MFA on Root Account: Create a User on AWS and Register MFA

AWS Identity and Access Management (IAM) is a web service that enables you to securely control access to AWS resources. With IAM, you can centrally manage the permissions that control which AWS resources users can access, and you can control who is authenticated (signed in) and authorized (has permissions) to use those resources. This article will discuss “MFA on Root Account: Create a User on AWS and Register MFA”. Please see Microsoft Azure Multi-Factor Authentication (MFA), and how to “Roll out Multi-factor Authentication – Recommendations”.
Note: If you have not used AWS for a while, specifically since mid-2021, a lot has changed since then. Kindly take a look at how IAM users were managed in the past.
The New IAM Identity Center!
You must have noticed that the creation of IAM users that access the AWS console changed to being managed in Identity Center instead of regular IAM. This transition occurred gradually, starting in mid-2021. Previously, individual IAM users were created directly in IAM and assigned permissions to access the AWS Management Console.
Now, Identity Center acts as a central point of administration and user management. When Identity Center is set up, IAM users are no longer created directly in IAM. Instead, workforce identities such as users and groups are brought into Identity Center from an identity provider like AWS Directory Service, Microsoft AD or Okta. I will show you how all of this is done in a future article.
The regular IAM behaviour has changed a few times over the years. Some key changes include the following. In October 2020, newer API actions were introduced for IAM Identity Center authorisation. Instances created before this date continue to support both the old and new API actions, while instances created after it only support the newer actions.
Similarly, in November 2023 some IAM Identity Center API operations were renamed. Instances created before this date support both the old and new names, while newer instances only support the new names.
Also, see the steps to create “Profiles for your AWS Access Credentials for AWS Toolkit in Visual Studio”, and “What you need to know before integrating on-premise AD with Azure Active Directory and MFA”.
How are IAM Permissions managed?
Permissions are managed through Identity Center using permission sets that determine which AWS accounts and services a user or group can access. Identity Center also acts as the single sign-on point to provide consolidated access to assigned AWS accounts and other cloud applications.
This change provided a more centralized and streamlined workflow for managing access across multiple AWS accounts and other services. It allowed leveraging existing identity stores and assigning permissions at the group level for easier administration.
Why Protect the Root Account?
This is done to enhance the security of your root user credentials. AWS recommends activating multi-factor authentication (MFA) for your AWS account, because the root user can perform sensitive operations in your account. Adding an additional layer of authentication helps secure your account.
Here are some interesting articles: How to Disable Automatic Opening of Previous Files in Notepad on Windows 11, how to Enable or Disable hibernation: How to fix the missing fast startup option on Windows, and how to Make Your Taskbar Completely Transparent on Windows 11.
Configure MFA on the Root Account
From the AWS Management Console, click on All Services and, under Security, Identity and Compliance, click on IAM as shown below.
Note: You need to sign in to the AWS Management Console using the account root user credentials.

As you can see below, there is already an MFA warning. To mitigate this, we would have to add an MFA device to the root account. Click on Add MFA.

On the Select MFA device page, choose any option you like. I will be going with the first option. Click Next to continue.

If you have the option of scanning a QR code, click on Show QR code and scan it to proceed with the setup. You can also set it up using the secret key: click on Show secret key, copy the key, and set up the MFA device with it.
You will then have to provide two consecutive MFA codes and click on Assign MFA. This will set up the MFA device.
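To make the "two consecutive MFA codes" step concrete, here is an added Python example (not code from the original article or from AWS) that implements the TOTP algorithm (RFC 6238) that virtual MFA apps compute from the base32 secret key, and checks that two submitted codes belong to consecutive 30-second windows, which is what an enrollment step like this one is verifying. The secret used is the RFC 6238 test key, not a real AWS secret, and the acceptable clock skew is an assumption.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 test secret ("12345678901234567890" in base32); constructed for the demo,
# not a real AWS virtual MFA secret.
RFC_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    raw = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(raw + "=" * (-len(raw) % 8))  # re-add any stripped padding
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret_b32, unix_time // step, digits)


def verify_enrollment(secret_b32: str, first_code: str, second_code: str,
                      unix_time: int, step: int = 30, skew: int = 1) -> bool:
    """Enrollment-style check: the two codes must come from consecutive windows
    (n, n+1), with the pair located within +/- `skew` windows of the server's
    current window (skew of one window is an assumed policy). Order matters:
    a second code that is older than the first is rejected."""
    now_window = unix_time // step
    for n in range(now_window - skew - 1, now_window + skew + 1):
        if (hmac.compare_digest(hotp(secret_b32, n), first_code)
                and hmac.compare_digest(hotp(secret_b32, n + 1), second_code)):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    first, second = totp(RFC_TEST_SECRET, now), totp(RFC_TEST_SECRET, now + 30)
    print("current code:", first, "next code:", second)
    print("enrollment accepted:", verify_enrollment(RFC_TEST_SECRET, first, second, now + 30))
```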

Create an IAM User Account in AWS
If you remember, AWS recommends creating an IAM user with console access via Identity Center. Let’s see what happens when you try to create an AWS console user via IAM instead of IAM Identity Center.
Note: These steps can be used to create a programmatic IAM user. I will show you those steps in the future when we start working with access keys; therefore, we will not be creating access keys now. It is worth pointing out that AWS Identity and Access Management (IAM) is a feature of your AWS account offered at no additional charge. To learn more, I would advise you to take a look at this AWS documentation.
If you want to create access keys, you could do this from here. From the AWS Management Console, click on Users.

As we have mentioned numerous times above, you could create a user with console access directly from IAM, but now you can only do this for programmatic access. To see the current behaviour, click on Create user from the IAM service.

As you can see below, AWS recommends that you use Identity Center to provide console access for your users. With Identity Center, you can centrally manage user access to their AWS accounts and cloud applications. Click Next to proceed.
As you can see, you will be redirected to Identity Center.
Click on Manage in Identity Center.

Create an IAM User via AWS Identity Center
AWS IAM Identity Center, previously known as AWS Single Sign-On, is the recommended AWS service for managing human user access to AWS resources. It is a single place where you can give your workforce users, also known as workforce identities, consistent access to multiple AWS accounts and applications.
Note: The main difference between the two is that IAM users are granted long-term credentials to your AWS resources, while users in IAM Identity Center have temporary credentials that are established each time the user signs in to AWS.
As a best practice, require human users to use federation with an identity provider to access AWS using temporary credentials instead of as an IAM user. A primary use for IAM users is to give workloads that cannot use IAM roles the ability to make programmatic requests to AWS services using the API or CLI.
Enable IAM Identity Center
When you are redirected to, or otherwise access, IAM Identity Center, you will be required to enable the service. Click Enable. Note: You will have to sign in to the AWS Management Console as the account owner (root user) in order to be able to enable this service.

Note: AWS Organizations supports IAM Identity Center in only one AWS Region at a time. To enable IAM Identity Center in this Region, you must first delete the current IAM Identity Center configuration in the US East (N. Virginia) Region. AWS Organizations is available to all AWS customers at no additional charge.
Select Enable with AWS Organizations, and click Continue.

Optional: Confirm Identity Source
If you wish to change the identity source, do this from here. You have to select the right region.
Note: AWS Organizations supports IAM Identity Center in only one AWS Region at a time. To enable IAM Identity Center in this Region, you must first delete the current IAM Identity Center configuration you have created in a different Region.

At the moment, I do not want to switch the identity source. I am fine with the default IAM Identity Center directory. You can learn more from this guide.

Create an IAM User
To do this, click on Add User as shown below.

I am not interested in creating a group at the moment. I will click Next to proceed.

Enter the User details as shown below.

Review the entered details and click Next.

As you can see below, the user has been created with temporary credentials.

As mentioned above, assigning MFA to protect your IAM accounts is a good security practice.

Register MFA
To do this, click Register MFA device.

Select Authenticator app and click Next. You are free to choose a security key instead.

Reveal the QR code or secret key and enter the authenticator code as required. When done, click on Assign MFA.

The image below shows that the authenticator app has been assigned.

As you can see below, this IAM user now has MFA registered to further protect his/her account.

As you can see, the security recommendations are all green.
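Beyond the console's green checks, the same two points covered in this article (MFA on the root user, and MFA on any IAM user that can sign in to the console) can be verified from the IAM credential report, the CSV that `aws iam generate-credential-report` followed by `aws iam get-credential-report` produces. The Python below is an added example, not code from the original article or from AWS; the report text is a constructed sample using AWS's documentation placeholder account ID, and the severities are my own labels.

```python
import csv
import io

# Constructed sample in the layout of an IAM credential report (a subset of its
# columns). Account id 111122223333 is AWS's documentation placeholder, not a real account.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,not_supported,2024-01-01T10:00:00+00:00,not_supported,not_supported,false,true,false
alice,arn:aws:iam::111122223333:user/alice,2023-05-01T00:00:00+00:00,true,2024-01-02T10:00:00+00:00,2023-05-01T00:00:00+00:00,N/A,true,false,false
bob,arn:aws:iam::111122223333:user/bob,2023-06-01T00:00:00+00:00,true,no_information,2023-06-01T00:00:00+00:00,N/A,false,false,false
ci-bot,arn:aws:iam::111122223333:user/ci-bot,2023-07-01T00:00:00+00:00,false,no_information,N/A,N/A,false,true,false
"""


def audit_mfa(report_csv: str) -> list:
    """Return a list of findings for the root user and console-enabled IAM users.

    Root shows up as <root_account> with password_enabled = not_supported, so its
    mfa_active column is the check that matters. A user with password_enabled = false
    is programmatic-only (access keys) and is not expected to carry MFA here.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        mfa = row["mfa_active"] == "true"
        console = row["password_enabled"] == "true"
        keys = (row["access_key_1_active"] == "true"
                or row["access_key_2_active"] == "true")
        if user == "<root_account>":
            if not mfa:
                findings.append("CRITICAL root: MFA not enabled")
            if keys:  # root should never hold long-lived access keys
                findings.append("HIGH root: active access key present")
        elif console and not mfa:
            findings.append(f"HIGH {user}: console password without MFA")
    return findings


if __name__ == "__main__":
    for finding in audit_mfa(SAMPLE_REPORT):
        print(finding)
```

Feed it the decoded `Content` field of the real report to run it against your own account.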

I hope you found this article useful on “MFA on Root Account: Create a User on AWS and Register MFA”. Please feel free to leave a comment below.
