When you first create an Amazon Web Services (AWS) account, you begin with a single sign-in identity that has complete access to all AWS services and resources in the account. This identity is called the AWS account root user and is accessed by signing in with the email address and password that you used to create the account.
It is strongly recommended that you use the root user only by exception. Instead, adhere to the best practice of using the root user only to set up identity federation with AWS Single Sign-On or an identity provider configured in IAM. To see which tasks require you to sign in as the root user, see AWS Tasks That Require Root User.
If you don’t have an existing organizational structure with AWS Organizations, AWS Control Tower is the easiest way to get started. For more information, see Security Foundations and Identity and Access Management in the AWS Well-Architected security whitepaper.
It’s good to get an idea of what you have already configured in your AWS account, especially if you have had it for a while. You should audit your security configuration in the following situations:
As you review your account’s security configuration, follow these guidelines:
More information can be found at https://docs.aws.amazon.com/general/latest/gr/aws-security-audit-guide.html
You can use the AWS Management Console to download a credential report as a comma-separated values (CSV) file. Please note that a credential report can take 4 hours to reflect changes. To download a credential report using the AWS Management Console:
Further information about the report can be found at https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html
You can use IAM in the AWS Management Console to configure and enable a virtual MFA device for your root user. To manage MFA devices for the AWS account, you must be signed in to AWS using your root user credentials. You cannot manage MFA devices for the root user using other credentials.
If your MFA device is lost, stolen, or not working, you can still sign in using alternative factors of authentication: you verify your identity using the email address and phone number that are registered with your account. Before you enable MFA for your root user, review your account settings and contact information to make sure that you have access to that email address and phone number. To learn about signing in using alternative factors of authentication, see What If an MFA Device Is Lost or Stops Working?. To disable this feature, contact AWS Support.
Use your AWS account email address and password to sign in as the AWS account root user to the IAM console at https://console.aws.amazon.com/iam/
Do one of the following:
Option 1: Click Dashboard, and under Security Status, expand Activate MFA on your root user.
Option 2: On the right side of the navigation bar, click your account name, and click Security Credentials. If necessary, click Continue to Security Credentials. Then expand the Multi-Factor Authentication (MFA) section on the page.
Click Manage MFA or Activate MFA, depending on which option you chose in the preceding step.
In the wizard, click A virtual MFA device and then click Next Step.
Confirm that a virtual MFA app is installed on the device, and then click Next Step. IAM generates and displays configuration information for the virtual MFA device, including a QR code graphic. The graphic is a representation of the secret configuration key that is available for manual entry on devices that do not support QR codes.
With the Manage MFA Device wizard still open, open the virtual MFA app on the device.
If the virtual MFA software supports multiple accounts (multiple virtual MFA devices), then click the option to create a new account (a new virtual device).
The easiest way to configure the app is to use the app to scan the QR code. If you cannot scan the code, you can type the configuration information manually.
Important
Make a secure backup of the QR code or secret configuration key, or make sure that you enable multiple virtual MFA devices for your account. A virtual MFA device might become unavailable (for example, if you lose the smartphone where the virtual MFA device is hosted). If that happens, you will not be able to sign in to your account and you will have to contact customer service to remove MFA protection from the account.
Note
The QR code and secret configuration key generated by IAM are tied to your AWS account and cannot be used with a different account. They can, however, be reused to configure a new MFA device for your account in case you lose access to the original MFA device.
The device starts generating six-digit numbers.
In the Manage MFA Device wizard, in the Authentication Code 1 box, type the six-digit number that’s currently displayed by the MFA device. Wait up to 30 seconds for the device to generate a new number, and then type the new six-digit number into the Authentication Code 2 box.
Important
Submit your request immediately after generating the codes. If you generate the codes and then wait too long to submit the request, the MFA device successfully associates with the user but the MFA device is out of sync. This happens because time-based one-time passwords (TOTP) expire after a short period of time. If this happens, you can resync the device.
Click Next Step, and then click Finish.
The device is ready for use with AWS. For information about using MFA with the AWS Management Console, see Using MFA Devices With Your IAM Sign-in Page.
Configure account security challenge questions because they are used to verify that you own an AWS account.
Alternate contacts enable AWS to contact another person about issues with the account, even if you are unavailable.
You use an access key (an access key ID and secret access key) to make programmatic requests to AWS. However, do not use your AWS account root user access key. The access key for your AWS account gives full access to all your resources for all AWS services, including your billing information. You cannot restrict the permissions associated with your AWS account access key.
You must be signed in as the AWS account root user in order to change the password. To learn how to reset a forgotten root user password, see Resetting Your Lost or Forgotten Passwords or Access Keys.
To change the password for the root user:
Use your AWS account email address and password to sign in to the AWS Management Console as the root user.
Note
If you previously signed in to the console with IAM user credentials, your browser might remember this preference and open your account-specific sign-in page. You cannot use the IAM user sign-in page to sign in with your AWS account root user credentials. If you see the IAM user sign-in page, click Sign-in using root account credentials near the bottom of the page to return to the main sign-in page. From there, you can type your AWS account email address and password.
In the upper right corner of the console, click your account name or number and then click My Account.
On the right side of the page, next to the Account Settings section, click Edit.
On the Password line, choose Click here to change your password.
Choose a strong password. Although you can set an account password policy for IAM users, that policy does not apply to your AWS account root user.
AWS requires that your password meet these conditions:
Symbols that can be used: ! @ # $ % ^ & * () <> [] {} | _ + - =
Note
AWS is rolling out improvements to the sign-in process. One of those improvements is to enforce a more secure password policy for your account. If your account has been upgraded, you are required to meet the password policy above. If your account has not yet been upgraded, then AWS does not enforce this policy, but highly recommends that you follow its guidelines for a more secure password.
To protect your password, it’s important to follow these best practices:
You can set a password policy on your AWS account to specify complexity requirements and mandatory rotation periods for your IAM users' passwords. The IAM password policy does not apply to the AWS account root user's password.
To create or change a password policy:
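Before changing the policy it helps to see how the current one compares with the settings you intend to enforce. The following is an added example, not code from the original page or from AWS: it expresses a weak and a hardened IAM account password policy using the field names the IAM account password policy API uses (MinimumPasswordLength, RequireSymbols, RequireNumbers, RequireUppercaseCharacters, RequireLowercaseCharacters, AllowUsersToChangePassword, MaxPasswordAge, PasswordReusePrevention, HardExpiry) and reports which settings fall below a baseline. The baseline thresholds and both sample policies are the example's own assumptions, not values mandated by AWS; the hardened dictionary can be passed unchanged as keyword arguments to boto3's iam.update_account_password_policy when you apply it with real credentials.

```python
"""Compare an IAM account password policy with a baseline (added example)."""

# Baseline the example enforces. Thresholds are assumptions chosen for the example.
BASELINE = {
    "MinimumPasswordLength": 14,       # numeric minimum
    "RequireSymbols": True,            # boolean flags must be enabled
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "MaxPasswordAge": 90,              # numeric maximum; absent means passwords never expire
    "PasswordReusePrevention": 24,     # numeric minimum; absent means reuse is allowed
}

# Constructed policy with weak settings (no expiry, no reuse prevention, short passwords).
WEAK_POLICY = {
    "MinimumPasswordLength": 8,
    "RequireSymbols": False,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": False,
    "AllowUsersToChangePassword": True,
}

# Constructed hardened policy; keys match the update_account_password_policy parameters.
HARDENED_POLICY = {
    "MinimumPasswordLength": 14,
    "RequireSymbols": True,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,
    "MaxPasswordAge": 90,
    "PasswordReusePrevention": 24,
    "HardExpiry": False,
}


def policy_findings(policy):
    """Return human-readable findings for every baseline setting the policy misses."""
    findings = []
    for key, required in BASELINE.items():
        actual = policy.get(key)
        if isinstance(required, bool):
            if actual is not True:
                findings.append(f"{key} should be enabled")
        elif key == "MaxPasswordAge":
            if actual is None:
                findings.append(f"{key} is unset, so passwords never expire")
            elif actual > required:
                findings.append(f"{key} is {actual}, should be at most {required}")
        else:
            if actual is None or actual < required:
                findings.append(f"{key} is {actual}, should be at least {required}")
    return findings


def is_compliant(policy):
    """True when the policy meets every baseline setting."""
    return not policy_findings(policy)


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{name}: {policy_findings(policy) or 'compliant'}")
    # With credentials configured, the hardened policy could be applied with:
    #   import boto3; boto3.client("iam").update_account_password_policy(**HARDENED_POLICY)
```

The policy read back from IAM (get_account_password_policy) uses the same key names, so the same function can check the live policy once you have credentials. Remember that, as stated above, none of these settings applies to the root user's password.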