DEV Community: Rian Brooks-Kane

How to Centrally Manage AWS Root Access: Best Practices for Enhanced Security and Governance

Rian Brooks-Kane — Sat, 18 Jan 2025 05:48:16 +0000

Do you manage more than one AWS account? If you’re following AWS’s best practices for multi-account design, chances are you have several accounts—all managed under an AWS Organisation. You’ve likely gone into each account to configure a strong password and enable Multi-Factor Authentication (MFA), guided by alerts from AWS Security Hub.

This approach, however, can become unwieldy and time-consuming, especially when provisioning new accounts.

Fortunately, AWS has introduced new features to make this process centralised, automated, and more secure.

💡 What is AWS Root Access, Root Account, or Root User?

It’s simply the email address you used to create your AWS account. This account has unrestricted access to all resources and settings, making it critical to manage securely.

Introducing AWS’s New Centralised Root Access Management Capability

By leveraging AWS Organisations, we can now centrally secure the root user credentials across all AWS accounts within the organisation. This new capability enables us to:

Eliminate root user credentials in member accounts, removing the risk of long-term privileged credentials.
Streamline the creation of secure AWS accounts from the outset, avoiding the need to configure a password and MFA for each new account.
Prevent the "forgot password" recovery flow for root users, stopping unauthorised attempts to gain access to the account.
Use a single root user and MFA key for all accounts, simplifying management and enhancing security.

How to Centralise Root Access Management

To enable centralised root access management, follow these steps:

Log in to your AWS organisation’s management account (the top level account in your AWS organisation).
Go to the IAM Dashboard and then Root access management

Click Enable

For Capabilities , enable both Root credentials management and Privilege root accounts in member accounts.

While optional, I highly recommend enabling this step. It allows you to designate a second AWS account (another root user) to have delegated access to manage centralised root access controls.

For this, select a security-focused account or the account where you typically manage administrative functions. This adds an extra layer of security and redundancy, ensuring your centralised controls remain accessible even if there’s an issue with the primary account.

Click Enable

Now that everything is enabled, if you want to change any of the settings that you configured, you can do this from the Account Settings page.

Actions Available with Root Access Management

After enabling Root Access Management, you can perform privileged actions on your member root accounts. As this is a new feature, the available actions are currently limited, but AWS plans to expand these options in the future.

💡 Before the introduction of the Root Access Management feature, these actions required logging in with the root user credentials directly. Now, with centralised delegated access, they can be performed securely without needing to use the root credentials.

At the time of writing, the following actions are supported:

Delete S3 Bucket Policy: If an S3 bucket policy is misconfigured and denies access to users within your account, the root account can delete this policy to restore access.
Delete SQS Queue Policy: Similar to S3 bucket policies, this allows you to delete misconfigured SQS Queue policies that block access.
Delete Root User Credentials: Remove the root user credentials from an account, eliminating the risk associated with long-term privileged credentials.

Deleting Root User Credentials

On the Root Access Management console, locate the account for which you want to remove the root user credentials. Then, select Take Privileged Action.

Select Delete Root User Credentials. You’ll be provided with a report showing whether the root console password or access keys have been used. Once you’ve reviewed the report, click Delete Root User Credentials.

The console will now indicate that this account no longer has root user credentials present.

Repeat this process for each remaining account until the root user credentials have been removed from all member accounts.

Things to know

Here are a few important things to know about Root Access Management.

New AWS Accounts

When you create new accounts through AWS Organisations, they will automatically be created without root user credentials and will be managed by Root Access Management.

Root User Access

If you need to perform an action that requires root user access in a member account, you can temporarily enable Allow Password Recovery for the account using the Take Privileged Action menu. This will allow you to initiate a password reset request, which will send a reset email to the root account’s registered email address. Its also recommended that you delete the Root User Credentials once your done.

Security Hub

It’s worth noting that Security Hub’s findings and best practices haven’t been updated to recognise this feature yet. As a result, you may still see alerts about the root user account not having MFA enabled.

Final Thoughts on Root Access Management

Centralised Root Access Management simplifies and secures AWS root access across all your accounts. By enabling these features, you eliminate long-term root credentials, streamline account creation, and can perform privileged actions without using the root user account. It’s a small step that delivers significant security and management benefits and well worth implementing today.

Photo by Jason Mavrommatis / Unsplash

How to use Amazon Web Services for Free

Rian Brooks-Kane — Sun, 15 Dec 2024 08:13:00 +0000

Now, I don’t often get asked in the corporate world, “How can I use AWS for free?” (although it has happened), but it’s a question that occasionally comes up at user groups, events, and within the builder community. And it’s a good one! The truth is, you can use AWS for free—at least to a certain extent—but there are a few important rules and limitations you’ll need to understand to make the most of it. Whether you’re a beginner exploring cloud services or an experienced developer looking to test new features, the AWS Free Tier is an excellent way to get started without spending a cent.

What is the AWS Free Tier?

This is where things can get a bit confusing from the start—AWS actually has three types of "free tiers":

1) 12-Months Free

For 12 months (starting from the creation of the AWS account), free usage of specific service usage. Some examples of this today include:

750 Hours of Amazon EC2 per month
5 GB of standard storage Amazon S3
30 GB of Amazon Elastic Block Storage

If you exceed the free usage quotas or your 12-month period ends, standard pay-as-you-go rates apply.

🔗 You can see a list of the specific service usage included under the 12-Months Free tier here.

2) Always Free

Available to both existing and new AWS accounts, this specific service usage is free indefinitely. Some examples of this today include:

25 GB of DynamoDB
1 Million AWS Lambda requests
1 TB of data transfer out with Amazon CloudFront

If you can create a workload that fits within these limits, you will never incur a cost for these services.

🔗 You can see a list of the specific service usage included under the Always Free tier here.

3) Trials

AWS offers short-term free trials for specific services, which start when you first use the service. These trials are ideal for testing new features or services before committing to long-term use. Some examples of this today include:

750 Hours per month, for 90 days of Amazon Lightsail
30 days of Amazon Macie
30 days of Amazon GuardDuty

🔗 You can see a list of the specific service usage available as a Free Trial here.

Devil in the detail

One of the most common pitfalls with the AWS Free Tier is not paying close attention to the details. It’s not unusual to see posts on Reddit from someone who’s received a surprise bill despite believing they were safely within the Free Tier limits.

Take the 750 hours of Amazon EC2 usage per month for the first 12 months as an example. Sounds fantastic, right? And it is—but it comes with some important "rules" that you need to be aware of:

Instance Type and Operating System Restrictions : The free tier only applies to t2.micro or t3.micro instances running on Linux, RHEL, SLES, or Windows. If you launch a different instance type or use an unsupported operating system, those costs will fall outside the Free Tier, and you’ll be billed accordingly.
Multiple Services in Use : Here’s where things get a bit tricky, particularly for those new to AWS: the service you’re using is often made up of multiple underlying services.
- While the Free Tier provides 750 hours of EC2 usage , it doesn’t automatically include storage.
- Fortunately, the Free Tier includes 30 GB of Amazon Elastic Block Storage (EBS). However, if your storage exceeds 30 GB or you use additional EBS features—such as more than 1 GB of snapshots—you’re no longer covered under the Free Tier and will start incurring costs.

💡 Before you create or launch a service, take a moment to understand all the components that make up the service and whether each is covered under the Free Tier. This small step can save you from unpleasant surprises when the bill arrives.

AWS Free Tier and AWS Organizations

A common question I get in the corporate world is: How do the AWS Free Tiers work within an AWS Organisation? Especially for things like lab and sandbox accounts. Here’s how it works:

Single Account Eligibility : Only one account within the AWS Organization can benefit from the Free Tier offers (The Management Account).
Aggregated Usage : Usage across all accounts in the AWS Organization is aggregated under consolidated billing. This means that the combined usage of all member accounts counts towards the Free Tier limits.
Eligibility Start Date : The Free Tier eligibility for all member accounts begins on the day the management account is created. If the management account’s Free Tier period has expired, none of the member accounts will be eligible for Free Tier benefits, even if they’re newly created.

Tips to Stay within the Free Tier

Here are some good ways to stay within the Free Tier and reduce the chance of getting a unexpected bill.

Monitor your usage

AWS provides an excellent dashboard to help you track your Free Tier usage. You can find it in the Billing and Cost Management console under Cost and Usage Analysis. This tool is a great way for ensuring you stay within your Free Tier limits and avoid unexpected charges.

🔗 You can access the Free Tier usage dashboard directly via this link: AWS Free Tier Usage Dashboard.

Alerts

There are two good built in ways to get usage alerts for the Free Tier.

AWS Free Tier Usage Alerts

AWS automatically notifies you when you exceed 85 percent of your Free Tier limit for each service. However, it’s a good idea to check that this feature is enabled in your account. Here’s how to do it:

Open the Billing Console : Go to the AWS Management Console and navigate to the Billing console.
Access Billing Preferences : Under User Preferences , click Billing preferences.
Edit Alert Preferences : Look for the Alert Preferences section and click Edit.
Enable Free Tier Alerts : Ensure the option Receive AWS Free Tier alerts is enabled.

💡 You can also specify an email address different from your root account email. I'd recommended this to ensure Free Tier notifications don’t get lost in other account-related emails.

AWS Budgets

In addition to Free Tier usage alerts, i'd recommended to configure AWS Budgets to notify you if you start incurring costs. You can easily do this using the Zero Spend Budget template. Here’s how:

Open the Billing Console : Go to the AWS Management Console and navigate to the Billing console.
Navigate to Budgets : In the navigation pane, select Budgets.
Create a Budget :
- Click Create a budget.
- Select Use a template and choose the Zero Spend Budget template.
- Enter your preferred email address for receiving alerts.
- Click Create budget.

By setting up a Zero Spend Budget, you’ll be alerted if you exceed your Free Tier and start spending money.

💡 It’s important to note that there can be a delay between when charges are incurred and when you receive a notification. This delay occurs due to how AWS billing operates, meaning it’s possible to accrue additional charges before the alert reaches you.

Final Thoughts

The AWS Free Tier is a fantastic way to explore AWS, experiment with new ideas, learn and even run small-scale workloads without spending a cent. However, like any powerful tool, it comes with rules and limitations that you need to understand to avoid surprises. Don't be that next post on Reddit!

Cover Photo by Fabian Blank / Unsplash