2. Lesson 2 - Forming your world
Objective 2:
● Getting acquainted
● Setting up your account
● Root User Lock Down
● IAM Users => Maturing your access model
Form a world and explore
3. Prerequisites
1. Use a credit card and email to sign up
2. Gain access to the console of an AWS Account
3. Generate an SSH Key and have a Kali Linux VM or system to use
5. Your responsibility
● Secure this account
● Pay the bill for this account
○ Plan for $50.00 for the week
○ Keep track of the spend
● Close it when we’re done with the course
○ This takes 30-days
○ I’ll walk you through it
7. Root User - Terminology
● Root user in AWS - The first user account you create.
● Root user ONLY tasks (mostly true; see upcoming content):
○ Change account settings like technical and security contacts.
○ Change payment info.
○ Delegate viewBilling permissions.
○ Permanently close the account
○ Anything with permissions. Access cannot be delegated away.
○ Change the support plan.
○ AWS Marketplace Registration
○ Sign up for GovCloud
○ Notify AWS you’re going to pentest AWS services
8. Root User - TL;DR
Generate a root user → Add Multi Factor → Lock it up → Delegate access
12. Root User - Settings
Legend:
● A: Where do the bills go?
● B: When AWS needs to get rid of an old server, who gets called?
● C: When your account is mining bitcoin and running C2 for nation states, who gets called?
13. Root User - Settings
Legend:
● D: Challenge questions that enable you to reset the root user password. Strangely not configured by default.
14. Root User - Challenge Questions
Advice:
● Choose random challenge items and generate secrets for these.
17. Root user settings recap
● Set up security challenges
● Set up billing emails
● Set up contacts for bills, ops, and security
○ Which we will of course keep up to date ;)
● Able to answer the question
○ “Root user what is it good for?”
20. MFA - TOTP
● Time based one time password
Pros:
● Tried and true
● Lots of support (virtual, hardware, app)
Cons:
● Device resyncs
● Secret storage for team sharing
21. MFA - TOTP
Recommendation:
● CLI - oathtool
○ https://savannah.nongnu.org/projects/oath-toolkit/
● DUO App on Mobile
○ Free
○ TOTP Seed Backup
23. MFA - U2F
● Universal second factor
Pros:
● Most secure we have
● Multiple hardware vendors
○ Yubikey (top right)
○ Feitian MultiPass (bottom right)
● Well supported in Chrome and Firefox
Cons:
● AWS only lets you enroll one key
● Hard to share over distance
Advice:
● Don’t lose the key
24. Transition from the root user
● Set up Billing Delegation
○ Other users can view bills
● Provision an IAM User to use for the rest of the setup
○ Your first “Administrator”
○ This account will be used for the majority of actions in the course
○ Eventually transition from this when we set up single sign-on
Delegate access
29. Add two templates
● From supplemental 01-02
○ 00-unfederated-iam-roles.yml
○ 01-first-user.yml
● Sets up a role structure
○ Requires users to use MFA (don’t quite worry about how)
● Sets up first IAM user
○ You’ll use this for most of the class
○ Sets a temp password
31. What did we do?
● Set up a foundational role structure
● ReadOnly and Administrative Access
● Requires MFA
● Generated a first user and random password
What’s next?
● Login to the console
● Set up MFA for this user
● Get an access key pair for the user
● Add it to some tooling to sign in
39. Sign back in! (With MFA)
● You may notice you can do more things!
Try switching roles
40. Switch Roles! (With MFA)
● You may notice you can do EVEN more things!
● Your account ID from the console sign-in
● A role name (UnfederatedAdministrator)
● Auto-populated
● Choose your favorite
41. Success Looks Like
Your assumed role
We provisioned two roles.
This list can notably be as long as you like.
Get the powers of the role you assumed until you drop them OR 1 hour passes.
Works the same for multi-account / cross account access
42. Let’s do CLI Access
● My personal recommendation is to use the CLI via aws-vault
○ Available in your VM or installable on your platform
● Backup method -- use boto3 and awscli natively
● There’s no ONE right way
43. Get some access and secret keys
IAM -> Users -> ${YOUR_USER} -> Security Credentials
46. Why AWS-Vault
● Differentiates long lived and short-lived sessions
● Also adds a metadata proxy for local developers
● Protect secrets at rest
● Much better UX than the aws cli
○ The better the user experience in your security tools, the better adoption you’re going to have.
● Credential leaks are still the #1 cause of AWS Security Incidents
51. Some neat things about your IAM User
● That user can only assumeRole ( like UnfederatedAdministrator )
● The assumeRole calls MUST be made with MFA
● If you leak your long-lived key an attacker can’t leverage it
● You can bring this pattern back to your workplace
● How it works … later on: ~Day 3
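The pattern on this slide (the IAM user may only call AssumeRole, and the role only accepts the call when MFA was present) lives in two policy documents. The block below is an added example, not the course's 00-unfederated-iam-roles.yml or 01-first-user.yml, that checks both documents for the properties the slide claims; the policy JSON is constructed and the account id 111111111111 is a placeholder. It also shows the one caveat worth knowing: a `BoolIfExists` condition looks like an MFA requirement but lets a long-lived access key through.

```python
"""Check that the 'IAM user can only AssumeRole, and only with MFA' pattern is
really enforced by the policy documents (added example; this is not the course's
CloudFormation template code, and the account id below is a placeholder).

Two properties are checked:
  1. every Allow of sts:AssumeRole in the role's trust policy requires MFA via
     Condition -> Bool -> aws:MultiFactorAuthPresent == true;
  2. the user's own identity policy grants nothing but sts:AssumeRole, so a
     leaked long-lived key yields no direct API access.
"""
import json

MFA_KEY = "aws:multifactorauthpresent"


def _as_list(value):
    """IAM lets most fields be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def statement_requires_mfa(stmt: dict) -> bool:
    """True if the statement pins aws:MultiFactorAuthPresent to true with 'Bool'.
    'BoolIfExists' is deliberately NOT accepted: the key is absent for requests
    signed with an IAM user's long-lived access key, and '...IfExists' then
    evaluates to true, which is exactly the case this pattern must block."""
    bool_cond = stmt.get("Condition", {}).get("Bool", {})
    for key, val in bool_cond.items():
        if key.lower() == MFA_KEY and str(_as_list(val)[0]).lower() == "true":
            return True
    return False


def trust_policy_requires_mfa(policy: dict) -> bool:
    """Every Allow that grants sts:AssumeRole must carry the MFA condition."""
    allows = [s for s in _as_list(policy["Statement"])
              if s.get("Effect") == "Allow"
              and "sts:assumerole" in [a.lower() for a in _as_list(s.get("Action", []))]]
    return bool(allows) and all(statement_requires_mfa(s) for s in allows)


def user_policy_only_assumes_role(policy: dict) -> bool:
    """The user's permissions must consist solely of sts:AssumeRole.
    Wildcards, any other action, or a NotAction grant all fail the check."""
    for s in _as_list(policy["Statement"]):
        if s.get("Effect") != "Allow":
            continue
        if "NotAction" in s:
            return False
        actions = [a.lower() for a in _as_list(s.get("Action", []))]
        if not actions or any(a != "sts:assumerole" for a in actions):
            return False
    return True


def evaluate(trust_policy: dict, user_policy: dict) -> dict:
    """Summarise both checks; both must be True for the pattern to hold."""
    return {"mfa_enforced": trust_policy_requires_mfa(trust_policy),
            "user_only_assumes_role": user_policy_only_assumes_role(user_policy)}


# --- constructed sample documents; 111111111111 is a placeholder account id ---
GOOD_TRUST = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
  }]
}""")

# Same trust policy but with BoolIfExists: passes when the MFA key is absent.
WEAK_TRUST = json.loads(json.dumps(GOOD_TRUST).replace('"Bool"', '"BoolIfExists"'))

USER_ASSUME_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Resource": "arn:aws:iam::111111111111:role/UnfederatedAdministrator"}]}

USER_TOO_BROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["sts:AssumeRole", "s3:GetObject"], "Resource": "*"}]}

if __name__ == "__main__":
    print(json.dumps(evaluate(GOOD_TRUST, USER_ASSUME_ONLY), indent=2))
    print(json.dumps(evaluate(WEAK_TRUST, USER_TOO_BROAD), indent=2))
```

Run it against your own documents by loading the trust policy of UnfederatedAdministrator and the inline policy of your first user (for example from the rendered templates) in place of the constructed samples; both checks returning True is what "if you leak your long-lived key an attacker can't leverage it" rests on.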
61. What did we do?
● New account setup
● Root account lockdown
● Technical, Security and Billing Contacts
● Get off the root account
● Set up an IAM user model requiring 2FA with two roles
● Killed long lived access keys
● Practiced role assumption
Later on:
● Learn about this 2FA account pattern
If you already have AWS:
● Go check out your root account
● Audit the contacts
● Ensure no one has credentials for it in a password manager or other
● Ensure that it has 2FA
62. Questions
Go forth and configure your environment using the instructions for lab 0202-setting-up-your-account.md in the labs folder at your convenience.