Securing Your Root Account

27 minutes
Video Transcription
Hello everybody, and welcome to this lecture. In this lecture we're gonna be getting started with Identity and Access Management, that is, the AWS service IAM.
So, as you can see, I am at the management console right now. Go ahead and log in if you are not logged in already,
and come up here to the Services menu, and we're going to go to Security, Identity, and Compliance. Right beneath it, the first
one is IAM. I'm going to open that up.
So basically IAM is gonna control access to your root and the users that are accessing your AWS account. Here is a list of things to do under the Security Status list. Whenever you open up an AWS account for the first time, you should see this.
It should have one out of five complete,
and basically what you're going to need to do if you want your account to be secure, which I advise you do, is go ahead and follow these step by step. So
let's begin by activating multi-factor authentication
on the root account. So whatever you used to log into your account is probably your root account, unless you were configured a user account by your organization or something like that.
So, should there be any issue, we're gonna go ahead and click Manage MFA.
So here we are. And it says here: you are accessing the security credentials page for your AWS account. The account credentials provide unlimited access to your AWS resources, and then you can learn more by reading here.
Let's go ahead and continue to security credentials,
and we want to open up Multi-factor authentication, and we're gonna press Activate MFA.
So whenever you are setting up MFA, there's three different ways you can go about it. You can use the virtual MFA, which is like a mobile application on your phone. You can use a U2F security key such as a YubiKey or any compliant U2F device.
And then you can also use a hardware MFA device, such as a token,
something like that. But for this, we're just gonna go ahead and use the virtual MFA. What I would like you to do, whether you have an iPhone or an Android phone, is open up the app store and download an application called Google Authenticator.
When you have that ready,
let's go ahead and continue.
So this is gonna walk you through the process of setting up your Google Authenticator as the MFA for your account. Basically, we're gonna press Show QR code. Now, no worries, I'm gonna actually delete this so that you guys can't reuse it, so don't even try.
But what we're gonna do is you're gonna hold up your phone, you're gonna scan this
QR code within the authenticator application, and then it's going to give you a series of codes. You're gonna have one code which you're gonna copy and enter into here, and then you'll have another code after you've waited a little bit, and you're gonna enter that in there.
When all done, go ahead and press Assign MFA. OK, now you should be all set. And as we move back to the IAM dashboard, you should see a second check mark under Activate MFA on your root account.
That means that you were successful. If you need to go back and manage it, you can drop this menu down and select Manage MFA. Moving forward, the next thing on our agenda here is to create an individual IAM user. The reason why we go about doing this is because using the root account
really isn't the smartest thing. If you were to maybe misplace or leave access open on your workstation and somebody gained access to the root account of your AWS account, well, that basically leaves every single door and window open to the house, and they can do whatever they want.
And that's not good. That deals with security,
and that's what we want to be concerned about when we're dealing with IAM. So we're gonna create a managed user,
and that user may or may not have restricted access. In this case, it probably won't, so I also want to secure that user, but I will be able to at least walk you through the process so that you can see how to apply policies and restrict the users
to only the minimum activity that they need access to
or they need to be doing within AWS. Let's go ahead and select Manage users.
And you shouldn't have anything listed here if this is a new account. So we're gonna go ahead and press Add user.
I'm gonna add my name right here,
and I'm going to give myself programmatic access and access to the AWS Management Console.
So basically what this means is: programmatic access means that you can access your AWS account using your terminal or your PowerShell window.
It'll basically assign you a key ID and secret access key, which is what you're gonna be using to connect
through the terminal. Now, for the Cloud Practitioner exam, this isn't in the scope of that exam. It's a bit beyond, so we're not gonna be touching on it. But if you are planning on going after an associate-level certification, it is a good idea that you get familiar with how to use the programmatic
access keys within your
AWS CLI. Moving onward, the second option for accessing your AWS account would be the AWS Management Console. That's actually what we're looking at right here. It's basically just our web GUI, the web interface that you're able to log in to and manage the services. For the
Cloud Practitioner exam, that's all we're gonna be using.
The third option is through the AWS SDK, which is not within the scope of this certification exam. For console password, I'm going to leave it autogenerated, and then I'm gonna require the new user to create a new password the next time that they log in. Let's go ahead and create a group for the new user.
And here is where you can actually select a job function
or a preexisting
group that already came baked in within your AWS account when you first signed up for it. And basically, if you review here, it kind of goes based on, you know, the different services that are available within the AWS console, such as Athena or Chime,
maybe some more popular ones like DynamoDB or EC2, and it can give you, you know, some restricted access, like read-only or power user, which isn't quite full access, but still fairly accessible.
And if you want to read a little bit more about the description of the role, you just look over here under the description; you can find out more information. So
on their power user, it basically provides full access to the Amazon EC2 Container Registry repositories but does not allow repository deletion or policy changes. So for this account, we're actually going to assign administrator access because I do not want to be restricted,
and under group name, I'm going to type in
"admins". We'll go ahead and select Create group,
and then we're gonna move on to tags.
Now, under tags, you can type in
things like Name, and then for the value you can add a value.
This isn't necessary,
but it does help with organizing your users and your groups
as you grow your organization and transition more people onto the platform. So keep in mind, this is a great way to keep up with the organization.
But for this scope, I'm actually not going to add a tag, so we'll just go ahead and press Review, and here it's gonna give you the summary of everything that I've done. It tells you the group, it tells you the managed policy, it says there's no tags, and we're gonna go ahead and create the user.
And there you go. It gives you the access key ID, the secret access key, the password, and email login instructions, allowing you to send an email directly to the user who you just created this account for. One thing to note is that the access key ID and secret access key should be saved.
This isn't something that you're going to get again. However, if you do happen to lose access to your secret access key,
maybe you forgot it or you deleted the file, all you have to do is generate a new one, and then you should be able to access under the same user. So if you do lose access, you're not totally lost. All you have to do is generate a new access key for the existing user. If you would like, you can actually download a CSV
for that file. To do that, you just press Download and it downloads the file for you,
and all this information will be within that credential file.
So now that we're done here, go ahead and press Close,
and we're gonna head back to the dashboard. So as you can see, we've actually knocked out two of the
other check marks on our list, and the only thing we have to do is apply an IAM password policy. So let's see what is involved with that. It says here:
use a password policy to require your IAM users to create strong passwords and to rotate their passwords regularly. If you want to learn more, you can press here.
We'll go ahead and press Manage password policy.
And within here you can actually add the different
requirements that you want to add for each user when they create a new password for their account. So
we could say we want the
credentials to be 12 characters in length;
we want at least one uppercase, one lowercase, one number, one non-alphanumeric character.
And we can add password expiration; you can enter the amount of days there. I'm not gonna do that for this account. And you can also prevent reuse and set the number of passwords to remember. You could say five
or whatever, and then it'll basically remember the last five passwords that that user created, preventing them from reusing that password again. But once again, not gonna do that.
We'll go ahead and
apply the password policy. They give us more information; they also tell you where this is active. By the way, while we're reviewing regions, I wanted to take a moment and note that the IAM service is actually global. If you see up here in the right-hand corner,
if I were to drop this down, all this is grayed out.
That is because IAM doesn't require a specific region. It's something that you can access from any region. One thing to note when you're using an AWS service is that some regions do not offer certain services like others do. Usually the ones in the UK and the ones in the United States,
they're not restricted, so you're gonna have access to the majority of all the services. That lets you know, as you move over into the
Asia Pacific region or South America region, you may run into some restrictions where some of the services are not available, especially the newer ones that are within development.
So just keep that in mind. But as far as the scope of the Cloud Practitioner exam, the IAM service is global. That is one of the few that is global, and you cannot select a region because it has already selected Global. So I just wanted to make sure I threw that out there.
We'll go ahead and apply the password policy. It says successfully updated the password policy,
and we'll go back to the dashboard. And as you can see, we have hit our five check marks and we are done for IAM. One thing I also want to add is that if you are creating more users, you can actually have them log in to your console, your corporate console specifically,
by using this link. Now you can actually customize it by renaming it so that it's easier to remember. All you have to do is press Customize,
and in here what I'll do is I'll say "cybrary ccp",
so, certified cloud practitioner.
So, yes, create.
And now, as you can see, this is the new URL. If I were to copy this, I can just
copy and paste,
and, well,
now you have the account ID alias. You can just enter in your IAM username and IAM password and you'll be in the console in no time. I hope this was very helpful. I will see you guys in the next lecture.
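The lecture does all of this by clicking through the console. As an added example (not part of the lecture or of any AWS tooling), the Python below checks the same items from the defender's side: it audits an IAM credential report for the root-account hygiene the lecture walks through (MFA on root, no day-to-day reliance on root credentials, MFA for console users) and validates candidate passwords against the password policy the lecture configures (12 characters, uppercase, lowercase, number, non-alphanumeric). The credential report is constructed for the example; its column names follow the real IAM credential report format but are trimmed, and the account ID 123456789012 and the user rows are made up. The policy dictionary uses the parameter names of the IAM UpdateAccountPasswordPolicy API, so it could be passed to boto3's `iam.update_account_password_policy(**PASSWORD_POLICY)`; the symbol set is the one AWS documents for IAM passwords.

```python
# Added example, not part of the lecture: audit an IAM credential report and
# check passwords against the lecture's password policy. Runs offline on a
# constructed report; a real report comes from boto3's iam.get_credential_report().
import csv
import io

# Constructed sample credential report. Column names follow the real IAM
# credential report (trimmed to the columns used here); the rows and the
# account ID 123456789012 are made up for this example.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,2020-06-01T09:15:00+00:00,not_supported,not_supported,false,true,false
alice,arn:aws:iam::123456789012:user/alice,2020-02-01T00:00:00+00:00,true,2020-06-02T10:00:00+00:00,2020-02-01T00:00:00+00:00,N/A,true,true,false
bob,arn:aws:iam::123456789012:user/bob,2020-03-01T00:00:00+00:00,true,no_information,2020-03-01T00:00:00+00:00,N/A,false,false,false
"""


def audit_credential_report(report_csv):
    """Return human-readable findings for the root/MFA checks in the lecture."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        mfa = row["mfa_active"] == "true"
        keys_active = "true" in (row["access_key_1_active"], row["access_key_2_active"])
        if user == "<root_account>":
            # First checklist item on the IAM dashboard: MFA on the root account.
            if not mfa:
                findings.append("root: MFA is not enabled")
            # Day-to-day work should go through an IAM user, not root credentials.
            if keys_active:
                findings.append("root: has active access keys; use an IAM user instead")
        elif row["password_enabled"] == "true" and not mfa:
            # Console users without MFA are one lost password away from compromise.
            findings.append(f"{user}: console password enabled without MFA")
    return findings


# The policy the lecture sets; keys are the UpdateAccountPasswordPolicy parameters.
PASSWORD_POLICY = {
    "MinimumPasswordLength": 12,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "RequireNumbers": True,
    "RequireSymbols": True,
}

# Characters AWS counts as symbols for IAM password policies.
SYMBOLS = "!@#$%^&*()_+-=[]{}|'"


def password_meets_policy(password, policy=PASSWORD_POLICY):
    """Return the list of requirements the password fails (empty list = compliant)."""
    failures = []
    if len(password) < policy.get("MinimumPasswordLength", 0):
        failures.append("too short")
    if policy.get("RequireUppercaseCharacters") and not any(c.isupper() for c in password):
        failures.append("no uppercase letter")
    if policy.get("RequireLowercaseCharacters") and not any(c.islower() for c in password):
        failures.append("no lowercase letter")
    if policy.get("RequireNumbers") and not any(c.isdigit() for c in password):
        failures.append("no digit")
    if policy.get("RequireSymbols") and not any(c in SYMBOLS for c in password):
        failures.append("no symbol")
    return failures


if __name__ == "__main__":
    for finding in audit_credential_report(SAMPLE_REPORT):
        print("FINDING:", finding)
    for candidate in ("password", "CorrectHorseBattery", "Tr0ub4dor&3x"):
        print(candidate, "->", password_meets_policy(candidate) or "compliant")
```

Run against the constructed report, the audit flags the root account twice (no MFA, active access keys) and flags `bob` for a console password without MFA; `alice` passes. Once the dashboard shows five check marks, re-running this against a real credential report is a quick way to confirm the state did not drift.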
Identity Access Management in AWS

In this course, students will learn identity and access management- namely the feature details of AWS IAM- and gain an understanding of IAM relationships with other AWS services.
