Performing tasks with root user credentials opens AWS to potentially catastrophic security vulnerabilities. Creating and managing access keys mitigates the risk.
Best practices for Amazon Web Services (AWS) dictate that you should not perform basic everyday tasks using the original root user credentials created when you first registered your AWS account. Root user credentials allow access to everything in your AWS system, without any restrictions, creating a potentially catastrophic security vulnerability.
One way to mitigate this risk is by creating an Identity and Access Management (IAM) user with administrative privileges. A second method for mitigating this security risk requires that you create new access keys for the root user and then delete the old access keys. Combining the generation of new access keys for the root user with the creation of administrative IAM users and groups is the most effective way to secure high-level AWS access.
This tutorial shows you how to generate new access keys for the root user using the AWS console. It also shows you how to delete the old access keys once new keys are generated.
Create an access key for the root user in AWS
To create an access key for the AWS root user, you will first have to log in to the AWS system using the root user credentials. If you typically use an administrative IAM user as is best practice, you may have to click the appropriate link to reach the correct login screen.
At the AWS console (Figure A), click on your account name to reveal a dropdown menu and select the My Security Credentials item.
You will likely see a warning message (Figure B) about using root user credentials that suggests using an administrative IAM user instead. For this situation, click the Continue button to proceed.
Click the down arrow on the Access keys section to expand it and note the warnings (Figure C). You are not able to retrieve existing secret access keys for the AWS root user account.
Click the Create New Access Key button and take note of the description (Figure D). You have this one opportunity to either view or download your access keys—miss this opportunity, and you will not be able to view or download them ever again.
The download file comes in the form of a .CSV, which can be read by Excel or a text editor. Be sure to save your root user access keys in a safe and secure place.
As you can see in Figure E, there is now an access key listed on the Credentials screen. From here you can delete the key when it is no longer in use or make it inactive if you prefer. Inactive keys can be reactivated when needed, eliminating the need to create new keys.
With an active set of access keys, a user can sign programmatic requests for AWS services. For example, when you write custom code to send HTTP requests to AWS, you need to include code to sign the requests with active access keys. Requests will be blocked without the signature—a simple but effective security measure.
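The signing step described above, as an added Python example (not AWS's SDK and not code from this article): a minimal Signature Version 4 signer using constructed placeholder credentials, a constructed IAM ListUsers request and a fixed timestamp. It shows that the secret access key is only ever used to derive a scoped signing key, and that any change to the signed request (here, the payload) invalidates the signature.

```python
import hashlib
import hmac

ALGORITHM = "AWS4-HMAC-SHA256"
# Constructed placeholder credentials for the example: not real keys.
ACCESS_KEY = "AKIAEXAMPLEPLACEHOLDER"
SECRET_KEY = "EXAMPLE-SECRET-ACCESS-KEY-PLACEHOLDER"

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()

def signing_key(secret_key: str, date: str, region: str, service: str) -> bytes:
    """Derive the scoped signing key; the long-term secret never leaves the client."""
    k_date = _hmac(("AWS4" + secret_key).encode("utf-8"), date)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")

def canonical_request(method, path, query, headers, payload: bytes) -> str:
    """Canonical form of the request; any change to it changes the signature."""
    lowered = {h.lower(): " ".join(v.split()) for h, v in headers.items()}
    names = sorted(lowered)
    canonical_headers = "".join(f"{n}:{lowered[n]}\n" for n in names)
    return "\n".join([method, path, query, canonical_headers, ";".join(names),
                      hashlib.sha256(payload).hexdigest()])

def sign_request(access_key, secret_key, region, service, method, path,
                 query, headers, payload: bytes, amz_date: str) -> dict:
    """Return the Authorization header value plus the intermediate values."""
    date = amz_date[:8]
    scope = f"{date}/{region}/{service}/aws4_request"
    hdrs = {**headers, "x-amz-date": amz_date}  # the date binds the signature
    creq = canonical_request(method, path, query, hdrs, payload)
    string_to_sign = "\n".join([ALGORITHM, amz_date, scope,
                                hashlib.sha256(creq.encode("utf-8")).hexdigest()])
    signature = hmac.new(signing_key(secret_key, date, region, service),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    signed = ";".join(sorted(h.lower() for h in hdrs))
    auth = (f"{ALGORITHM} Credential={access_key}/{scope}, "
            f"SignedHeaders={signed}, Signature={signature}")
    return {"authorization": auth, "signature": signature, "canonical_request": creq}

def sign_example_request(payload: bytes = b"") -> dict:
    """Sign a constructed IAM ListUsers request (fixed timestamp for repeatability)."""
    return sign_request(ACCESS_KEY, SECRET_KEY, "us-east-1", "iam", "GET", "/",
                        "Action=ListUsers&Version=2010-05-08",
                        {"Host": "iam.amazonaws.com"}, payload, "20150830T123600Z")
```

The returned `authorization` string is what a client places in the HTTP `Authorization` header; the service recomputes the same derivation on its side and rejects the request when the signatures differ.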