What privilege is specific to the AWS root account and cannot be granted to another IAM user?

When you first create an Amazon Web Services (AWS) account, you begin with a single sign-in identity that has complete access to all AWS services and resources in the account. This identity is called the AWS account root user and is accessed by signing in with the email address and password that you used to create the account.
It is strongly recommended that you use the root user only by exception. Instead, follow the best practice of using the root user only to set up identity federation using AWS Single Sign-On or an identity provider configured in IAM. For the list of tasks that require signing in as the root user, see AWS Tasks That Require Root User.

1.1 Generate and Review the AWS Account Credential Report

It's good to get an idea of what you have already configured in your AWS account, especially if you have had it for a while. You should audit your security configuration in the following situations:
As you review your account’s security configuration, follow these guidelines:
More information can be found at https://docs.aws.amazon.com/general/latest/gr/aws-security-audit-guide.html

You can use the AWS Management Console to download a credential report as a comma-separated values (CSV) file. Note that the credential report can take up to 4 hours to reflect changes. To download a credential report using the AWS Management Console:
Further information about the report can be found at https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html

1.2 Enable a Virtual MFA Device for Your AWS Account Root User

You can use IAM in the AWS Management Console to configure and enable a virtual MFA device for your root user. To manage MFA devices for the AWS account, you must be signed in to AWS using your root user credentials; the root user's MFA devices cannot be managed with any other credentials. If your MFA device is lost, stolen, or not working, you can still sign in using alternative factors of authentication by verifying your identity with the email address and phone number that are registered with your account. Before you enable MFA for your root user, review your account settings and contact information to make sure that you have access to that email address and phone number. To learn about signing in using alternative factors of authentication, see What If an MFA Device Is Lost or Stops Working?. To disable this feature, contact AWS Support.
The device is ready for use with AWS. For information about using MFA with the AWS Management Console, see Using MFA Devices With Your IAM Sign-in Page.

1.3 Configure Account Security Challenge Questions

Configure account security challenge questions, because they are used to verify that you own an AWS account.
1.4 Configure Account Alternate Contacts

Alternate contacts enable AWS to contact another person about issues with the account, even if you are unavailable.
1.5 Remove Your AWS Account Root User Access Keys

You use an access key (an access key ID and secret access key) to make programmatic requests to AWS. However, do not use your AWS account root user access key. The access key for your AWS account gives full access to all your resources for all AWS services, including your billing information. You cannot restrict the permissions associated with your AWS account access key.
1.6 Periodically Change the AWS Account Root User Password

You must be signed in as the AWS account root user in order to change the password. To learn how to reset a forgotten root user password, see Resetting Your Lost or Forgotten Passwords or Access Keys. To change the password for the root user:
1.7 Configure a Strong Password Policy for Your Users

You can set a password policy on your AWS account to specify complexity requirements and mandatory rotation periods for your IAM users' passwords. The IAM password policy does not apply to the AWS root account password. To create or change a password policy:
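To make the password policy step concrete, here is an added example (not AWS code and not from the original page) that places a weak policy beside a hardened one, checks either against a baseline, and renders the `aws iam update-account-password-policy` call that would apply the hardened settings. The key names match what boto3's `get_account_password_policy` returns and the flag names are those of the AWS CLI; the baseline thresholds (14 characters, 90-day maximum age, 24 remembered passwords) and both policy dicts are assumptions constructed for the example.

```python
"""Compare an account's IAM password policy against a baseline and emit the
CLI call that would close the gaps. Added example, not AWS code."""

# Both policies are constructed. They use the key names that boto3's
# iam.get_account_password_policy()["PasswordPolicy"] returns, so a real
# policy dict can be passed to policy_gaps() unchanged.
WEAK_POLICY = {
    "MinimumPasswordLength": 6,
    "RequireSymbols": False,
    "RequireNumbers": False,
    "RequireUppercaseCharacters": False,
    "RequireLowercaseCharacters": False,
    "AllowUsersToChangePassword": True,
    "ExpirePasswords": False,
}

HARDENED_POLICY = {
    "MinimumPasswordLength": 14,
    "RequireSymbols": True,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,
    "ExpirePasswords": True,
    "MaxPasswordAge": 90,
    "PasswordReusePrevention": 24,
    "HardExpiry": False,
}

# Baseline thresholds are assumptions for this example, not AWS defaults.
BASELINE = {
    "MinimumPasswordLength": 14,      # at least
    "RequireSymbols": True,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "MaxPasswordAge": 90,             # at most; absent means passwords never expire
    "PasswordReusePrevention": 24,    # at least; absent means reuse is allowed
}

# Flag names of `aws iam update-account-password-policy` for each policy key.
# ExpirePasswords has no flag: it is implied by setting --max-password-age.
CLI_FLAGS = {
    "MinimumPasswordLength": "--minimum-password-length",
    "RequireSymbols": "--require-symbols",
    "RequireNumbers": "--require-numbers",
    "RequireUppercaseCharacters": "--require-uppercase-characters",
    "RequireLowercaseCharacters": "--require-lowercase-characters",
    "AllowUsersToChangePassword": "--allow-users-to-change-password",
    "MaxPasswordAge": "--max-password-age",
    "PasswordReusePrevention": "--password-reuse-prevention",
    "HardExpiry": "--hard-expiry",
}


def policy_gaps(policy, baseline=BASELINE):
    """Return a list of human-readable gaps; an empty list means compliant.
    An empty policy dict stands for an account with no custom policy at all."""
    gaps = []
    for key, want in baseline.items():
        have = policy.get(key)
        if isinstance(want, bool):
            if have is not True:
                gaps.append(f"{key} should be enabled")
        elif key == "MaxPasswordAge":
            if have is None or have > want:
                gaps.append(f"{key} should be at most {want} days (is {have})")
        elif have is None or have < want:
            gaps.append(f"{key} should be at least {want} (is {have})")
    return gaps


def update_command(policy):
    """Render the aws CLI invocation that applies `policy`, as a list of argv
    tokens so it can be passed to subprocess without shell quoting."""
    argv = ["aws", "iam", "update-account-password-policy"]
    for key, value in policy.items():
        flag = CLI_FLAGS.get(key)
        if flag is None:
            continue                            # ExpirePasswords: no flag
        if isinstance(value, bool):
            argv.append(flag if value else "--no-" + flag[2:])  # e.g. --no-hard-expiry
        else:
            argv += [flag, str(value)]
    return argv


if __name__ == "__main__":
    print("weak policy gaps:", *policy_gaps(WEAK_POLICY), sep="\n  ")
    print("hardened policy gaps:", policy_gaps(HARDENED_POLICY))
    print(" ".join(update_command(HARDENED_POLICY)))
```

Passing an empty dict models an account that has never set a custom policy and therefore runs on the AWS default; it reports every baseline item as a gap. Because the root user's password is outside the IAM password policy, none of this applies to it, which is why section 1.6 treats root password changes separately.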
Does the root user have all permissions in AWS?

Anyone who has root user credentials for your AWS account has unrestricted access to all the resources in your account, including billing information. You can change the email address and password on the Security Credentials page.
What are some of the types of access you can grant to an IAM user account?

If console access is allowed, the IAM user can sign in to the console using a user name and password. If programmatic access is allowed, the user can use access keys to work with the CLI or API.
What is the difference between an IAM user and the root user in AWS?

There are two different types of users in AWS. You are either the account owner (root user) or you are an AWS Identity and Access Management (IAM) user. The root user is created when the AWS account is created. IAM users are created by the root user or an IAM administrator for the account.
What are the two types of access that are granted to users when an IAM policy is created?

An AWS IAM policy regulates access to AWS resources to help ensure that only authorized users have access to specific digital assets. Permissions defined within a policy either allow or deny access for the user to perform an action on a specific resource. IAM policies can be either identity-based or resource-based.