AWS Authentication and Authorization – avoid using root user on AWS console by defining IAM users and policies

How to avoid using root user on AWS console by defining IAM users, policies, groups and roles.
There are three principals that can authenticate and interact with AWS resources: the root AWS user, IAM users, and roles.
When you first create an AWS account, you create a root AWS user.  This user can log in to the AWS console from the get-go, but eventually – see notes below – you should stop using this account and instead define IAM users through which to interact with AWS.  I at least quickly set up two-factor authentication on my root account (that is another post).
I do sometimes use the root user.  I have added MFA (two-factor) authentication to all my accounts.  I use the Authy Android app on my cell – which seems to work well.
Setting Up Your First IAM User – You
As mentioned, if you are sharing AWS resources among a team – AWS strongly suggests setting up IAM users, groups, policies and roles to control and secure your environment.
Create an IAM user with a username/password by going to IAM, clicking Users in the left column, then clicking the Add User button (right side of the main panel).  You can set up an initial or longer-term password and grant access at this point.  In the process I added a group named AdminGroup and gave this group the AdministratorAccess permission.  My IAM user was also assigned to this group – all during the act of creating an IAM user.
To be clear, the group was created for future re-use and no other purpose; I probably could have assigned AdministratorAccess directly to the IAM user.  The group pays off later: if I create another IAM user that I want to allow AdministratorAccess, I add it to the group, and if I customize the group's permissions, that change affects all IAM users assigned to the group.
Authentication Versus Authorization
AWS authentication is the process of verifying that you have access to AWS – in this case in the context of an AWS IAM user.
AWS authorization is the definition of policies and the granting of those policies to IAM users (directly, or indirectly via groups and roles) for the specific purpose of defining and controlling who can use specific AWS resources (e.g. a specific EC2 instance you created in a Region/Availability Zone).
AWS IAM Authentication
There are three ways that IAM authenticates a principal:
User Name/Password – When a principal represents a person interacting with the console, the person provides a user name/password pair to verify their identity. IAM allows you to create a password policy enforcing password complexity and expiration.
Access Key – An access key is a combination of an access key ID (20 characters) and a secret access key (40 characters). When a program manipulates the AWS infrastructure via the API, it uses these values to sign the underlying REST calls to the services. The AWS SDKs and tools handle all the intricacies of signing the REST calls, so using an access key is almost always a matter of providing the values to the SDK or tool.
Access Key/Session Token – When a process operates under an assumed role, the temporary security credentials provide an access key for authentication. In addition to the access key (remember that it consists of two parts), the credentials also include a session token. Calls to AWS must include both the two-part access key and the session token to authenticate.
Note: When an IAM user is created, that user has neither an access key nor a password; the IAM administrator can set up both after creating the user.
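As an added example (not code from the original post): the request signing that the SDKs hide, for a GET to the IAM query API, run once with a long-term access key and once with an assumed-role access key plus session token. The access key ID, secret key and session token values are constructed placeholders, and the request is built but never sent.

```python
# Added example, not from the original post: build the AWS Signature V4
# Authorization header for an IAM query-API call so the pieces the SDKs
# normally hide can be inspected. Credential values are placeholders.
import datetime
import hashlib
import hmac
from urllib.parse import quote


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def sign_iam_request(access_key_id, secret_access_key, session_token=None,
                     action="ListUsers", amz_date=None):
    """Return SigV4 headers (plus intermediate strings) for GET iam.amazonaws.com."""
    region, service, host = "us-east-1", "iam", "iam.amazonaws.com"
    if amz_date is None:  # format: YYYYMMDDTHHMMSSZ
        amz_date = datetime.datetime.now(datetime.timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    date_stamp = amz_date[:8]

    # Signed headers are lowercase and sorted. Temporary credentials add
    # the session token as a third signed header; a long-term key has none.
    headers = {"host": host, "x-amz-date": amz_date}
    if session_token:
        headers["x-amz-security-token"] = session_token
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k]}\n" for k in sorted(headers))

    # Query API parameters, sorted by name and URL-encoded; GET has an empty body.
    params = {"Action": action, "Version": "2010-05-08"}
    query = "&".join(f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in sorted(params.items()))
    canonical_request = "\n".join(
        ["GET", "/", query, canonical_headers, signed_headers, _sha256_hex(b"")])

    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(
        ["AWS4-HMAC-SHA256", amz_date, scope, _sha256_hex(canonical_request.encode())])

    # Derive the per-day signing key from the secret; the secret itself is never transmitted.
    key = _hmac(("AWS4" + secret_access_key).encode(), date_stamp)
    for part in (region, service, "aws4_request"):
        key = _hmac(key, part)
    signature = hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()

    headers["authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key_id}/{scope}, "
                                f"SignedHeaders={signed_headers}, Signature={signature}")
    return {"headers": headers, "canonical_request": canonical_request,
            "string_to_sign": string_to_sign}
```

The returned `canonical_request` and `string_to_sign` are what AWS reconstructs server-side; a request whose clock, region, service or session token differs from what was signed produces a different signature and is rejected.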
To be continued…
