Secure Creation of Root Account and IAM Administrator User in AWS
Delegating with Security: The Initial Flow in AWS IAM
This diagram is not just a set of technical steps. It reflects how to start properly in AWS: with intention, with security, and by following best practices.
Everything begins with the Root user, the master access that should never be used for daily operations. We protect it with MFA because it is the most sensitive point. Then, we delegate. We create a user called IAM-Administrator, who will actually manage the environment. Separated from Root, with well-defined privileges, and also with MFA enabled. Because even the most privileged users must operate under double verification.
This diagram represents a conscious decision: it’s not just about connecting, but about delegating with confidence, protecting our account, and auditing with clarity.
A secure architecture begins not with commands, but with criteria.
IAM Lab: Secure Creation of Root Account and IAM Administrator User in AWS
🔐 Stage 1: Initial Setup of the Root Account
Step 1: Create a new Root account using a valid email.
https://signin.aws.amazon.com/signup?request_type=register
Step 2: Define secure credentials known only to the Root user.
Step 3: Select a payment plan (avoid the free plan to enable full access to services).
Step 4: Complete personal details for the Root account holder.
Step 5: Register a valid credit or debit card to activate the account.
Step 6: Verify identity via a code sent to the associated email.
Step 7: Once validated, access the billing console to confirm account activation.
🔐 Stage 2: Enabling MFA on the Root Account
Step 8: In the IAM console, notice the security alert recommending MFA activation. Select “Add MFA.”
Step 9: Choose the authentication method:
- Passkey or Security Key: A physical device connected via USB or NFC.
- Authenticator App: A mobile app (e.g., Google Authenticator) that generates temporary codes.
- Hardware TOTP Token: A physical key that displays one-time codes offline.
In this lab, we select Authenticator App.
Step 10: Scan the QR code with the Authenticator app and enter the temporary codes.
Step 11: Confirm successful MFA activation on the Root account.
👤 Stage 3: Creating the IAM Administrator User
Step 12: Create a new IAM user to delegate administration, following the principle of not operating directly with Root.
Step 13: Assign the name IAM-Administrator to the new user.
Step 14: Attach the AdministratorAccess policy, granting full permissions over AWS services.
Step 15: Add tags for traceability and governance, for example:
- Owner: Root
- Project: Administrator
- MFAEnabled: Yes
Step 16: Confirm successful creation of the IAM Administrator user.
In a later window, we will focus on the Administrator user.
🔑 Stage 4: Access and Configuration of the IAM Administrator User
Step 17: Sign in with the new IAM Administrator user.
Step 18: Set a secure password that complies with AWS guidelines.
Step 19: Confirm successful login with the new credentials.
Step 20: Access the IAM service to continue security configuration.
Step 21: Notice the alert recommending MFA activation for the IAM user.
Step 22: Repeat the MFA activation process using the Authenticator app.
Step 23: Scan the QR code and enter the generated temporary codes.
Step 24: Confirm successful MFA activation for the IAM Administrator user.
Step 25: Validate that the user complies with the established security policies.
Step 26: Verify that the IAM Administrator user was created correctly from the Root account and is ready to operate securely.
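Steps 25 and 26 verify the end state by hand in the console. The following Python script is an added example (not part of the original post) that checks the same facts from the IAM API values: root MFA enabled and no root access keys (Stage 2), an IAM-Administrator user with AdministratorAccess (Step 14), a registered MFA device (Step 24), and the three governance tags (Step 15). The check runs offline on constructed sample data shaped like the API responses; `fetch_live_state` is an assumed helper that needs boto3 and credentials to pull the real values.

```python
ADMIN_USER = "IAM-Administrator"
ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"
REQUIRED_TAGS = {"Owner": "Root", "Project": "Administrator", "MFAEnabled": "Yes"}


def check_lab_state(summary, attached_policies, mfa_devices, tags):
    """Return findings (empty list = compliant) from the raw IAM API values:
    GetAccountSummary.SummaryMap, ListAttachedUserPolicies.AttachedPolicies,
    ListMFADevices.MFADevices and ListUserTags.Tags for the admin user."""
    findings = []
    # Stage 2: root must have MFA; root access keys should not exist at all.
    if summary.get("AccountMFAEnabled") != 1:
        findings.append("root account has no MFA device")
    if summary.get("AccountAccessKeysPresent", 0) != 0:
        findings.append("root account still has access keys")
    # Stage 3: the delegated admin holds the AdministratorAccess managed policy.
    if ADMIN_POLICY_ARN not in {p["PolicyArn"] for p in attached_policies}:
        findings.append(f"{ADMIN_USER} lacks AdministratorAccess")
    # Stage 4: the admin user is behind MFA (a registered device, not the tag).
    if not mfa_devices:
        findings.append(f"{ADMIN_USER} has no MFA device")
    # Step 15: governance tags are present with the expected values.
    present = {t["Key"]: t["Value"] for t in tags}
    for key, value in REQUIRED_TAGS.items():
        if present.get(key) != value:
            findings.append(f"{ADMIN_USER} missing tag {key}={value}")
    return findings


def fetch_live_state(user=ADMIN_USER):
    """Pull the four inputs from a real account (needs boto3 and credentials)."""
    import boto3  # imported lazily so the offline check needs no extra package
    iam = boto3.client("iam")
    return (
        iam.get_account_summary()["SummaryMap"],
        iam.list_attached_user_policies(UserName=user)["AttachedPolicies"],
        iam.list_mfa_devices(UserName=user)["MFADevices"],
        iam.list_user_tags(UserName=user)["Tags"],
    )


# Constructed sample data shaped like the API responses, so the check runs offline
# (123456789012 is the AWS documentation placeholder account id, not a real account).
SAMPLE_OK = dict(
    summary={"AccountMFAEnabled": 1, "AccountAccessKeysPresent": 0},
    attached_policies=[{"PolicyName": "AdministratorAccess", "PolicyArn": ADMIN_POLICY_ARN}],
    mfa_devices=[{"UserName": ADMIN_USER, "SerialNumber": "arn:aws:iam::123456789012:mfa/IAM-Administrator"}],
    tags=[{"Key": k, "Value": v} for k, v in REQUIRED_TAGS.items()],
)
```

`check_lab_state(**SAMPLE_OK)` returns an empty list; against a live account, `check_lab_state(*fetch_live_state())` lists whichever lab steps were skipped.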
🧠 Final Reflection
This flow not only follows AWS security best practices, but also establishes a solid foundation for any cloud architecture.
Delegating, protecting, and tagging are actions that define a conscious architect.