
  • Changing the AWS support plan
  • Accessing Billing tax invoices (an IAM user with the aws-portal:ViewBilling permission can view these with some restrictions)
  • Closing the AWS account
  • Signing up for GovCloud
  • Submitting Reverse DNS requests for EC2
  • Creation of CloudFront key pairs
  • Changing EC2 settings for longer resource IDs
  • Configuration of S3 buckets to enable MFA Delete
  • Editing or deletion of S3 bucket policies that include invalid VPC or Endpoint IDs
  • Submission of requests for deletion of the port 25 email throttle on an EC2 instance
  • Finding the AWS account canonical user ID in the AWS Management Console
  • Restoration of IAM user permissions
  • Changing account settings using the Billing and Cost Management console

We will now log in to our AWS account and navigate to the IAM service, where a Security Status section provides a quick view of the root user's security status.

  1. Type “IAM” in the “Find Services” search box
  2. Click on “IAM” in the search results

Review the Security Status list in the IAM Dashboard for any security warnings. In a new account most of the items listed will have failed the security checks, because many of the IAM security features are not enabled by default.

We will work through this list from top to bottom so our first task is to delete the root access keys.

  • Click on the down arrow next to “Delete your root access keys” and then click on “Manage Security Credentials”
  • You will see a pop up box. Click on “Continue to Security Credentials”
  • Select the “Access Keys (Access Key ID and Secret Access Key)” row to view existing access keys and delete any that are listed.
  • Click on the “Dashboard” link located in the navigation window on the left side of your screen to return to the IAM Dashboard. There should be a green checkmark next to the first item in the Security Status menu.

The next step will be to activate MFA (Multi-factor Authentication) for our root account.

  • Click on “Activate MFA on your root account” and then click “Manage MFA”
  • Select the “Multi-factor authentication (MFA)” row and then click the “Activate MFA” button.
  • Select the type of MFA device you will be using. This will usually be “Virtual MFA device” as most users will be using a phone app like Google Authenticator which can be downloaded from your device’s app store.
  • Click “Continue” and then scan the QR code shown in the browser by selecting “Show QR code”
  • Enter two consecutive MFA codes from the authenticator app and then click the “Assign MFA” button.

You will see a pop up message confirming that the virtual MFA has been set up correctly. Click the “Close” button.

Click on the “Dashboard” link located in the navigation window on the left side of your screen to return to the IAM Dashboard. There should be a green checkmark next to the first two items in the Security Status menu.
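The same two Security Status checks can be verified from a script instead of by eye. This is an added example, not code from the original post; it reads the SummaryMap returned by the IAM GetAccountSummary API, whose AccountAccessKeysPresent and AccountMFAEnabled entries describe the root user, and assumes boto3 plus credentials holding iam:GetAccountSummary for the live call. The sample maps are constructed.

```python
"""Script the two root-user items from the IAM Security Status list.

Added example (not from the original post). Evaluates the SummaryMap from
IAM GetAccountSummary: AccountAccessKeysPresent and AccountMFAEnabled refer
to the root user only. Sample data below is constructed.
"""
from typing import Dict, List


def evaluate_root_summary(summary: Dict[str, int]) -> List[str]:
    """Return findings for the root user; an empty list means both checks pass."""
    findings: List[str] = []
    # Dashboard item 1: "Delete your root access keys"
    if summary.get("AccountAccessKeysPresent", 0) != 0:
        findings.append("root access keys exist: delete them")
    # Dashboard item 2: "Activate MFA on your root account"
    if summary.get("AccountMFAEnabled", 0) != 1:
        findings.append("root MFA not enabled: activate MFA")
    return findings


def fetch_and_evaluate() -> List[str]:
    """Live check against the current account (needs boto3 and credentials
    with iam:GetAccountSummary); not exercised by the offline samples."""
    import boto3  # imported here so the rest of the file runs without it
    summary = boto3.client("iam").get_account_summary()["SummaryMap"]
    return evaluate_root_summary(summary)


# Constructed sample: a brand-new account before the steps in this post
# (root keys present, MFA off).
NEW_ACCOUNT_SAMPLE = {"AccountAccessKeysPresent": 1, "AccountMFAEnabled": 0}
# Constructed sample: after deleting the root keys and enabling MFA.
HARDENED_SAMPLE = {"AccountAccessKeysPresent": 0, "AccountMFAEnabled": 1}

if __name__ == "__main__":
    for name, sample in (("new", NEW_ACCOUNT_SAMPLE), ("hardened", HARDENED_SAMPLE)):
        print(name, evaluate_root_summary(sample) or ["all root checks pass"])
```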

In this post we have deleted the root access keys and set up MFA on our root user account. We will stop for now and finish the final three items in our next post, as they each relate to IAM.

We recommend AWS: The Complete Beginner’s Guide to Mastering Amazon Web Services by Stephen Baron (https://amzn.to/2Lz5eBF) as a supplemental resource for this blog series. You do not need to purchase this book in order to “credit” our account. Any purchases that you search or make from anywhere in Amazon after clicking on the provided link, will credit this blog and support the continued growth of the library. We are truly grateful for each of our readers and appreciative of those who will help us. There is no cost to you for using our links and they provide an easy way for you to support us.
