
Protecting the root account (required)

https://catalog.workshops.aws/startup-security-baseline/en-US/b-securing-your-account/2-protect-root

Your root user (the email address you used to register the AWS account) is very powerful and grants unlimited access to your account and resources. The CIS AWS Foundations Security Benchmark Controls strongly recommend that you do not use the root user for your everyday tasks, even administrative ones. Your root user should only be used for billing issues and changing alternate contacts.

Perform all other actions using IAM users or other IAM identities. Click here for more information.

This section will show you how to:

  • Configure MFA for your Root user
  • Delete your Root Account access keys

Controls Implemented in this Section

ACCT.05 - Require Multi-Factor Authentication (MFA) to log in 

Estimated Cost

This control is free.

Workshop Steps

Delete root account access keys

Root user access keys grant unlimited programmatic access to your account and its resources, so you should delete them to secure your account.

  1. Sign in to the AWS Console as the root user by choosing Root user and entering your AWS account email address.
     [Image: Log in as root user]
  2. Click on your username on the top right and select Security Credentials.
     [Image: Access Security Credentials]
  3. On the Your Security Credentials page, select Access keys (access key ID and secret access key) to expand it.
  4. If you have any access keys, select Delete.
     [Image: Delete access keys]
  5. Select Deactivate, fill in the key name, and select Delete to delete the key.

Turn MFA on for the root user

Multi-Factor Authentication (MFA) is a vital mechanism to improve your account security. With MFA set up, a malicious actor will face another challenge to access your account even if they manage to get your root email and password.

Ideally, the token and the password should be held by two different people. This will prevent any single person from using the root account.

  1. Download an authenticator app to your phone if you don't have any other MFA device. For this workshop, we will be using Twilio Authy (iOS | Android).
  2. Use your AWS account email address and password to sign in as the AWS account root user to the IAM console.
  3. On the right side of the navigation bar, click your account name, and click My Security Credentials. If necessary, click Continue to Security Credentials.
     [Image: Access Security Credentials]
  4. Expand the Multi-Factor Authentication (MFA) section on the page.
  5. Click Activate MFA.
     [Image: Activate MFA in the MFA section to open Manage MFA device]
  6. In the wizard, select Virtual MFA device and then click Continue.
     [Image: Select Virtual MFA device and click Continue]
  7. On the Set up virtual MFA device window, click Show QR code.
     [Image: Show QR code on the "Set up virtual MFA device" page]
  8. Tap the plus button in the Twilio Authy app and scan the QR code.
     [Image: Tap "+" in Twilio Authy to scan the QR code]
  9. If you cannot scan the code, tap Cancel in Twilio Authy and select Enter key manually at the bottom of the screen. Click Show Secret Key in the AWS MFA setup wizard and type the key manually into Twilio Authy.
  10. You can set a password to store this securely in Authy, or tap Skip if you choose not to. Tap Save.
  11. The device starts generating six-digit numbers.
      [Image: 6-digit authentication number generated on Twilio Authy]
  12. Return to the Manage MFA Device wizard. In the MFA Code 1 box, type the six-digit number that is currently displayed by the MFA device. Wait up to 30 seconds for the device to generate a new number, and then type the new six-digit number into the Authentication Code 2 box. Click Assign MFA.
      [Image: Enter 2 consecutive MFA codes to authenticate]

Important: Submit your request immediately after generating the codes. If you generate the codes and then wait too long to submit the request, the MFA device is still associated with the user, but it is out of sync. This happens because time-based one-time passwords (TOTP) expire after a short period of time. If this happens, you can resync the device.
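As an added illustration of the two-code step and the note above (this code is not part of the workshop): a minimal RFC 6238 TOTP implementation in Python showing why the wizard asks for two consecutive codes and why a clock skew of more than one 30-second window produces the "out of sync" failure. The key and timestamps are the RFC 6238 reference vectors, not a real secret.

```python
import base64
import hashlib
import hmac
import struct
import time

# Virtual MFA apps (Authy and others) use RFC 6238 TOTP: HMAC-SHA1,
# a 30-second time step and six digits. Example code, not AWS tooling.
TIME_STEP = 30
DIGITS = 6


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: dynamically truncate HMAC-SHA1(key, counter) to decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = TIME_STEP) -> str:
    """TOTP is HOTP with the counter set to the current 30-second window number."""
    return hotp(key, unix_time // step)


def consecutive_codes(key: bytes, unix_time: int) -> tuple:
    """The two codes the AWS wizard asks for: this window and the next one."""
    window = unix_time // TIME_STEP
    return hotp(key, window), hotp(key, window + 1)


def verify(key: bytes, submitted: str, unix_time: int, drift_windows: int = 1) -> bool:
    """Accept a code for the current window or an adjacent one (constant-time compare).
    Skew beyond drift_windows * 30 s makes a valid code fail: the 'out of sync' case."""
    window = unix_time // TIME_STEP
    return any(hmac.compare_digest(hotp(key, window + d), submitted)
               for d in range(-drift_windows, drift_windows + 1))


def decode_secret(base32_secret: str) -> bytes:
    """The value behind 'Show Secret Key' is base32; strip spaces and restore padding."""
    s = base32_secret.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


if __name__ == "__main__":
    key = b"12345678901234567890"  # RFC 6238 reference key, not a real MFA secret
    print("current and next code:", consecutive_codes(key, int(time.time())))
```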

Test your new MFA setting

  1. Open a separate browser and stay logged in to your account in the original browser.
  2. Try logging in to your root account at the AWS console.
     [Image: Sign in using a separate browser]
  3. You should be asked for the MFA code to log in.
  4. If MFA doesn't work, return to the previous browser where you are still logged in and try to configure MFA again.

For more information, please read the AWS User Guide.

What you accomplished

By implementing this control, you have successfully

  • Configured MFA for your Root user
  • Deleted your Root Account access keys
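To confirm both controls from a non-root identity after finishing the workshop, here is an added Python check (not part of the workshop or of AWS's own tooling) that reads the `<root_account>` row of the IAM credential report. It assumes boto3 and credentials for an IAM identity allowed to generate and fetch the report; the sample reports are constructed and reduced to the columns the check reads.

```python
import csv
import io
import time

# Added example: the IAM credential report has one row per identity; the root
# user's row is named "<root_account>" and carries mfa_active plus
# access_key_1_active / access_key_2_active. boto3 is imported lazily so the
# parsing logic runs without it.
ROOT_ROW = "<root_account>"


def root_findings(report_csv: str) -> list:
    """Parse the credential report CSV and return findings for the root user.
    An empty list means: no active access keys on root and MFA is active."""
    rows = list(csv.DictReader(io.StringIO(report_csv)))
    root = next((r for r in rows if r["user"] == ROOT_ROW), None)
    if root is None:
        return ["credential report has no <root_account> row; report may be stale"]
    findings = []
    for col in ("access_key_1_active", "access_key_2_active"):
        if root.get(col, "false").lower() == "true":
            findings.append(f"root {col} is true: delete the key (Delete root account access keys)")
    if root.get("mfa_active", "false").lower() != "true":
        findings.append("root mfa_active is false: assign an MFA device (Turn MFA on for the root user)")
    return findings


def audit_root_account() -> list:
    """Live check: generate, then fetch, the credential report (needs boto3 and credentials)."""
    import boto3
    iam = boto3.client("iam")
    while iam.generate_credential_report()["State"] != "COMPLETE":
        time.sleep(2)  # report generation is asynchronous; poll until it is ready
    return root_findings(iam.get_credential_report()["Content"].decode())


# Constructed sample reports (not real account data; 111122223333 is AWS's example ID)
BEFORE = (
    "user,arn,mfa_active,access_key_1_active,access_key_2_active\n"
    "<root_account>,arn:aws:iam::111122223333:root,false,true,false\n"
    "alice,arn:aws:iam::111122223333:user/alice,true,true,false\n"
)
AFTER = (
    "user,arn,mfa_active,access_key_1_active,access_key_2_active\n"
    "<root_account>,arn:aws:iam::111122223333:root,true,false,false\n"
    "alice,arn:aws:iam::111122223333:user/alice,true,true,false\n"
)

if __name__ == "__main__":
    for name, report in (("before", BEFORE), ("after", AFTER)):
        print(name, root_findings(report) or ["OK"])
```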