Want to get started in Amazon Web Services but worried about cloud security?  This step-by-step guide shows you the right way to get started in Amazon Web Services.  Cloud security is a must!

1) Create your account.

Go to https://aws.amazon.com/ and click on the “Sign in to the Console” button. Follow the steps to set up your account and your billing information.

2) Set up Logging

Before we start configuring anything, let’s set up logging. Logging is essential if something goes bump in the night (or if you’re hacked).

Amazon offers CloudTrail to log everything your users do when they’re logged in to the system.


The set-up page is pretty self-explanatory:


One thing that’s a little tricky is the “S3 bucket” field. You have to follow specific naming conventions (no spaces, for example). You can read more about these here:

One other thing – pay attention to your region. “Regions” are the geographical areas where Amazon has data centers. In this case, I’m working in the Oregon region, which you can tell at the top of every page. Make sure that you’re setting up CloudTrail in the main region where you’ll want to set up your servers.


Once you’ve set up logging, turn it on!


Great! Now you know that Amazon will log everything you do. We’ll show you how to view the log in a moment.

3) Create non-root users.

This sounds scary, but it’s actually quite simple. “Root” is the first account you get. It has god-like powers. It’s something that you never, ever want falling into the hands of attackers.

To protect it, we’re going to create user accounts that we’ll use for our day-to-day work.

We want to follow this procedure: http://docs.aws.amazon.com/IAM/latest/UserGuide/getting-started_create-admin-group.html

Go into IAM (Services > Security & Identity > IAM).  BTW, “IAM” stands for “Identity and Access Management.”


You’ll see a screen that looks like this.  You’re going to get very familiar with this screen!


Click on “Groups” then “Create New Group”:


Create one called “full-admin” (or whatever you want to prove that these are the tippy-top power users), then click “Next Step.”

Under “Attach Policy,” select “AdministratorAccess”.


Review what you’ve created, then click “Create Group” to finalize.

Now let’s create our first user!  Go to Users, then click on “Create New Users”


Enter the usernames, following a consistent convention (e.g., josh.ablett, jablett, or joshablett; any of these is fine, as long as you use the same one for everybody).

IMPORTANT: ONLY check “generate an access key for each user” if your users will be making API calls via code to AWS. If you don’t know what this means, then uncheck this box!


On the next page, you’ll see a menu to get your security credentials. YOU NEED TO STORE THESE IN A SAFE PLACE. If you lose them, or if they’re compromised, game over. We use and recommend LastPass or SpiderOak for storing sensitive credentials.

After storing your credentials in a secure place, you can click “close.”

When you download them, they will show BOTH an “Access Key ID” and a “Secret Access Key”. Store both of them, as you’ll need them both.

Click close.

4) Now, let’s make sure that CloudTrail is working

Go back to Services > Management Tools > CloudTrail

If it’s working, now you should see all the things you just did to create new users.


Uh oh. See how all of the users are “root”? Bad cloud security!  Viewers of Mr. Robot or Person of Interest will tell you that having “root” access is a bad thing. If something goes wrong, I can’t tell who actually did it!
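The console view above is enough to spot the problem by eye, but CloudTrail also writes the same records as JSON files into the S3 bucket you chose in step 2. The script below is an added example (it is not part of the original post) that reads one such file and lists every call made with root credentials, which is exactly what you want to see stop happening once you switch to named users. The sample records are constructed to mirror the CloudTrail format; the account id, IP address and user name are made up.

```python
import json

# Constructed sample of a CloudTrail log file (not a real capture): a "Records"
# array trimmed to the fields this check needs. Account id, IP and user name
# are made up. IAM is a global service, so its events are recorded with
# awsRegion "us-east-1" regardless of the region selected in the console.
SAMPLE_CLOUDTRAIL = json.dumps({
    "Records": [
        {"eventTime": "2016-03-01T14:02:11Z", "eventSource": "iam.amazonaws.com",
         "eventName": "CreateGroup", "awsRegion": "us-east-1",
         "sourceIPAddress": "203.0.113.10",
         "userIdentity": {"type": "Root", "accountId": "111122223333",
                          "arn": "arn:aws:iam::111122223333:root"}},
        {"eventTime": "2016-03-01T14:03:40Z", "eventSource": "iam.amazonaws.com",
         "eventName": "CreateUser", "awsRegion": "us-east-1",
         "sourceIPAddress": "203.0.113.10",
         "userIdentity": {"type": "Root", "accountId": "111122223333",
                          "arn": "arn:aws:iam::111122223333:root"}},
        {"eventTime": "2016-03-01T15:10:02Z", "eventSource": "signin.amazonaws.com",
         "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
         "sourceIPAddress": "203.0.113.10",
         "userIdentity": {"type": "IAMUser", "accountId": "111122223333",
                          "userName": "josh.ablett",
                          "arn": "arn:aws:iam::111122223333:user/josh.ablett"}},
        {"eventTime": "2016-03-01T15:11:30Z", "eventSource": "iam.amazonaws.com",
         "eventName": "EnableMFADevice", "awsRegion": "us-east-1",
         "sourceIPAddress": "203.0.113.10",
         "userIdentity": {"type": "IAMUser", "accountId": "111122223333",
                          "userName": "josh.ablett",
                          "arn": "arn:aws:iam::111122223333:user/josh.ablett"}},
    ]
})


def load_records(raw):
    """Parse one CloudTrail log file (the JSON CloudTrail writes to S3)."""
    return json.loads(raw)["Records"]


def actor(record):
    """Human-readable name of who made the call: 'root' for the account root
    credentials, the IAM user name otherwise (falls back to the identity type)."""
    ident = record.get("userIdentity", {})
    if ident.get("type") == "Root":
        return "root"
    return ident.get("userName") or ident.get("type", "unknown")


def root_activity(records):
    """Return every call made with root credentials, oldest first.
    After step 3 of the guide this list should stop growing: day-to-day work
    happens as a named IAM user, so any new root entry is worth a look."""
    hits = [
        {"time": r["eventTime"], "event": r["eventName"],
         "source": r["eventSource"], "ip": r.get("sourceIPAddress", "")}
        for r in records if actor(r) == "root"
    ]
    return sorted(hits, key=lambda h: h["time"])


def activity_summary(records):
    """Count calls per actor, so you can see at a glance whether 'root' is
    still doing the work that named users should be doing."""
    counts = {}
    for r in records:
        counts[actor(r)] = counts.get(actor(r), 0) + 1
    return counts


if __name__ == "__main__":
    recs = load_records(SAMPLE_CLOUDTRAIL)
    print("calls per actor:", activity_summary(recs))
    for h in root_activity(recs):
        print("ROOT used: %(time)s %(event)s from %(ip)s" % h)
```

Point `load_records` at a file downloaded from your CloudTrail bucket and the two root entries in the sample become whatever you did while still logged in as root; once everyone is working as a named user, a non-empty `root_activity` result is the thing to investigate.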

From this point forward, it’s time to switch users.

There are a couple of things we need to do first.

5) Set your user up with a password

The “user security credentials” you created above were only for programmatic access. They’re not a password. Now you need to create a password for the user.

Services > Security & Identity > IAM

Click into “Users”, and then click into the new user you created. Once there, click on “Security Credentials” and then “Manage Password.”


Choose the options you want.  Follow strong password measures.


6) Assign your user to the Admin group.

Now let’s give your secure cloud user some powers. If you forget to do this step, your new user won’t actually be able to do anything.

Services > Security & Identity > IAM

Click on “Groups”

Click into the group that you created that contains the admin privileges.

Click “Add Users to Group”


Select your user (and any others you created), and click “Add Users”

7) Set up root with multi-factor authentication

Next, we need to set up multi-factor authentication for the root account.  Multi-factor authentication is one of the most important controls for ensuring cloud security.

Multi-factor authentication makes it even harder for attackers to compromise your account. A hacker would have to have your username, password, AND mobile phone to get access.

Services > Security & Identity > IAM, then select “Activate MFA on your root account”


If you have a smartphone (like iOS, Android, or Windows Mobile), use a virtual MFA device. This is an app on your phone that generates a code each time you log in. We like Authy, though Google Authenticator works too.

AWS will lead you through a wizard. You’ll need to install the app on your phone first before you proceed.

AWS will show you a QR code which you’ll scan within the app on your phone. Scan that code, and you’ll create a link between your phone and AWS. Your phone will show you a series of six-digit codes that change. To complete setup, enter one code, wait for it to change, then enter a second code.


8) Create a password policy

The last thing you want to do before logging out of root – set a password policy:


Here’s a screenshot that shows how we like to set it up, though your company policy may be different:


9) Get your log-in URL

Head on over to Services > Security & Identity > IAM

Take note of the log-in URL. From now on, you’ll need to log in there instead of the generic “amazon.com/aws” login. Maybe bookmark it?

Log out of root (click on your name in the upper right-hand corner), and head over to your new login URL. It’ll be something like http://###############.signin-aws.amazon.com/console


10) Log out of root, log in as you.

Head over to your new login page:


Enter your username and password, and you’re in!

11) Wait, something is missing!

Did you notice how you didn’t have to enter in your Multi Factor Authentication code? Cloud security fail!  That’s because you only set that up for root!

Now you need to set it up for your user. THIS IS THE FIRST THING YOU SHOULD DO, and the first thing any new user should do.

Head to Services > Security & Identity > IAM

Click into “Users” and then the user that needs MFA.

Click on the “Security Credentials” tab, then scroll down to “Manage MFA Device”


Follow the same process that you used for the root account.

12) Now let’s set up some other user accounts

This should be old hat by now.  You’re becoming a cloud security pro.  🙂

Services > Security & Identity > IAM

Click into “Users” and then add a user.

Make sure to keep track of those access keys!  You’ll need to communicate them later.

Also set up a new password for each user, and make them change it when they log in.

User > Security Credentials > Manage Password

13) Next, let’s force the users to set up multi-factor authentication

I like to create a group called “mfa-enforcement” that ONLY lets new users set up MFA.


Create a new group, but don’t attach any policies to it. For starters, this will be an empty group.

Next, click into the group you just created. Go to “Permissions” and then “click here” to create an inline policy.


Use the Policy Generator, set Effect to Allow.

Under AWS Service, pick “AWS Identity and Access Management.”


Under “Actions”, you’re going to see a ton of choices.  Here’s what to pick:

  • CreateVirtualMFADevice
  • DeactivateMFADevice
  • DeleteVirtualMFADevice
  • EnableMFADevice
  • ListMFADevices
  • ListVirtualMFADevices
  • ListUsers
  • ResyncMFADevice
  • GetUser
  • GetUserPolicy

One thing that’s tricky is the “Amazon Resource Name (ARN)” field.  Just put an asterisk in this field, and it will automatically apply to all users in all regions.


Click on “Add Statement” and then “Next Step.”

On the next page, click “Apply Policy”.

Now go to the Users tab and add the users to this new group. ALL it should let them do is log in and configure their MFA.
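The Policy Generator writes the choices above out as a JSON policy document, and it helps to know what that document looks like and to check it before applying it. The script below is an added example (it is not part of the original post or of any AWS tool): it builds the inline policy for the “mfa-enforcement” group from the ten actions listed, prints it in a form you can paste into the inline policy editor, and includes a small allow-only matcher so you can confirm that the policy grants the MFA actions and nothing else. The matcher is an assumption-level sanity check, not IAM’s real evaluator: it ignores Deny statements, Conditions and resource-level matching. The probe list of actions is constructed for the example.

```python
import fnmatch
import json

# The actions the post lists for the "mfa-enforcement" group. The Policy
# Generator prefixes each with the service name ("iam:") when it writes the
# statement, so that prefix is used here.
MFA_SETUP_ACTIONS = [
    "iam:CreateVirtualMFADevice",
    "iam:DeactivateMFADevice",
    "iam:DeleteVirtualMFADevice",
    "iam:EnableMFADevice",
    "iam:ListMFADevices",
    "iam:ListVirtualMFADevices",
    "iam:ListUsers",
    "iam:ResyncMFADevice",
    "iam:GetUser",
    "iam:GetUserPolicy",
]


def mfa_enforcement_policy(actions=MFA_SETUP_ACTIONS, resource="*"):
    """Build the inline policy document: one Allow statement over the given
    actions, applied to every resource (the asterisk the post tells you to
    put in the ARN field)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": list(actions), "Resource": resource}
        ],
    }


def policy_json(policy):
    """Serialize for pasting into the IAM inline policy editor."""
    return json.dumps(policy, indent=2)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action):
    """Minimal check of whether an action is granted by the Allow statements.
    IAM matches action names case-insensitively and treats '*' and '?' as
    wildcards; fnmatch does the same. Assumption: this is only a sanity check
    for small inline policies. It ignores Deny statements, Conditions and
    resource-level matching, all of which the real IAM evaluator applies."""
    wanted = action.lower()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt["Action"]):
            if fnmatch.fnmatchcase(wanted, pattern.lower()):
                return True
    return False


def granted_outside(policy, expected=MFA_SETUP_ACTIONS, probe=None):
    """Return probe actions that the policy grants but the expected list does
    not contain: a way to catch an over-broad wildcard before applying the
    policy. The default probe list is a constructed sample of IAM/S3 actions."""
    probe = probe or [
        "iam:CreateUser", "iam:AttachUserPolicy", "iam:CreateAccessKey",
        "iam:ListMFADevices", "iam:EnableMFADevice", "s3:ListAllMyBuckets",
    ]
    expected_lc = {a.lower() for a in expected}
    return [a for a in probe
            if is_allowed(policy, a) and a.lower() not in expected_lc]


if __name__ == "__main__":
    policy = mfa_enforcement_policy()
    print(policy_json(policy))
    print("EnableMFADevice allowed:", is_allowed(policy, "iam:EnableMFADevice"))
    print("CreateUser allowed:", is_allowed(policy, "iam:CreateUser"))
    print("extra grants:", granted_outside(policy))
    # A tempting shortcut, "iam:*", would let group members do far more than
    # set up MFA; the probe shows which unintended actions it opens up.
    print("wildcard extra grants:", granted_outside(mfa_enforcement_policy(["iam:*"])))
```

The explicit action list is the point of this group: `granted_outside` returns an empty list for it, while a wildcard such as `iam:*` lights up user-creation and access-key actions that a not-yet-enrolled user should never have.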

14) Release the hounds!

Now that you have your users set up, logging set up, and multi-factor authentication set up, you can safely start using Amazon Web Services!  Cloud security win!

There’s lots more to do.  Future articles will cover further logging, user management, and starting servers and storage securely.

Would you like help moving your business to the cloud?  Want to make sure your move is safe, secure, and HIPAA-compliant?  Talk with an Adelia Risk consultant to learn more.

Have questions or feedback? Please share them in the comments below!
