
Protecting the root account (required)

https://catalog.workshops.aws/startup-security-baseline/en-US/b-securing-your-account/2-protect-root-

Your root user (the email you used to register the AWS account) is very powerful and grants unlimited access to your account and resources. The CIS AWS Foundations Security Benchmark Controls strongly recommend that you do not use the root user for your everyday tasks, even administrative ones. Your root user should only be used for billing issues and changing of alternate contacts.

Perform all other actions using IAM Users or other IAM identities. Click here for more information.

This section will show you how to:

  - Configure MFA for your Root user
  - Delete your Root Account access keys

Controls Implemented in this Section

  - ACCT.02 - Restrict use of the root user
  - ACCT.05 - Require Multi-Factor Authentication (MFA) to log in

Estimated Cost

This control is free.

Workshop Steps

Delete root account access keys

Root user access keys grant unlimited programmatic access to your account and its resources, so you should delete them to secure your account.

  1. Sign in to the AWS Console as the root user by choosing Root user and entering your AWS account email address.
     [Image: Log in as root user]
  2. Click on your username on the top right and select Security Credentials.
     [Image: Access Security Credentials]
  3. On the Your Security Credentials page, select Access keys (access key ID and secret access key) to expand it. If you have any access keys, select Delete.
     [Image: Delete access keys]
  4. Select Deactivate, fill in the key name, and select Delete to delete the key.

Turn MFA on for the root user

Multi-Factor Authentication (MFA) is a vital mechanism to improve your account security. With MFA set up, a malicious actor will face another challenge to access your account even if they manage to get your root email and password.

Ideally, the token and the password should be held by two different people. This will prevent any single person from using the root account.

  1. Download an authenticator app to your phone if you don't have any other MFA device. For this workshop, we will be using Twilio Authy (iOS | Android).
  2. Use your AWS account email address and password to sign in as the AWS account root user to the IAM console.
  3. On the right side of the navigation bar, click your account name, and click My Security Credentials. If necessary, click Continue to Security Credentials.
     [Image: Access Security Credentials]
  4. Then expand the Multi-Factor Authentication (MFA) section on the page. Click Activate MFA.
     [Image: Activate MFA in the MFA section to view Manage MFA device]
  5. In the wizard, select Virtual MFA device and then click Continue.
     [Image: Select Virtual MFA device and click Continue]
  6. On the Set up virtual MFA device window, click Show QR code.
     [Image: Show QR code on the Set up virtual MFA device page]
  7. Click on the plus button in the Twilio Authy app and scan the QR code.
     [Image: Click the "+" button in Twilio Authy to scan the QR code]
     If you cannot scan the code, tap Cancel in Twilio Authy. Select Enter key manually at the bottom of the screen. Click Show Secret Key in the AWS MFA setup wizard. Type the key manually into Twilio Authy.
     You can set a password to store this securely in Authy, or tap Skip if you choose not to. Tap Save.
     The device starts generating six-digit numbers.
     [Image: 6-digit authentication number generated in Twilio Authy]
  8. Return to the Manage MFA Device wizard. In the MFA Code 1 box, type the six-digit number that's currently displayed by the MFA device. Wait up to 30 seconds for the device to generate a new number, and then type the new six-digit number into the Authentication Code 2 box. Click Assign MFA.
     [Image: Enter 2 consecutive MFA codes to authenticate]

     Important: Submit your request immediately after generating the codes. If you generate the codes and then wait too long to submit the request, the MFA device successfully associates with the user but the MFA device is out of sync. This happens because time-based one-time passwords (TOTP) expire after a short period of time. If this happens, you can resync the device.

Test your new MFA setting

  1. Open a separate browser and stay logged in to your account on the original browser. Try logging into your root account at the AWS console.
     [Image: Sign in using a separate browser]
  2. You should need the MFA code to log in. If MFA doesn't work, return to the previous browser where you are still logged in and try to configure MFA again.

For more information, please read the AWS User Guide.
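To confirm both controls from this section without clicking through the console, here is an added Python example (not part of the workshop) that evaluates the root entry of an IAM credential report together with the GetAccountSummary map. The sample values are constructed; the same functions accept the live data from boto3's get_account_summary()["SummaryMap"] and get_credential_report()["Content"].decode().

```python
"""Audit the root user against ACCT.02 (no root access keys) and
ACCT.05 (MFA enabled on root), using the data IAM already exposes.

Assumptions (not from the workshop): inputs are the SummaryMap from
GetAccountSummary and the CSV body of an IAM credential report.
"""
import csv
import io

# Constructed sample of iam.get_account_summary()["SummaryMap"] (real keys).
SAMPLE_SUMMARY = {"AccountMFAEnabled": 0, "AccountAccessKeysPresent": 1}

# Constructed credential-report excerpt (real column names, fake account id).
SAMPLE_REPORT = (
    "user,arn,user_creation_time,password_enabled,mfa_active,"
    "access_key_1_active,access_key_2_active\n"
    "<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,"
    "not_supported,false,true,false\n"
    "alice,arn:aws:iam::111122223333:user/alice,2021-01-01T00:00:00+00:00,"
    "true,true,true,false\n"
)


def root_row(report_csv: str) -> dict:
    """Return the <root_account> row of a credential report as a dict."""
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] == "<root_account>":
            return row
    raise ValueError("credential report has no <root_account> row")


def audit_root(summary_map: dict, report_csv: str) -> list:
    """Return the control IDs from this section that the account fails."""
    findings = []
    root = root_row(report_csv)
    # ACCT.02: the account-level flag reports any root key, active or not
    # (a key that is only deactivated still exists); the per-key columns
    # confirm whether one is active.
    keys_active = "true" in (root["access_key_1_active"], root["access_key_2_active"])
    if summary_map.get("AccountAccessKeysPresent", 0) == 1 or keys_active:
        findings.append("ACCT.02")
    # ACCT.05: MFA must be enabled on the root user itself.
    if summary_map.get("AccountMFAEnabled", 0) != 1 or root["mfa_active"] != "true":
        findings.append("ACCT.05")
    return findings


if __name__ == "__main__":
    for control in audit_root(SAMPLE_SUMMARY, SAMPLE_REPORT):
        print(f"FAIL {control}: root user does not meet this control")
```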

What you accomplished

By implementing this control, you have successfully:

  - Configured MFA for your Root user
  - Deleted your Root Account access keys