AWS hands-on documentation change
Summary
Entire module content replaced with a brief note about multiple AWS accounts managed through AWS Organizations, including a link to external documentation.
Security assessment
The change replaces detailed security instructions with a simplified reference to external documentation. While the referenced documentation contains security content, the change itself doesn't address any specific vulnerability or weakness.
Diff
diff --git a/hands-on/latest/setup-environment/module-two.md b/hands-on/latest/setup-environment/module-two.md index 6a9d7fc93..6750e7c9b 100644 --- a//hands-on/latest/setup-environment/module-two.md +++ b//hands-on/latest/setup-environment/module-two.md @@ -7 +7 @@ -OverviewImplementationConclusion +Overview @@ -9,11 +9 @@ OverviewImplementationConclusion -# Module 2: Secure Your AWS Account - -**Time to complete** | 15 minutes ----|--- -**Module requirements** | - - * An internet browser - * An AWS account - - -**Get help** | [Troubleshooting IAM issues](https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html) +# Module 2: (Optional) For Multiple AWS Accounts Managed Through AWS Organizations @@ -23,534 +13 @@ OverviewImplementationConclusion -When you create an AWS account, a root user is created automatically for your account. The root user is a special entity that has full access to the account, and can perform all actions, including changing the payment methods or closing the account. When you sign-in using the root user you have complete access to all AWS service and resources in the account. Due to this level of permissions, we recommend that you: - - * Enable additional security for the root user with multi-factor authentication - - * Set up additional users to perform daily tasks related to your account - - - - -AWS has two identity services: - - * [AWS Identity and Access Management (IAM)](https://aws.amazon.com/iam/). This service provides access control policies and manages long-term users like the root user. If you create users in IAM, those users have long-term access credentials. As a security best practice, it is recommended that you minimize the use of long-term credentials in AWS. In this tutorial you will not create an IAM user. - - * [AWS IAM Identity Center](https://aws.amazon.com/iam/identity-center/). This service provides temporary credentials that are granted each time a user signs in for a session. It can integrate with any existing identity providers you might already have, like Microsoft Active Directory or Okta, so that your users can use the same sign on for AWS as they use for other services in your organization. If you don't have another identity provider, you can create users in IAM Identity Center. This is the recommended way to create additional users for your AWS account and is the method we will walk through in this tutorial. - - - - -## Implementation - -The AWS account root user is accessed by signing in with the email address and password that you used to create the account. - - 1. Open the console - -Sign in to the [AWS Management Console.](https://aws.amazon.com/console/) - - 2. Sign in as root user - -Select **Root user** or **Sign in using root user email** (may be one of the two forms due to browser caching), and enter the email address you specified when you created your account and then choose **Next**. - - - - 3. Enter your password - -On the sign-in page, enter your **password** , and choose **Sign in**. - - - - 4. Complete verification - -You may need to confirm your identity. - -Enter the **code** sent to the root user email, and choose **Verify and continue**. - - - - - - -#### Congratulations - -You have just signed in to the AWS Management Console as your root user. But you don’t want to use your root user for everyday tasks. The root user should only be used for specific account management tasks, two of which we are going to do in the next part of this tutorial. - - * Enable MFA for the root user - - * Create an administrative user in IAM Identity Center - - - - -For the complete list of tasks that require you to sign in as the root user, see [Tasks that require root user credentials](https://docs.aws.amazon.com/accounts/latest/reference/root-user-tasks.html). - -To help keep your root user credentials secure, we strongly recommend that you enable multi-factor authentication (MFA) for your root user sign-in. When you enable MFA, in addition to providing the email address and password for the root user you will also provide credentials from another authenticator, making it much more difficult for someone to use your root user credentials without your permission. - -To add more security to the root user sign-in, you will use the AWS Identity and Access Management (IAM) service. For more information, see [What is IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html)? - - 1. View security credentials - -On the right side of the navigation bar, choose your account name, and choose **Security credentials**. If necessary, choose **Continue to Security credentials**. - - - - 2. Add an MFA device - -In the **Multi-factor authentication** section, choose **Assign MFA device**. - - - - 3. Select an authenticator app - -On the Register MFA device page, name the **Device** , choose the **Authenticator app** option, and then choose **Next**. - -**Tip:** You need a mobile device or hardware device to enable MFA. Find out how to get a [free MFA security key from AWS](https://aws.amazon.com/security/amazon-security-initiatives/free-mfa-security-key/). - - - - 4. Set up your MFA device - -Set up the **Authenticator app** on your mobile device. - -Several different authenticator apps are supported for both Android and iOS devices. See the **Virtual authenticator apps** section on the [Multi-Factor Authentication (MFA) for IAM](https://aws.amazon.com/iam/features/mfa/?audit=2019q1) page for a list of supported apps and links to their download locations. - - 1. **Open** the authenticator app on your mobile device. - - 2. Select the **Show QR code** link to show a unique QR code for your account. If you can't scan the QR code, select the **Show secret key** link to display a text key that you can enter into the Authenticator app to identify your account. - -Either **scan** the QR code with your authenticator app or **enter** the code in your authenticator app to **link** your authenticator device to your account. - - 3. After your authenticator has established the link to your account, it will start generating secret codes that are good for a limited number of seconds. In **MFA code 1** , type the code you see in the app. Wait for that code to change to the next code, then type that code in **MFA code 2** , then select **Add MFA** before the second code has expired. - -You are returned to the **Security credentials** page. A notification message is displayed at the top that states the MFA device is assigned. - -Your root user credentials are now more secure. - - - - 5. Verify MFA setup - -You are returned to the **Security credentials** page. A notification message is displayed at the top that states the MFA device is assigned. - -Your root user credentials are now more secure. - - - - - - -It is considered a security best practice to not use your root account for everyday tasks, but right now you only have a root user. In this tutorial, we will use IAM Identity Center to create an administrative user. We are using IAM Identity Center because it provides users with unique credentials for every session, also known as temporary credentials. Providing users these credentials results in enhanced security for your AWS account, because they are generated each time the user signs in. Once you have an administrative user, you can sign in with that user to create additional Identity Center users and assign them to groups with permissions to perform specific job functions. Another benefit to creating users in IAM Identity Center is that the users are automatically granted access to the the [AWS Billing and Cost Management console](https://us-east-1.console.aws.amazon.com/billing/home?region=us-east-1#/). - -For more information about billing, see the [AWS Billing and Cost Management](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-what-is.html) user guide. - -This section of the tutorial has the following steps: - - * Enable IAM Identity Center - - * Add users - - * Add users to groups - - * Configure your identity source - - * Create an administrative permission set - - * Sign in to the AWS access portal with your administrative credentials - - - - - 1. Open the IAM Identity Center console - -In the search bar, enter ****IAM Identity Center**** , and then select **IAM Identity Center**. - - - - 2. Enable IAM Identity Center - -The **IAM Identity Center service** overview page opens. Review the information to learn about the features of the IAM Identity Center service. - -In the **Enable IAM Identity Center** , select **Enable**. - - - - 3. Enable AWS Organizations - -When you enable IAM Identity Center you also need to enable AWS Organizations. AWS Organizations lets you organize multiple AWS accounts so that you can have separate AWS accounts for different use cases. AWS Organizations is a feature of your AWS account offered at no additional charge. - -Choose **Enable**. - - * The root user is now the management account for the AWS Organization. - - * At this point, AWS Organizations sends a verification email to the root user. Verifying your root user account allows you to invite other accounts to become members of your organization, so you don't need to verify your account before continuing with this tutorial. For more information about account management, see the [AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html) user guide. - -###### Note - -The verification link is only valid for 24 hours, so if you wait longer than that to verify the email address, you will need to resend the verification email. For more information about how to do this, see [Email address verification](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org_create.html#about-email-verification). - - - - - - -Your identity source is where your users and groups are managed. After you configure your identity source, you can look up users or groups to grant them single sign-on access to AWS accounts, cloud applications, or both. - -When you enable IAM Identity Center for the first time, it is automatically configured with an IAM Identity Center directory as your default identity source. [Learn more about identity sources.](https://docs.aws.amazon.com/console/singlesignon/manage-your-identity-source) - -Complete the following steps to create a user in IAM Identity Center. - - 1. Open the IAM Identity Center console -