IAM Advanced
Securing the root user, enabling MFA, access keys, CloudTrail, and account protection best practices
AWS Account Root User vs. IAM Users
When you first create an AWS account, you begin with a single sign-in identity that has complete access to all AWS services and resources in the account. This is the account root user, accessed by signing in with the email address and password used to create the account.
Root-Only Actions
Certain tasks can only be performed by the root user:
- Change the account root user password
- Change the AWS Support plan
- Restore IAM user permissions (if all IAM users are locked out)
- Change account settings (contact information, allowed Regions)
- Close the AWS account
- Enable MFA delete on an S3 bucket
Securing a New AWS Account: The 4-Step Process
- While logged in as root, create an IAM user for yourself.
- Create an IAM group (e.g. "FullAccess"), attach administrator policies, and add the IAM user to it.
- Disable and remove any root user access keys.
- Enable a password policy for all IAM users.
- Sign out as root, copy the IAM sign-in link from the dashboard, and sign in with your new IAM user.
- Store root user credentials in a secure, offline location.
Multi-Factor Authentication (MFA)
Require MFA for the account root user and for all IAM users. MFA adds an extra authentication code beyond username and password.
MFA Token Options
| Type | Examples | Notes |
|---|---|---|
| Virtual MFA apps | Google Authenticator, Authy | Free. Software-based token generation on a smartphone. |
| U2F security keys | YubiKey | Physical USB/NFC device. Supports multiple root/IAM users on a single key. |
| Hardware MFA | Gemalto key fob, display card | Physical device. Key fob for tap, display card shows rolling codes. |
AWS CloudTrail
AWS CloudTrail tracks user activity and API usage on your account. It logs all API requests to resources in all supported services.
- Enabled by default on all AWS accounts (free).
- Records the last 90 days of management event activity (create, modify, delete operations).
- Viewable and searchable from the CloudTrail console → Event history.
- For log retention beyond 90 days and event alerting: create a Trail, configure an S3 bucket for log storage, and apply it to all Regions.
- CloudTrail enables operational auditing — who did what, when, and from where.
AWS Cost and Usage Report
The AWS Cost and Usage Report tracks your AWS usage and provides estimated charges by the hour or by the day. AWS delivers the report to an S3 bucket you specify, updated at least once daily. It provides visibility into spending for security and cost governance.
Access Keys
Access keys consist of an access key ID and a secret access key. They are used for programmatic access (AWS CLI, SDK, API).
Best Practices for Access Keys
- Never share access keys between users.
- Never embed access keys in code, applications, or repository commits.
- Use IAM roles instead of long-term access keys whenever possible (e.g., on EC2 instances, Lambda functions).
- Rotate access keys regularly.
- Delete unused or compromised access keys immediately.
- Remove root user access keys — the root user should not have any programmatic access.
Password Policies
You can enforce password policies for IAM users at the account level:
- Set minimum password length
- Require specific character types (uppercase, lowercase, numbers, non-alphanumeric)
- Allow users to change their own passwords
- Enforce password expiration (e.g., every 90 days)
- Prevent password reuse
Password policies apply to all IAM users in the account. They do not apply to the root user password.
IAM Credential Report
The IAM credential report lists all users in your account and the status of their various credentials — passwords, access keys, MFA devices. It is a critical tool for auditing and compliance. You can generate and download the report from the IAM console at the account level.
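The credential report is most useful when the checks from the Access Keys and MFA sections above are run against it automatically. The script below is an added example, not part of these notes or of any AWS tool: it parses a constructed report in the CSV layout that `aws iam get-credential-report` returns (base64-decoded), and flags root access keys, missing MFA, and access keys not rotated or not used within a review window (90 days assumed here, matching the password-expiration example above).

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the IAM credential report CSV layout; the account ID,
# users and dates are made up. Root has an active key and no MFA; bob has a
# stale, long-unused key and no MFA; alice is compliant.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2023-01-01T00:00:00+00:00,not_supported,2024-05-01T10:00:00+00:00,not_supported,not_supported,false,true,2023-01-01T00:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2023-02-01T00:00:00+00:00,true,2024-05-02T09:00:00+00:00,2024-04-01T00:00:00+00:00,2024-06-30T00:00:00+00:00,true,true,2024-04-15T00:00:00+00:00,2024-05-02T09:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2023-03-01T00:00:00+00:00,true,no_information,2023-03-01T00:00:00+00:00,2023-05-30T00:00:00+00:00,false,true,2023-03-01T00:00:00+00:00,2023-09-01T00:00:00+00:00,us-west-2,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""
SAMPLE_NOW = datetime(2024, 5, 10, tzinfo=timezone.utc)  # fixed "now" for the sample


def _parse_ts(value):
    """ISO timestamp -> aware datetime; N/A, not_supported, no_information -> None."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def audit_credential_report(csv_text, now, max_age_days=90):
    """Return (user, finding) pairs for root keys, missing MFA, stale and unused keys."""
    findings = []
    max_age = timedelta(days=max_age_days)
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = row["user"]
        is_root = user == "<root_account>"
        # MFA is expected on root always, and on any IAM user with a console password.
        if row["mfa_active"] != "true" and (is_root or row["password_enabled"] == "true"):
            findings.append((user, "no MFA device active"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            if is_root:  # root should have no programmatic access at all
                findings.append((user, f"root user has active access key {n}"))
            rotated = _parse_ts(row[f"access_key_{n}_last_rotated"])
            if rotated is not None and now - rotated > max_age:
                findings.append((user, f"access key {n} not rotated in {max_age_days} days"))
            last_used = _parse_ts(row[f"access_key_{n}_last_used_date"])
            if last_used is None or now - last_used > max_age:
                findings.append((user, f"access key {n} unused for {max_age_days} days"))
    return findings


def run_sample():
    return audit_credential_report(SAMPLE_REPORT, SAMPLE_NOW)


if __name__ == "__main__":
    for user, finding in run_sample():
        print(f"{user}: {finding}")
```

On a real account, feed the output of `aws iam get-credential-report --query Content --output text | base64 -d` to `audit_credential_report` with `datetime.now(timezone.utc)`.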