In AWS, a user is an identity, for a person or for a program, that can sign in and perform actions in an AWS account.
When you create an AWS account, the email address you sign up with becomes the root user of the AWS account. So when you log into your AWS Management Console using your email address and password, you are logging in as the root user.
This root user has unrestricted access to everything in your account. No IAM policy can take permissions away from it (only an AWS Organizations service control policy applied to a member account can restrict it), so in most cases whatever the root user tries to do, it is allowed to do.
And with great power comes great responsibility (or something like that).
On top of enabling multi-factor authentication for the root user (we show you what that means below), we strongly recommend that you do not use the root user for your everyday tasks, even the administrative ones. There are really only a few actions that require root user access, such as changing the account's email address or root password, or closing the account.
In the exercise you do later, you will learn how to create an IAM user, and use that to log into your AWS account instead of using the root user.
IAM (Identity and Access Management) users are like sub-users or team members of the AWS account. They have their own usernames and passwords, and they can only do what the IAM policies attached to them allow.
Using IAM users (instead of your root user) is a great idea for your day to day work on AWS. A new IAM user has no permissions at all until you attach a policy, so you can grant only what the task actually needs (least privilege). That limits the damage from a mistake or from a stolen credential.
When you create an AWS account and first log in to the account, you use single-factor authentication. Single-factor authentication is the simplest and most common form of authentication. It only requires one authentication method. In this case, you use a user name and password to authenticate as the AWS root user. Other forms of single-factor authentication include a PIN or a hardware security token used on its own.
However, sometimes a user’s password is easy to guess.
For example, your coworker Bob’s password, IloveCats222, might be easy for someone who knows Bob personally to guess, because it’s a combination of information that is easy to remember and includes certain facts about Bob (Bob loves cats, and his birthday is February 22).
If a bad actor guessed or cracked Bob's password, whether by social engineering, by trying leaked passwords, or with brute-force scripts, Bob would lose control of his account.
Unfortunately, this is a common scenario that users of any website face. This is why using multi-factor authentication (MFA) is important in preventing unwanted account access.
MFA requires two or more independent authentication factors to verify an identity: typically something you know (a password), something you have (a phone app or hardware key) and something you are (a fingerprint).
Combining factors gives a layered approach to account access. So even if the first factor, like Bob's password, is cracked by a malicious actor, the second factor, such as a one-time code from an authenticator app or a fingerprint, still stands in the way. This extra layer of security can help protect your most important accounts, which is why you should activate MFA on your AWS root user.
The root user has complete access to all AWS services and resources in your account, including your billing and personal information.
You should securely lock away the credentials associated with the root user and not use the root user for everyday tasks.
To ensure the safety of the root user:
*Access keys in AWS are long-term credentials made of an access key ID and a secret access key. They are not used to sign in to the console (that is what your password and MFA are for); programs and scripts use them to sign AWS API calls. Anyone holding the root user's access keys has the root user's full permissions without needing the password or passing MFA, so if the root user has access keys, delete them and use IAM identities for programmatic access. Otherwise a leaked key can lead to a complete account takeover and unauthorised changes.
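The three root-user checks above (MFA enabled, no access keys, not used for everyday sign-ins) plus the MFA-on-every-console-user rule can all be read off the IAM credential report, which you fetch with `aws iam generate-credential-report` followed by `aws iam get-credential-report --query Content --output text | base64 -d`. The script below is an added example, not part of the original page or AWS tooling; it audits a credential report in that CSV format and returns findings. The report embedded in it is constructed (the account ID, names and timestamps are made up) so it runs offline; point `audit_credential_report` at your own report to audit a real account.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the column layout of an IAM credential report.
# Account ID 123456789012, users and timestamps are invented for this example.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2024-01-10T09:00:00+00:00,not_supported,2024-06-01T08:12:44+00:00,not_supported,not_supported,false,true,2024-01-10T09:05:00+00:00,2024-05-30T16:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2024-02-01T10:00:00+00:00,true,2024-06-02T07:30:00+00:00,2024-02-01T10:00:00+00:00,2024-05-02T10:00:00+00:00,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2024-02-01T10:05:00+00:00,true,2024-06-03T09:00:00+00:00,2024-02-01T10:05:00+00:00,2024-05-02T10:05:00+00:00,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,2024-03-01T12:00:00+00:00,false,N/A,N/A,N/A,false,true,2024-03-01T12:01:00+00:00,2024-06-04T11:00:00+00:00,eu-west-1,ecr,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

ROOT_USER = "<root_account>"          # how the report names the root user
NO_VALUE = {"N/A", "no_information", "not_supported"}


def _parse_time(value: str):
    """Report timestamps are ISO 8601 with offset; placeholders become None."""
    return None if value in NO_VALUE else datetime.fromisoformat(value)


def audit_credential_report(report_csv: str, now: datetime, recent_days: int = 30):
    """Return a list of (principal, finding) tuples for a credential report."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        name = row["user"]
        keys_active = any(row[f"access_key_{i}_active"] == "true" for i in (1, 2))
        if name == ROOT_USER:
            if row["mfa_active"] != "true":
                findings.append((name, "root user has no MFA device enabled"))
            if keys_active:
                findings.append((name, "root user has an active access key; delete it"))
            last_used = _parse_time(row["password_last_used"])
            if last_used and now - last_used <= timedelta(days=recent_days):
                findings.append((name, f"root user signed in on {last_used.date()}; "
                                       "use an IAM identity for everyday work"))
        elif row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((name, "console sign-in enabled without MFA"))
    return findings


def run_sample_audit():
    """Audit the constructed report at a fixed 'now' so results are reproducible."""
    return audit_credential_report(SAMPLE_REPORT, datetime(2024, 6, 15, tzinfo=timezone.utc))


if __name__ == "__main__":
    for principal, finding in run_sample_audit():
        print(f"{principal}: {finding}")
```

On the sample, the root user trips all three root checks and `bob` is flagged for a console password without MFA; `alice` (MFA on) and `deploy-bot` (no console password, access key only) produce no findings. The script does not judge `deploy-bot`'s long-lived access key; that is a separate question of key rotation and of whether an IAM role would serve better.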