Setting up security best practices with pre-existing account

0

Hi,

After reading into security best practices I realized I am a root user and shouldn't be building resources here. I have 1 cloud formation stack with some drift and a few manually made API Gateway > SQS > Lambda setups that function as basic webhook handlings. Two DynamoDB tables as well. Everything has been configured under the root user, is there a best practice for untangling my security situation?

  1. Create my initial base user that I will personally use and transfer everything to that user from root and lock it down per the docs.
  2. Same as 1 but transfer root privileges too that new user but I am unsure what the recommended approach would be.

#1 Has me concerned with how the transfer happens, what happens to my data etc. #2 Sounds the easiest but I have concerns about privileges post transfer of root privileges, and what would happen to a resource that was on root originally if it lost authority to use it?

Not sure if any of these concerns are valid, I am very new to AWS and am only now realizing how much setup work I skipped...

1 Answer
1

Hi,

You can create an IAM user with Administrator privileges. When you create an IAM User and assign the 'AdministratorAccess' policy, that user gets access to all resources within your AWS account. So when you login using the credentials associated with the Admin user, you will still be able to view and interact with the resources created by the root user.

You can further manage access in AWS by creating policies and attaching them to IAM identities (users, groups of users, or roles) or AWS resources. You can choose to create custom IAM policies for your users/groups if there are only a subset of permissions you'd like them to have or attach existing policies to IAM identities (example- attaching AWSLambda_FullAccess to an identity grants them full access to AWS Lambda service, AWS Lambda console features, and other related AWS services.

AWS strongly recommends that you use the root user only for two things:
Create the first administrator user in AWS Identity and Access Management (IAM) - Reference Link
Perform those tasks that can be performed by only the root user - Reference Link

profile picture
EXPERT
answered 3 months ago
  • Here are some other areas to know about as you mentioned you have recently started with AWS - https://aws.amazon.com/blogs/security/top-10-security-items-to-improve-in-your-aws-account/

  • You can create an IAM user with Administrator privileges. When you create an IAM User and assign the 'AdministratorAccess' policy, that user gets access to all resources within your AWS account. So when you login using the credentials associated with the Admin user, you will still be able to view and interact with the resources created by the root user.

    This is a straight forward solution.

    AWS strongly recommends that you use the root user only for two things: Create the first administrator user in AWS Identity and Access Management (IAM) - Reference Link Perform those tasks that can be performed by only the root user - Reference Link

    Am I accepting a level of risk in leaving the services originally created under the root user as is? If I am intent on removing that risk, what would be my options then?

  • In case you were using access keys (access key ID plus secret access key) to make programmatic requests to AWS for resources created then make sure that you don't embed access keys directly into code. And you should rotate your access keys periodically and remove unused keys whenever applicable. Also configure MFA for most sensitive operations.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions