Tasks that require root user


As we all know, it is AWS best practice not to use the root user. However, there are certain tasks that require root credentials. But why avoid it? The root user has full access to all your resources for all AWS services, including your billing information. Moreover, there is no way to reduce the permissions associated with your AWS account root user access key. Additionally, it is required from a compliance perspective to enable multi-factor authentication with a hardware MFA device for the root user.

So please remember:
🚨 If you do have an access key for your AWS root user, delete the access key.
🚨 Enable MFA for root user with a Hardware MFA device and lock it in a safe.
🚨 Create an IAM user for yourself that has administrative permissions and use the root user just for the following tasks.

1. Change your account settings (account name, root user password, email address and enable MFA)

How to change your Account Name, Root User Password, and Root User Email Address

  1. Sign in to your AWS Account with root credentials.
  2. Open the Billing and Cost Management console.
  3. On the navigation bar, choose your Account and then choose My Account.
  4. On the Account Settings page, choose Edit.
  5. Next to the field to update, choose Edit.
  6. Enter your changes and choose Save changes.
  7. Choose Done.

How to enable MFA for root user

  1. Sign in to your AWS Account with root credentials.
  2. Open the Billing and Cost Management console.
  3. On the navigation bar, choose your Account and then choose My Security Credentials.
  4. Expand Multi-factor authentication (MFA).
  5. Click Activate MFA.
  6. Follow the instructions in the Activate MFA box.

2. Change your AWS support plan

How to change your AWS support plan

  1. Sign in to your AWS Account with root credentials.
  2. Open the Billing and Cost Management console.
  3. On the navigation bar, choose your Account and then choose My Account.
  4. Scroll to the Manage AWS Support Plans section.
  5. Click on the Click here to manage AWS Support plans button.
  6. Choose your new AWS Support Plan and click Change Plan.

3. Closing an AWS Account.

How to close your AWS Account

  1. Sign in to your AWS Account with root credentials.
  2. Open the Billing and Cost Management console.
  3. On the navigation bar, choose your Account and then choose My Account.
  4. Scroll to the end of the page to the Close Account section.
  5. Select the check box to accept the terms and then choose Close Account.
  6. In the confirmation box, choose Close Account.

4. Submit a Reverse DNS for Amazon EC2 request.

How to submit a Reverse DNS for Amazon EC2 request.

  1. Sign in to your AWS Account with root credentials.
  2. Fill out the Reverse DNS for Amazon EC2 request form.

5. Request removal of the port 25 email throttle on your EC2 instance.

How to request removal of the port 25 email throttle on your EC2 instance

  1. Sign in to your AWS Account with root credentials.
  2. Fill out the Request to Remove Email Sending Limitations form.

6. Creation of a CloudFront key pair.

How to create a CloudFront key pair

  1. Sign in to your AWS Account with root credentials.
  2. Open the Billing and Cost Management console.
  3. On the navigation bar, choose your Account and then choose My Security Credentials.
  4. In the popup box, select Continue to Security Credentials.
  5. Expand CloudFront Key Pairs.
  6. Click Create New Key Pair.
  7. In the Create Key Pair dialog box, click Download Private Key File.

7. Configure an Amazon S3 bucket to enable MFA (multi-factor authentication) Delete.

How to enable MFA delete for an S3 bucket

Unfortunately, enabling MFA delete via the console is currently not supported. You need to run the following command (with root credentials and the root user's MFA device) to enable MFA delete for a bucket; versioning and MFA delete are switched on together:

aws s3api put-bucket-versioning --bucket bucketname --versioning-configuration Status=Enabled,MFADelete=Enabled --mfa "your-mfa-serial-number mfa-code"
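To verify that the three rules from the checklist at the top of this post hold, and that the command above actually took effect, the following Python script is an added example (not part of the original post). It evaluates the JSON that the real AWS CLI commands `aws iam get-account-summary` and `aws s3api get-bucket-versioning --bucket NAME` print; the two sample documents embedded below are constructed to look like that output so the checks run offline. The field names `AccountAccessKeysPresent`, `AccountMFAEnabled`, `Status` and `MFADelete` are the real ones from those commands; the helper names are ours.

```python
"""Audit the root-user rules and the MFA Delete state of a bucket.

Added example, not code from the original post. The checks read the JSON
printed by the real AWS CLI commands
  aws iam get-account-summary
  aws s3api get-bucket-versioning --bucket NAME
The samples below are constructed to resemble that output.
"""
import json
import subprocess
import sys
from typing import List

# Constructed sample of `aws iam get-account-summary` output (an account that
# still has a root access key and no root MFA, i.e. violates both rules).
SAMPLE_ACCOUNT_SUMMARY = json.dumps({
    "SummaryMap": {
        "AccountAccessKeysPresent": 1,
        "AccountMFAEnabled": 0,
        "Users": 3,
    }
})

# Constructed sample of `aws s3api get-bucket-versioning` output for a bucket
# that is versioned but where MFA Delete was never enabled.
SAMPLE_BUCKET_VERSIONING = json.dumps({"Status": "Enabled", "MFADelete": "Disabled"})


def root_findings(summary_json: str) -> List[str]:
    """Return the checklist rules that the account currently violates.

    AccountAccessKeysPresent counts access keys on the root user (0 or 1);
    AccountMFAEnabled is 1 when the root user has an MFA device.
    """
    summary = json.loads(summary_json)["SummaryMap"]
    findings = []
    if summary.get("AccountAccessKeysPresent", 0) != 0:
        findings.append("root access key present: delete it")
    if summary.get("AccountMFAEnabled", 0) != 1:
        findings.append("root MFA not enabled: enable a hardware MFA device")
    return findings


def mfa_delete_enabled(versioning_json: str) -> bool:
    """True only when versioning is on AND MFA Delete is enabled.

    Caveat: for a bucket that never had versioning configured the CLI prints
    nothing at all, so an empty string must be treated as 'not enabled'.
    """
    cfg = json.loads(versioning_json or "{}")
    return cfg.get("Status") == "Enabled" and cfg.get("MFADelete") == "Enabled"


def run_cli(args: List[str]) -> str:
    """Run an AWS CLI command and return its stdout (requires configured credentials)."""
    return subprocess.run(["aws", *args], check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Usage: python root_audit.py [bucket-name]
    for finding in root_findings(run_cli(["iam", "get-account-summary"])) or ["root user checks OK"]:
        print(finding)
    if len(sys.argv) > 1:
        state = mfa_delete_enabled(run_cli(["s3api", "get-bucket-versioning", "--bucket", sys.argv[1]]))
        print(f"MFA Delete on {sys.argv[1]}: {'enabled' if state else 'NOT enabled'}")
```

Run it with an IAM user that has `iam:GetAccountSummary` and `s3:GetBucketVersioning`; no root credentials are needed for the audit, which is the point: the root user is used only to make the change, and an ordinary administrator verifies it.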

8. Edit or delete an Amazon S3 bucket policy that includes an invalid VPC ID or VPC endpoint ID.

How to edit or delete an Amazon S3 bucket policy that includes an invalid VPC ID or VPC endpoint ID

  1. Sign in to your AWS Account with root credentials.
  2. Open the Amazon S3 Console.
  3. Select the bucket where you want to edit or delete the bucket policy.
  4. Choose the Permissions tab and select Bucket Policy.
  5. Edit the bucket policy and click Save or click Delete to delete the bucket policy.

9. Sign up for the GovCloud (US).

How to sign up for AWS GovCloud (US)

  1. Sign in to your AWS Account with root credentials.
  2. Open the Billing and Cost Management console.
  3. On the navigation bar, choose your Account and then choose My Account.
  4. Scroll to the GovCloud (US) section.
  5. Click Sign up for AWS GovCloud (US).


We at globaldatanet specialize in Cloud Security. If you have any questions, feel free to get in touch with us via hello@globaldatanet.com
