Securing your AWS root account with a YubiKey

When you create an AWS account, a default sign-in identity is also created and associated with the account, with full access to all of the AWS resources and services within it. This identity is known as the root user account and uses the email address and password you set when the account was created. Following AWS security best practices, you should use the root account only to create an IAM user account following the principle of least privilege, and reserve the root user account for emergency/last-resort scenarios. There are very few actions in AWS that require the root user account; they can be found here.

Additional security precautions should be taken to secure the AWS root user account. AWS now allows the use of a YubiKey security key (a hard token manufactured by Yubico) as a 2FA device for the root user account. The steps listed below walk you through adding multi-factor authentication to your root account:

Step 1: Log into the account as the root user. Once logged in, click the account name in the top right-hand corner of the screen and select “My Security Credentials” from the dropdown list. You should see a screen similar to the one below:

Step 2: Expand the multi-factor authentication section and click the “Activate MFA” button. A new window will pop up similar to the one below. Under the “Choose the type of MFA device to assign” options, select “U2F security key” and click Continue.

Step 3: Insert your U2F key as shown in the example below:

Step 4: If successful, you will see a “setup complete” message like so:

Step 5: To test the configuration, either log out and log back in using the YubiKey now associated with the root account, or open an incognito window and log in using the YubiKey for 2FA. The second option keeps your original session active while you test the new 2FA method, avoiding potential lockout issues.

That’s it! You should now have one of the most secure methods of multi-factor authentication associated with your root account. This same process can be followed to add a U2F hard token security key as the 2FA method for any IAM user account.
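A post-setup check, added here as an example and not part of the original post: parse the IAM credential report and list every console-capable identity, root included, whose `mfa_active` column is not `true`. The report text below is constructed and abbreviated to the columns the check needs; a real report comes from `aws iam generate-credential-report` followed by `aws iam get-credential-report`, whose `Content` field is base64-encoded CSV.

```python
"""Flag console identities in an IAM credential report that have no MFA device."""
import base64
import csv
import io

# Constructed sample report, abbreviated to the columns this check uses.
# 111122223333 is a placeholder account ID. Real reports carry many more
# columns (access key and signing certificate status, rotation dates, ...).
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,mfa_active
<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,not_supported,false
alice,arn:aws:iam::111122223333:user/alice,2021-03-04T12:00:00+00:00,true,true
bob,arn:aws:iam::111122223333:user/bob,2021-05-06T09:30:00+00:00,true,false
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,2022-07-08T08:00:00+00:00,false,false
"""


def decode_report(content_b64: str) -> str:
    """Decode the base64 'Content' field returned by get-credential-report."""
    return base64.b64decode(content_b64).decode("utf-8")


def users_without_mfa(report_csv: str) -> list[str]:
    """Return identities that can sign in to the console but have no active MFA.

    The root row reports password_enabled as 'not_supported' because root can
    always sign in with its password, so it is always treated as console-enabled.
    Users with password_enabled false (API-only identities) are skipped.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        is_root = row["user"] == "<root_account>"
        console_login = is_root or row["password_enabled"] == "true"
        if console_login and row["mfa_active"] != "true":
            findings.append(row["user"])
    return findings


def root_mfa_enabled(report_csv: str) -> bool:
    """True when the root account row shows an active MFA device."""
    return "<root_account>" not in users_without_mfa(report_csv)


if __name__ == "__main__":
    for user in users_without_mfa(SAMPLE_REPORT):
        print(f"console sign-in without MFA: {user}")
```

Run it against `decode_report(...)` of the real `Content` field; an empty result for root confirms the YubiKey enrolment above took effect.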