Effective Amazon Machine Learning

Security

The e-mail and password you used to open an AWS account are called your root credentials. They give you root access to every AWS service, which means unlimited access to unlimited resources. Someone who obtains your root credentials without your knowledge could rack up a heavy bill and carry out all types of activities through your account in your name. It is highly recommended not to use this root access in your everyday operations with AWS and to set up your account with the highest security level possible.

Fortunately, AWS offers many ways to control and compartmentalize access to your AWS account through users, groups, roles, policies, passwords, and multi-factor authentication to reduce risks of unlawful access and fraud. Configuring and managing access to your account is done via the AWS Identity and Access Management (IAM) service. The IAM service is free of charge.

The IAM service allows you to create and configure all the access points to the different AWS services you plan to use. Having this level of granularity is important. You can restrict access by user, by service, by role, or even grant temporary access through time-limited tokens. Multi-factor authentication is another strongly recommended feature that you should enable to prevent unauthorized access to your AWS account.

In the context of this book, we will create a single user with unlimited access to only two services: Amazon ML and S3. We will extend this user's access to other AWS services as we need them in the following chapters.
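As an added example (not code from the book), the following Python sketch writes that user's permissions as an IAM policy document and checks that the policy grants nothing beyond Amazon ML and S3. The `Sid` labels and the helper names `as_list`, `services_allowed` and `excess_services` are assumptions made for this illustration.

```python
import json

# The single user described above: every action in Amazon ML and S3, nothing
# else. "machinelearning" and "s3" are the IAM action prefixes of the two
# services; the Sid labels are made up for this example.
BOOK_USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AmazonMLFullAccess", "Effect": "Allow",
         "Action": "machinelearning:*", "Resource": "*"},
        {"Sid": "S3FullAccess", "Effect": "Allow",
         "Action": ["s3:*"], "Resource": "*"},
    ],
}
ALLOWED_SERVICES = {"machinelearning", "s3"}


def as_list(value):
    """IAM accepts either one item or a list for Statement and Action."""
    return value if isinstance(value, list) else [value]


def services_allowed(policy):
    """Service prefixes granted by Allow statements; "*" means every service."""
    granted = set()
    for stmt in as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        if "NotAction" in stmt:
            granted.add("*")  # allows everything except the listed actions
            continue
        for action in as_list(stmt.get("Action", [])):
            # Action names are case-insensitive; a bare "*" covers all services
            granted.add("*" if action == "*" else action.split(":", 1)[0].lower())
    return granted


def excess_services(policy, allowed=ALLOWED_SERVICES):
    """Services granted beyond the intended scope; empty set means in scope."""
    return services_allowed(policy) - set(allowed)


if __name__ == "__main__":
    assert not excess_services(BOOK_USER_POLICY)
    print(json.dumps(BOOK_USER_POLICY, indent=2))  # JSON policy document
```

Running the same check again whenever the user's access is extended in later chapters shows exactly which additional services the policy has started to grant.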

We won't go through all the features offered by IAM here, but it's strongly recommended that you familiarize yourself with the IAM documentation and best practices (http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html).