Which of the following should be done by AWS account root user
Community driven content discussing all aspects of software development from DevOps to design patterns. Show
Latest Blog Posts
Related Content
Sponsored News
Vendor Resources
Five Best practices for AWS root accountsKeeping your Amazon account secure is a major concern for every AWS user and admin. Here are the top five AWS root user account best practices every organization should follow:
Let’s break these down one by one. AWS root account securityCredentials for the AWS root account should be shared only with a select group of individuals on the IT team. Don’t share the AWS root account with the CEO, or with an auditor or compliance officer. Only as small number of individuals should know where the root credentials are stored. Create rules about how to access that credential, and what steps to follow when the root account password is updated. If you must assign elevated rights to a user temporarily, create a time-boxed role for that individual. But never share AWS root account credentials. AWS root access keysAnother AWS root account best practice is to delete any programmatic access keys associated with the root user. If a PEM file or DER certificate exists for the root account, that doubles the root account’s attack surface. Delete those keys immediately. In rare instances, an administrator might perform an administrative function as a root user. There are no reasons why a piece of software should programmatically log in as root with user’s access keys. Enable root MFABy default, AWS accounts are only protected by a username and password. The best practice here is to enable MFA. With a password, you prove who you are with a piece of information that only you know. MFA ups the ante by requiring not only what you know but also what you have. In addition to a password the user must also provide a token or code, generated on a device that is not the device on which the user is attempting to log in as the AWS root. Many Gmail or Facebook users are familiar with using SMS messages with MFA. AWS is much stricter — an SMS message to a mobile device is not a valid MFA option. For AWS, the only valid MFA options are:
Securing access to the root AWS account is a crucial best practice. If your organization uses any of the devices listed above, include them in an MFA routine. MFA is a commonly accepted best practice for root AWS account security. Rotate AWS passwordsThere is no default password rotation for the AWS root account. Once the AWS root password is set, there are no rules that require regular password updates. However, admins can easily create a setup to regularly rotate passwords by updating the password policy attached to the account. A general AWS root user best practice is to set the password rotation period to at least 90 days. For even more security, set it to 60 days. Create administrative accountsFor day-to-day administration of the AWS console, create an administrative group and add trusted users who need elevated rights. The root AWS account can never be deleted, and the rights associated with the root account cannot be revoked. Admins can, however, remove a user from the administrative group or suspend a user’s account altogether. Furthermore, with administrative access provisioned on a per-account basis, admins can monitor the actions of a specific user to identify any peculiar activity that warrant investigation. If the root account is shared by multiple users, there is no way to identify which user performed which administrative tasks. More AWS security best practicesA core tenet of server-side security is to respect the principle of least privilege. An AWS root account best practice is to always respect the principle of least privilege. How to protect the super user accountAn admin should assign to users only the minimal rights to perform their required tasks. Furthermore, don’t add users to the administrative group every time they perform a one-off administrative function — use AWS roles instead. Also, regularly monitor exactly who is included in your account’s administrative group. If a user moves on to a non-administrative role, do not allow that user to perform management functions in AWS. Follow these AWS root account best practices, and you’ll ensure that nefarious cyber-criminals never gain access to your cloud-computing credentials. What should be done by the AWS account root user?Enable MFA on the AWS account root user
We recommend that you follow the security best practice to enable multi-factor authentication (MFA) for your account. Because your root user can perform sensitive operations in your account, adding an additional layer of authentication helps you to better secure your account.
Which of these actions can only be performed by the root account user?For example, only the root user can close your account. If you must perform a task that requires the root user, sign in to the AWS Management Console with the email address and password of the root user. For more information, see Tasks that require root user credentials in the AWS Account Management Reference Guide.
Which of the following is an AWS best practices for managing an AWS account root user?Best practices to protect your account's root user. Enable AWS multi-factor authentication (MFA) on your AWS account root user. ... . Never share your AWS account root user password or access keys with anyone.. Use a strong password to help protect access to the AWS Management Console.. Which of the following is a best practice for the root account user?Here are the top five AWS root user account best practices every organization should follow: Never share AWS root account credentials. Delete any and all of root's programmatic access keys. Enable multi-factor authentication (MFA) on the root account.
|