This course has been updated! We now recommend you take the AWS For Front-End Engineers, v2 course.

Check out a free preview of the full AWS for Front-End Engineers (ft. S3, Cloudfront & Route 53) course:
The "Securing the Root Account" Lesson is part of the full, AWS for Front-End Engineers (ft. S3, Cloudfront & Route 53) course featured in this preview video. Here's what you'd learn in this lesson:

Steve sets up a new AWS account with a subuser and configures MFA on both accounts as well as discusses AWS's Identity Access Management (IAM).

Get Unlimited Access Now

Transcript from the "Securing the Root Account" Lesson

>> Steve Kinney: I do wanna spend a little bit of time talking about IAM. IAM stands for Identity Access and Management, and again, we created a single account and a tiny little startup. You might be like, yeah, we'll all just share the same username and password but at a certain amount of scale that doesn't work, right?

[00:00:19] All you need is one salty person who knows they're on their last week to go and have some fun, right? So the TL;DR of what IAM is, it's just how to manage sub accounts. You have one main account, and you can have multiple sub accounts. We're actually gonna create at least two sub accounts today, right?

[00:00:40] And one of the reasons is that, generally speaking, we don't want to use our root account, really for anything, right? If we lose control of the root account, it's kind of like game over, call the credit card company up and cancel the credit card. So a great way of not losing control of the root account is just to not use it, right?

[00:01:01] So we'll create a kind of sub account that has almost all of the rights as our root account and we'll use that instead. In the same way that most Unix based computers have a root, well, nobody actually ever uses that, right? You have some sub-account, and if you're really super secure, you have an account that has no admin rights or something along those lines.

[00:01:21] I don't do that, but you should. So we're gonna create a new account, and one thing to keep in mind when you're creating accounts is the Principle of Least Access, right? Which is only giving accounts as much power as they need, right? So when we create an administrator account, that's gonna be separate from a root account, we're gonna give it some pretty far reaching powers.

[00:01:41] But later, when we go and build a CI/CD pipeline, right, that account, we wanna keep it separate from administrative account in case we lose control of it. But it certainly doesn't need the ability to spin up Dynamo databases or change billing, or anything along those lines, right? If it's the CI/CD process and that's getting our client-side assets into an S3 bucket, well, it probably only needs the ability to write to an S3 bucket, right?

[00:02:04] So we can create accounts, and the accounts are for humans, but they're also for different, a CI/CD user, right? They're also for the robots in our lives. Also, we'll use accounts as well. And you do much more sophisticated and advanced things with IAM as well. You can have IAM roles created for users so they have their stuff sectioned off.

[00:02:26] We're not gonna do much of that today. We're just gonna keep it simple and know the basics for deploying an application. All right, so here's what we're gonna do together. We are going to secure a root account, then we're going to make an account that is not our root account, and then we're gonna secure that, too.

[00:02:42] Sound good? Cool, so let's do this together. So in Services, I'm gonna go to IAM.
>> Steve Kinney: And you can see it's kind of telling me all of the things that are kind of wrong with my account right now. If you have an older AWS account, this might even be sad, all right?

[00:03:04] Which is, we normally don't want API keys for our root account. By default, if you made a new account this morning, or yesterday, or in the last few months, there are no keys for your root account. But I know on my personal account, which I made, apparently, in 2007, I don't know what I was using it for in 2007, but that's how old the keys were.

[00:03:28] There were some keys and you should go ahead and delete them if you see that there, unless you're using them cause then you'll break stuff. But, so one thing I wanna do is turn on multi-factor authentication. If you have a hardware device, like one of those UB keys that you kind of plug into the computer, a software one is just an app, whether it's Google authenticator or something along those lines.

[00:03:49] I use one called Authy. It doesn't really matter. At work, I have one called Duo. There's 1,000 of them, it doesn't really matter. So we'll go ahead and I'll hit Next Step, and I get this cool code, and then, I take my phone.
>> Steve Kinney: I take a picture of the code.

[00:04:08] There was a Tumblr blog at one point called That might not be the real URL, but you know what I mean. And the only thing on it was no posts yet, because no one has actually ever taken a picture of a QR code. It's a fun joke.

[00:04:28] So I scan that code.
>> Steve Kinney: Cool, it's added, now I'll get some keys that I can put in, so cool. And so now no one can login into my account without first beating me up and taking my phone. Then, they can login into my account. They'd have to torture the password out of me, too, but that's really not hard.

[00:04:49] So let me refresh this page. You can see that's now a green check.