Now that you understand IAM, let's discuss how to secure your AWS account itself. Your account contains a root user, which is the identity created when you first sign up. This user has complete and unrestricted access to all resources.
Engagement Message
Why is having a single user with unlimited power a potential security risk?
Because the root user is so powerful, the number one rule is: don't use it for everyday tasks. After setting up your account, you should create an administrative IAM user for yourself, and then lock away the root user credentials.
This is a critical step in securing your environment.
Engagement Message
What challenges might you face when trying to convince team members to stop using the root user for daily tasks?
The most important action you can take to secure your root user (and all users) is to enable Multi-Factor Authentication (MFA). MFA adds a second layer of security, requiring something you know (your password) and something you have (an authentication device).
Even if someone steals your password, they can't log in without your physical MFA device.
Engagement Message
What would happen if an attacker gained access to your AWS account without MFA enabled?
You can use virtual MFA applications on your smartphone, like Google Authenticator or Authy, or you can use a hardware MFA device like a YubiKey. The key is to enable it for your root user and all IAM users.
Engagement Message
Which method, virtual or hardware, seems more convenient for you?
Beyond MFA, another best practice is to grant applications access to AWS through IAM roles instead of embedding long-term credentials such as a password or an access key in the application. A role provides temporary security credentials that expire automatically, which is much more secure than a secret that stays valid until someone remembers to rotate it.
Engagement Message
Why are temporary credentials safer than permanent passwords stored in an application?
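One way to check the practices covered above (MFA on the root user and every IAM user, no everyday root usage, no long-term access keys where a role would do) is to audit the account's IAM credential report. The report is a CSV that AWS produces with `aws iam generate-credential-report` followed by `aws iam get-credential-report`; the root user appears in it as `<root_account>`. The script below is an added example, not part of this lesson or of any AWS tooling, and the report contents it parses are constructed sample data with the real column layout.

```python
import csv
import io

# Constructed sample in the layout of an IAM credential report (not real data).
# Columns follow the real report; the account id and users are made up.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2023-01-01T00:00:00+00:00,not_supported,2024-05-01T09:00:00+00:00,not_supported,not_supported,false,true,2023-01-01T00:00:00+00:00,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2023-02-01T00:00:00+00:00,true,2024-05-02T09:00:00+00:00,2024-01-01T00:00:00+00:00,N/A,true,false,N/A,false,N/A
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,2023-03-01T00:00:00+00:00,false,no_information,N/A,N/A,false,true,2023-03-01T00:00:00+00:00,false,N/A
"""

# Values the report uses when a field carries no timestamp.
NO_TIMESTAMP = {"N/A", "no_information", "not_supported"}


def audit_credential_report(report_csv: str) -> list[str]:
    """Return one finding per violation of the account-security practices."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        name = row["user"]
        keys_active = (row["access_key_1_active"] == "true"
                       or row["access_key_2_active"] == "true")
        if name == "<root_account>":
            # Root must have MFA, must hold no access keys, and should not be
            # used for everyday sign-ins once an admin IAM user exists.
            if row["mfa_active"] != "true":
                findings.append("root: MFA not enabled")
            if keys_active:
                findings.append("root: long-term access keys are active")
            if row["password_last_used"] not in NO_TIMESTAMP:
                findings.append(f"root: console sign-in recorded at {row['password_last_used']}")
        else:
            # Every console user needs MFA; long-term keys should give way to roles.
            if row["password_enabled"] == "true" and row["mfa_active"] != "true":
                findings.append(f"{name}: console password without MFA")
            if keys_active:
                findings.append(f"{name}: long-term access keys active, prefer an IAM role")
    return findings


if __name__ == "__main__":
    for finding in audit_credential_report(SAMPLE_REPORT):
        print(finding)
```

On a real account, decode the `Content` field returned by `get-credential-report` from base64 before passing it to `audit_credential_report`.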
