Following Identity and Access Management Best Practices
Trusted Advisor includes two checks related to IAM for accounts without a support plan. They are the IAM Use check and the MFA on Root Account check. In this lab step, you will familiarize with both.
1. Scroll through the Security Checks until you locate the IAM Use check:
This check determines if your account has any IAM users. If there are no IAM users, the root account is used for all AWS actions. Because the root account is allowed to do almost anything, the best practice is to create IAM users with only the permissions they require. The Cloud Academy Lab environment has created the student IAM user that you signed in with. student's permissions include only the permissions needed to complete the Lab. Because the student is an IAM user, the Trusted Advisor detected no problems with this check.
2. Scroll through the Security Checks until you locate the MFA on Root Account check:
This check determines if multi-factor authentication (MFA) is enabled on the root account. MFA requires a factor in addition to the root password to authenticate. The check result recommends action because MFA has not been enabled on the root account. As previously mentioned, the root account can do almost anything and should be carefully controlled. You don't have access to the root account but you can enable MFA for the student account. A similar process would be used for the root account. The next Lab Step walks you through the process of enabling MFA on your student account. If you have not performed this task before you may want to try it. However, it is not required for subsequent Lab Steps and will not affect your Lab experience.
Note: The student user doesn't have permission to see the root account's settings. However, through Trusted Advisor a user can access information about your AWS environment they would not be able to access otherwise. It is important to be cautious when granting a user access to Trusted Advisor.
In this lab step, you reviewed the two Trusted Advisor security checks related to IAM. You won't be able to resolve the MFA on Root Account recommendation but can enable MFA on the student account in the next lab step if you choose to.