Problem:
After you create your AWS account, you need to complete a few basic steps to secure it before you start using it.
Solution Summary:
After you create a new account, you need to complete some basic security steps: activate MFA on the root account, create IAM users and groups, and apply a password policy.
Prerequisites:
It would be good to read at least the first three notes from the book getting-started-aws-part-2-security-basics-iam.
Solution Steps:
After logging in for the first time, go to the IAM page and complete all items listed under Security Status:
Task 1 (delete your root access keys) should already show as complete: a new account has no root access keys unless you created them yourself.
Task 2 - Activate Multi Factor Authentication (MFA) on your root account
To activate a virtual MFA device, first install an AWS MFA-compatible application on your smartphone, PC or other device. On Android you can install Google Authenticator along with Barcode Scanner. Note that whoever holds this device holds the second factor for the root account, so keep it with the person who owns the account and keep a recovery route in mind: if the only root MFA device is lost, you will have to go through AWS account recovery to get root access back.
Steps:
- Click 'Activate MFA on your root account'
- Click 'Manage MFA'
- Select 'A virtual MFA device'
- Click Next on the message about installing an MFA-compatible application, provided you have already installed Google Authenticator along with Barcode Scanner.
- Scan the barcode shown on screen using Google Authenticator, then enter two consecutive codes from the app. The barcode carries the shared secret; the two codes prove that the app has that secret and that its clock agrees with AWS.
- The MFA device is now associated with the root account.
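The codes the console asks for are RFC 6238 TOTP values: an HMAC-SHA1 over a 30-second counter derived from the secret in the barcode, truncated to six digits. The following is an added example, not code from the original page or from AWS: it implements that computation, produces the "two consecutive codes" pair, and shows the kind of check the server side can do with them. The secret used is the RFC 6238 test key, not a real AWS seed.

```python
import base64
import hashlib
import hmac
import struct
import time

# The RFC 6238 test key (ASCII "12345678901234567890") in base32, the encoding
# authenticator apps read out of the barcode. Not a real AWS seed.
RFC_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32, at, digits=6, step=30):
    """RFC 6238 TOTP: HMAC-SHA1 over the big-endian time-step counter, then
    dynamic truncation to the requested number of digits."""
    # Authenticator apps usually strip base32 padding; restore it before decoding.
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", at // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = (
        (digest[offset] & 0x7F) << 24
        | digest[offset + 1] << 16
        | digest[offset + 2] << 8
        | digest[offset + 3]
    )
    return str(binary % (10 ** digits)).zfill(digits)


def two_consecutive_codes(secret_b32, at):
    """The pair the console asks for: the current code and the one for the
    following 30-second step."""
    return totp(secret_b32, at), totp(secret_b32, at + 30)


def verify_pair(secret_b32, code1, code2, now, skew_steps=1):
    """Server-side check modelled on the association step (an assumption about
    how AWS validates, not its actual code): both codes must come from the same
    secret, be from adjacent time steps, and sit within skew_steps of the
    server's clock. Constant-time comparison avoids leaking matching digits."""
    for drift in range(-skew_steps, skew_steps + 1):
        base = now + drift * 30
        first_ok = hmac.compare_digest(totp(secret_b32, base), code1)
        second_ok = hmac.compare_digest(totp(secret_b32, base + 30), code2)
        if first_ok and second_ok:
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    print("current and next code:", two_consecutive_codes(RFC_TEST_SECRET, now))
```

The RFC's published vectors make the implementation checkable offline: at Unix time 59 the six-digit code for the test key is 287082, and the next step gives 359152. A pair that is merely two copies of the same code, or a valid pair presented outside the clock window, is rejected, which is why entering two codes in a row is stronger than entering one.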
Task 3 - Create individual IAM users
Create IAM users and grant each one only the permissions it needs, then use those users for day-to-day work. The root account has unrestricted access to all your AWS resources, so it should be reserved for the few tasks that require it.
Steps:
- Click 'Manage Users'
- Click 'Add User'
- Enter the user name and the access type (Programmatic access and/or AWS Management Console access). Programmatic access creates an access key ID and secret access key for the AWS API, CLI, SDKs and other development tools. This walkthrough selects both; in practice, enable programmatic access only for users that need it, because access keys are long-lived credentials that have to be stored and rotated. Leave the other options as they are.
- Leave the options on the following screens as they are and click Next until the end. No permissions are attached at this point; they are assigned through a group in Task 4.
- You will see a success message offering the credentials as a CSV download.
- Download credentials.csv; you can also email sign-in instructions to the user. Treat the file as a secret, since it contains the secret access key and the initial console password.
The success message reads:
You successfully created the users shown below. You can view and download user security credentials. You can also email users instructions for signing in to the AWS Management Console. This is the last time these credentials will be available to download. However, you can create new credentials at any time.
Users with AWS Management Console access can sign-in at: https://<>.signin.aws.amazon.com/console.
Now go back to the IAM dashboard by clicking Dashboard in the sidebar and refresh the page to see the updated status.
Login With Custom URL
- Customize your user sign-in link (shown on the dashboard) by clicking the Customize link next to it.
- Log out and log in as a user created in the previous step, using the customized sign-in link.
Note: This is not a checklist item, but it is good practice to do it.
Task 4 - Use groups to assign permissions
- Click 'Manage Groups'
- Click 'Create New Group'
- Give the group a name (e.g. development)
- Select one or more policies to attach (e.g. IAMUserChangePassword, which only lets members change their own password; a real team group also needs policies for the work it does).
- Review the information, then click Create Group.
A group grants nothing until it has members: add the users from Task 3 to it (Users tab on the group) and keep attaching policies to groups rather than to individual users, so permissions stay reviewable in one place.
Now go back to the IAM dashboard by clicking Dashboard in the sidebar and refresh the page to see the updated status.
Task 5 - Apply an IAM password policy
- Go to the 'Account Settings' page from the left sidebar.
- Select the password policy options: minimum length, required character classes, whether users may change their own password, and password reuse prevention. The policy applies to IAM user console passwords only, not to the root account's password.
- Click 'Apply Password Policy'
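The console does not tell you whether the options you ticked are strong enough. As an added example that is not part of the original page, here is an audit over the JSON that `aws iam get-account-password-policy` returns, with a weak policy beside the hardened one and the equivalent `aws iam update-account-password-policy` invocation rendered from the baseline. The sample policy is constructed, and the thresholds (14 characters, 24 remembered passwords) are assumptions chosen here, loosely following the CIS AWS Foundations Benchmark.

```python
import json

# Constructed sample of `aws iam get-account-password-policy` output for an account
# where only "require at least one number" was ticked (assumption for this example).
WEAK_POLICY_JSON = """{
  "PasswordPolicy": {
    "MinimumPasswordLength": 8,
    "RequireSymbols": false,
    "RequireNumbers": true,
    "RequireUppercaseCharacters": false,
    "RequireLowercaseCharacters": false,
    "AllowUsersToChangePassword": false,
    "ExpirePasswords": false
  }
}"""

# Baseline thresholds are assumptions for this example. A bool means "must be on",
# an int means "must be at least". Forced expiry is deliberately left out.
BASELINE = {
    "MinimumPasswordLength": 14,
    "RequireSymbols": True,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,
    "PasswordReusePrevention": 24,
}


def audit_password_policy(policy_json):
    """Return one finding per baseline item the account's policy fails to meet."""
    policy = json.loads(policy_json).get("PasswordPolicy", {})
    findings = []
    for key, wanted in BASELINE.items():
        actual = policy.get(key)  # a missing key means the option is off or unset
        if isinstance(wanted, bool):
            if actual is not True:
                findings.append(f"{key} should be enabled (currently {actual})")
        elif actual is None or actual < wanted:
            findings.append(f"{key} should be at least {wanted} (currently {actual})")
    return findings


def hardened_policy():
    """A policy that satisfies BASELINE, in the shape the API accepts."""
    return dict(BASELINE)


HARDENED_POLICY_JSON = json.dumps({"PasswordPolicy": hardened_policy()})


def cli_update_command(policy):
    """Render the `aws iam update-account-password-policy` call for a policy dict.
    CamelCase API fields map to the CLI's kebab-case flags; booleans become
    --flag / --no-flag."""
    parts = ["aws iam update-account-password-policy"]
    for key, value in policy.items():
        kebab = "".join("-" + c.lower() if c.isupper() else c for c in key).lstrip("-")
        flag = "--" + kebab
        if isinstance(value, bool):
            parts.append(flag if value else "--no-" + kebab)
        else:
            parts.append(f"{flag} {value}")
    return " ".join(parts)


if __name__ == "__main__":
    for finding in audit_password_policy(WEAK_POLICY_JSON):
        print("weak:", finding)
    print(cli_update_command(hardened_policy()))
```

Run the audit against the real output of `aws iam get-account-password-policy` after applying the policy; an empty findings list means the console choices match the baseline.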
Final Security Status
Now go back to the IAM dashboard by clicking Dashboard in the sidebar and refresh the page. All Security Status items should now be green.
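The green ticks can also be verified without the console, from the IAM credential report (`aws iam get-credential-report`, whose Content field is base64-encoded CSV). The following is an added example, not code from the original page or from AWS: it parses a constructed report in the real column layout and evaluates Tasks 1 to 3 from it, plus a stricter check the dashboard does not make (console users without MFA). The account ID and user names are made up.

```python
import csv
import io

# Column layout of the IAM credential report as returned by the CLI.
COLUMNS = [
    "user", "arn", "user_creation_time", "password_enabled", "password_last_used",
    "password_last_changed", "password_next_rotation", "mfa_active",
    "access_key_1_active", "access_key_1_last_rotated", "access_key_1_last_used_date",
    "access_key_1_last_used_region", "access_key_1_last_used_service",
    "access_key_2_active", "access_key_2_last_rotated", "access_key_2_last_used_date",
    "access_key_2_last_used_region", "access_key_2_last_used_service",
    "cert_1_active", "cert_1_last_rotated", "cert_2_active", "cert_2_last_rotated",
]

ROOT = "<root_account>"  # how the report names the root user

# Constructed rows: root with MFA and no keys, a console user without MFA who also
# has an access key, and a programmatic-only user. Account 123456789012 is fictitious.
ROWS = [
    [ROOT, "arn:aws:iam::123456789012:root", "2023-01-01T00:00:00+00:00",
     "not_supported", "2023-01-02T09:00:00+00:00", "not_supported", "not_supported",
     "true", "false", "N/A", "N/A", "N/A", "N/A", "false", "N/A", "N/A", "N/A", "N/A",
     "false", "N/A", "false", "N/A"],
    ["alice", "arn:aws:iam::123456789012:user/alice", "2023-01-03T10:00:00+00:00",
     "true", "no_information", "2023-01-03T10:00:00+00:00", "N/A",
     "false", "true", "2023-01-03T10:00:00+00:00", "N/A", "N/A", "N/A",
     "false", "N/A", "N/A", "N/A", "N/A", "false", "N/A", "false", "N/A"],
    ["deploy", "arn:aws:iam::123456789012:user/deploy", "2023-01-04T10:00:00+00:00",
     "false", "N/A", "N/A", "N/A",
     "false", "true", "2023-01-04T10:00:00+00:00", "2023-01-05T12:00:00+00:00",
     "us-east-1", "s3", "false", "N/A", "N/A", "N/A", "N/A", "false", "N/A", "false", "N/A"],
]

SAMPLE_REPORT = "\n".join([",".join(COLUMNS)] + [",".join(r) for r in ROWS]) + "\n"


def parse_report(report_csv):
    """Parse the decoded credential report into one dict per IAM principal."""
    return list(csv.DictReader(io.StringIO(report_csv)))


def security_status(rows):
    """Evaluate the dashboard's checklist items from the report, plus two
    checks the dashboard does not show."""
    root = next(r for r in rows if r["user"] == ROOT)
    users = [r for r in rows if r["user"] != ROOT]
    has_key = lambda r: "true" in (r["access_key_1_active"], r["access_key_2_active"])
    return {
        "root_access_keys_deleted": not has_key(root),          # Task 1
        "root_mfa_active": root["mfa_active"] == "true",         # Task 2
        "individual_users_created": len(users) > 0,             # Task 3
        "console_users_without_mfa": sorted(
            r["user"] for r in users
            if r["password_enabled"] == "true" and r["mfa_active"] != "true"),
        "users_with_active_access_keys": sorted(r["user"] for r in users if has_key(r)),
    }


def all_green(status):
    """Stricter than the dashboard: every console user must also have MFA."""
    return (status["root_access_keys_deleted"] and status["root_mfa_active"]
            and status["individual_users_created"]
            and not status["console_users_without_mfa"])


if __name__ == "__main__":
    status = security_status(parse_report(SAMPLE_REPORT))
    for item, value in status.items():
        print(f"{item}: {value}")
    print("all green:", all_green(status))
```

On the sample report the three checklist items pass, but alice has a console password and no MFA, so the stricter check fails; the list of users holding active access keys is the set whose keys you will need to rotate.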
Comments
Completed
Good way of explanation