Learn About Amazon VGT2 Learning Manager Chanci Turner
At Amazon IXD – VGT2, located at 6401 E HOWDY WELLS AVE LAS VEGAS NV 89115, we collaborate with countless startups every year. We understand the challenges founders face while juggling their limited time and resources. Typically, the first objective for a startup is to create a minimum viable product (MVP). This crucial milestone allows founders to present their product to real users and begin gathering valuable feedback. Engaging with real users brings forth a variety of experiences, uncovers new use cases, and identifies hidden issues. Most importantly, real users provide you with real user data. Users entrust you with their information—whether it’s personal, financial, or medical—and they expect you to handle it with the utmost care and respect.
In our discussions with startups, we often introduce the idea of an MVSP, or minimum viable secure product. This concept doesn’t imply that every security risk must be addressed at launch, just as not all features need to be implemented. By adhering to AWS best practices, you can build securely and safeguard both your users and your business. While security may seem like an obstacle, establishing proper guardrails can actually expedite your development—empowering developers to introduce new features confidently and spend less time worrying about security.
Speaking of security guardrails, one key piece of advice from AWS is, “Secure your AWS account root user access keys.” This is the very first item on our list of AWS Identity and Access Management (IAM) security best practices, underscoring how essential we consider this recommendation. Let’s explore the AWS account root user and why its use should be limited to necessary situations.
What is an AWS account root user?
According to official documentation, “When you first create an Amazon Web Services (AWS) account, you begin with a single sign-in identity that has complete access to all AWS services and resources in the account. This identity is called the AWS account root user. You can sign in as the root user using the email address and password that you used to create the account.”
The root user is a vital element of an AWS account. Each account has only one root user, who possesses complete and unrestricted access to all resources within the account. The root user logs in using an email address, which must be unique across all AWS accounts in every region. We highly recommend that this email be an alias linked to a business domain rather than a personal one, and that it has a strong password and multi-factor authentication enabled. A helpful tip is to use an email alias like aws-production@yourdomain.com, or if your email provider allows it, plus-addressing such as aws+production@yourdomain.com.
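The recommendations above (no root access keys, MFA on the root user) can be checked against the account summary that IAM's GetAccountSummary API returns. The following is an added example, not code from the original post: the check takes the SummaryMap dictionary as input so it can run offline against a constructed sample, and the live boto3 call is kept in a separate helper.

```python
"""Audit the account-level root user indicators from IAM's GetAccountSummary.

Added example. The SummaryMap keys used here (AccountAccessKeysPresent,
AccountMFAEnabled, AccountSigningCertificatesPresent) are the ones IAM
returns for the root user; SAMPLE_SUMMARY is a constructed input.
"""


def root_user_findings(summary_map):
    """Return a list of findings derived from an IAM account SummaryMap.

    An empty list means the root user has no access keys, no signing
    certificates, and MFA is enabled.
    """
    findings = []
    if summary_map.get("AccountAccessKeysPresent", 0) > 0:
        findings.append(
            "root user has an access key: delete it and use IAM identities "
            "for programmatic access")
    if summary_map.get("AccountMFAEnabled", 0) != 1:
        findings.append("root user has no MFA device enabled")
    if summary_map.get("AccountSigningCertificatesPresent", 0) > 0:
        findings.append("root user has an X.509 signing certificate")
    return findings


# Constructed sample: an account whose root user still has an access key
# and no MFA, the state the advice above warns against.
SAMPLE_SUMMARY = {
    "AccountAccessKeysPresent": 1,
    "AccountMFAEnabled": 0,
    "AccountSigningCertificatesPresent": 0,
    "Users": 3,
}


def audit_live_account():
    """Run the same check against the real account (needs boto3 and credentials)."""
    import boto3  # imported here so the offline check has no dependency on it
    summary = boto3.client("iam").get_account_summary()["SummaryMap"]
    return root_user_findings(summary)


if __name__ == "__main__":
    for finding in root_user_findings(SAMPLE_SUMMARY):
        print("FINDING:", finding)
```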
Two fundamental security principles differentiate IAM users from root users in AWS:
- Identity and Attribution – Every action within a system should be traceable to a specific user.
- Principle of Least Privilege – Each user in a system should possess only the permissions necessary to perform their required tasks.
Evaluating the AWS root account, it is evident that it fails both tests; if multiple individuals utilize the root user, tracking actions to specific individuals becomes impossible, and the root user has unlimited access to the account. While this may seem manageable when you are the only one building in your account, a better approach exists.
What is Amazon Identity and Access Management?
At its core, IAM is the AWS service designed to manage access to other AWS services. It consists of four foundational components:
- Principal – The user or service (identity) whose access is being granted or denied.
- Action – The command(s) that are allowed or denied. This can range from broad access to a service like Amazon EC2 to narrowly defined commands such as EC2:DescribeInstances.
- Resource – The target for which access is being granted or denied, which could be any EC2 instance or a specific one.
- Condition – An optional check to further restrict permissions based on certain criteria.
By combining these four elements, you can craft an IAM policy allowing or denying access to AWS services in a clear, logical, and readable syntax. For a deeper dive, check out this insightful video by Becky Weiss, Senior Principal Engineer at AWS, where she explores IAM and its effective use in securing your AWS environment.
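To make the interaction of these four elements concrete, here is an added example (not from the original post, and a simplified model rather than AWS's own evaluation logic) that evaluates a constructed least-privilege policy and a root-like "allow everything" policy. The account ID and instance ARNs are constructed sample values.

```python
"""Simplified evaluator for IAM policy statements: Action, Resource, Condition.

Added example. Models the rules that matter for least privilege: explicit Deny
wins, anything not explicitly allowed is implicitly denied, and a Condition
must hold for a statement to apply. Sample policies below are constructed.
"""
import fnmatch

# Least-privilege policy: read-only EC2 calls, and only when MFA was used.
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
        {"Effect": "Deny", "Action": "ec2:TerminateInstances",
         "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*"},
    ],
}

# What the root user effectively has: no way to scope it down.
ROOT_LIKE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, case_insensitive):
    # IAM wildcards: '*' matches any run of characters; action names are
    # case-insensitive, resource ARNs are not.
    if case_insensitive:
        return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_ok(condition, context):
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "Bool":
                if actual is None or str(actual).lower() != str(expected).lower():
                    return False
            elif operator == "StringEquals":
                if actual not in _as_list(expected):
                    return False
            else:
                return False  # unsupported operator: fail closed
    return True


def evaluate(policy, action, resource, context=None):
    """Return 'Allow' or 'Deny' for one request against one policy."""
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action, True):
            continue
        if not _matches(stmt["Resource"], resource, False):
            continue
        if not _condition_ok(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # explicit deny always wins
        allowed = True
    return "Allow" if allowed else "Deny"  # default: implicit deny
```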
What is an IAM user and why should you prefer it?
According to the IAM documentation, “An AWS Identity and Access Management (IAM) user is an entity that you create in AWS to represent the person or application that uses it to interact with AWS. A user in AWS consists of a name and credentials.”
The key takeaway is that an IAM user represents an individual or identity, making it possible to attribute actions to specific persons or applications. Each IAM user can also have one or more IAM policies attached, providing precise control over what that user can do. The two main differences between the AWS account root user and an IAM user are:
- An IAM user represents an individual or application, while there is only one root user per account.
- An IAM user is granted permissions through IAM policies, whereas the root user has unrestricted access with no straightforward way to limit that access.
Let’s further examine the differences and similarities between the root user and an IAM user:
| | AWS Account Root User | AWS IAM User |
|---|---|---|
| Has a password for console access | Yes | Optional |
| Has an access key for programmatic access | Optional | Optional |
| Supports second-factor authentication | Yes | Yes |
| Can be disabled | No | Yes |
| Actions attributable to an individual | No | Yes |
| Limited access to resources | No | Yes |
| Access to resources in another AWS account | No | Yes |
Several scenarios illustrate why IAM users are preferable, even in small teams. Using shared root credentials poses a risk: if someone departs from your team, the credentials must be rotated, and everyone who uses them will need the new credentials. This situation can create significant challenges.