🔒 Beginner’s Guide to AWS IAM Hardening

⭐ Why I Built This Project (Part 1 — IAM Hardening)

Instead of studying cloud security concepts in isolation, I’m using real job descriptions as a roadmap and building hands-on projects that map directly to what employers expect in day-to-day cloud security roles.

When reviewing cloud security, cloud operations, and security engineering job postings, the same foundational skills appear repeatedly. This 6-part project series is designed to build those skills progressively through practical, portfolio-ready labs.

This series focuses on real-world responsibilities such as:

Identity hardening and MFA enforcement
IAM governance and access reviews
Continuous monitoring of cloud resources
Log analysis, audit readiness, and evidence gathering
Guardrails at scale using AWS Organizations and Service Control Policies (SCPs)

Each project emphasizes hands-on implementation, not just theory, and mirrors how security controls are applied in real AWS environments.

📌 Project Sequence Overview

👉 Part 1 — AWS IAM Hardening (this project)

Establishes a secure identity foundation by:

Securing the root account
Enforcing MFA
Strengthening password policies
Applying least-privilege access
Auditing identities using CloudTrail and credential reports

👉 Part 2 — Cloud Security Posture Management (CSPM)

Builds on the identity foundation by introducing:

AWS Security Hub and AWS Config
Misconfiguration detection
Posture evaluation against security standards
Enterprise-style governance patterns

🔐 Why This Progression Matters

Modern cloud security programs are layered by design:

Identity first → Posture second → Threat detection next.

Without a strong IAM foundation, posture management, threat detection, and incident response controls become far less effective. This first project intentionally focuses on IAM hardening to set the stage for everything that follows in the series.

A hands-on portfolio lab covering IAM hardening basics.

Introduction
What You’ll Build
Lab Setup
Step 1 — Create an IAM Admin User
Step 2 — Enable MFA for Root & Admin
Step 3 — Strengthen the IAM Password Policy
Step 4 — Create Billing & Finance Groups
Step 5 — Enforce MFA Using Service Control Policies (SCPs)
Step 6 — Validate MFA Enforcement
Step 7 — Configure & Verify CloudTrail
Step 8 — Inspect CloudTrail Logs in S3
Step 9 — Generate the IAM Credential Report
Step 10 — Before/After Hardening Comparison
Optional — Billing Conductor & Real-World Finance Modeling
Troubleshooting Guide
Cleanup to Avoid Charges
Credits

1. Introduction

AWS Identity and Access Management (IAM) is one of the most important skills for any cloud engineer or cloud security analyst.

In this beginner-friendly project, you’ll harden an AWS account using real cloud security techniques:

Multi‑Factor Authentication (MFA)
IAM Groups & Roles
Strong Password Policies
Service Control Policies (SCPs)
CloudTrail auditing
IAM Credential Reports
Billing & Finance Access Controls

This guide mixes friendly explanations and technical depth, perfect for beginners building a portfolio.

2. What You’ll Build

By the end of this lab, you will have:

A secured AWS root account
Admin users protected with MFA
Billing + Finance access modeled like a real company
An MFA-required SCP that blocks API calls without MFA
CloudTrail logging all management events
IAM Credential Reports showing weak vs hardened states
Before/after screenshots for your portfolio

3. Lab Setup

All you need:

AWS Free Tier account
A phone with an authenticator app
Browser
Optional spreadsheet for credential report review

4. Step 1 — Create an IAM Admin User

Never use the root account for daily operations.

Steps:

Go to IAM → Users → Create user
Name your admin user: test-admin1
Select Provide access to AWS Management Console
Assign to the Admin group
Keep password autogenerated

5. Step 2 — Enable MFA for Root & Admin

MFA increases login security dramatically.

Root account MFA:

Login as root
Go to IAM → Security Credentials
Add Virtual MFA
Use any authenticator app

Admin MFA:

Repeat the same steps under the user’s security credentials.

6. Step 3 — Strengthen the IAM Password Policy

Before hardening:

After hardening:

The improved settings:

14–character minimum
Require uppercase, lowercase, number, symbol
Expire passwords after 45 days
Prevent last 6 password reuse
Require admin reset

Note: You’ll find password policy in the IAM dashboard, under Account Settings.

7. Step 4 — Create Billing & Finance Groups

If you are a beginner (like me) using a standard user account, in AWS only the root user has access to customize billing.

To simulate a finance department, you may optionally use Billing Conductor:

Step-by-Step: Create the Billing Conductor Admin Group

Step 1 — Open IAM

Search IAM in the AWS Console

Step 2 — Create a new group

Click User groups → Create group
- BillingConductorAdmins

Step 3 — Attach Billing Conductor IAM Managed Policies

Search for and attach:
- AWSBillingConductorFullAccess
This AWS-managed policy includes:
- billingconductor:*
- Relevant IAM permissions to modify pricing rules, billing groups, pricing plans, etc.
- Full CRUD access for Billing Conductor resources

This is the correct and realistic choice for FinOps/Billing Engineers.

🧠 Quick Summary Table

Feature	AWS Billing	AWS Billing Conductor
Standard monthly bills	✔ Yes	✔ Yes (customized)
Cost Explorer	✔ Yes	❌ No
Budgets	✔ Yes	❌ No
Payment methods	✔ Yes	❌ No
Free-tier usage	✔ Yes	❌ No
Custom pricing/markups	❌ No	✔ Yes
Enterprise multi-account invoicing	❌ No	✔ Yes
Needed for your project?	✔ Yes	❌ No

8. Step 5 — Enforce MFA Using a Service Control Policy (SCP)

What SCPs actually do:

They do NOT block login
They DO block all AWS actions until MFA is used
They apply at the Organizations level

Enforcing MFA at Scale with AWS Organizations (Most Common Modern Method)

Step 1 — Create an AWS Organization

Free
Automatically designates your current account as the management account

Step 2 — Go to “Service Control Policies”

Turn SCPs ON

Step 3 — Create SCP: “Require-MFA-For-All-Actions”

Paste the JSON below.

Step 4 — Attach SCP to the Root OU

This enforces it for ALL accounts.

Step 5 — Test the Behavior

Sign in as a non-MFA user.
Try to open S3 → Access Denied
Try to use CLI → AccessDeniedException

Your MFA Enforcement SCP

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAllAPICallsWithoutMFA",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "BoolIfExists": {
          "aws:MultiFactorAuthPresent": "false"
        }
      }
    },
    {
      "Sid": "AllowMFASelfManagement",
      "Effect": "Allow",
      "Action": [
        "iam:ListUsers",
        "iam:GetUser",
        "iam:ListMFADevices",
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:ResyncMFADevice"
      ],
      "Resource": "*"
    }
  ]
}

Attaching the SCP

You must go to SCP → Targets → Attach
Then select Attach Policy → Root or the account(s) you want to apply the policy.

This is essential for activation.

9. Step 6 — Validate MFA Enforcement

You tested login without MFA:

Expected:

Login succeeds (AWS does not enforce MFA during login)
All actions fail once logged in

This is correct behavior.

10. Step 7 — Configure & Verify CloudTrail

Enable CloudTrail management events:

– 1. Open CloudTrail

AWS Console → search CloudTrail

– 2. Go to “Trails”

Left menu → Trails

– 3. Click “Create Trail”

Choose a Trail name. Example: iam-hardening-trail

Apply trail to all regions: ✔ Yes (recommended)
Management events: ✔ Read/Write
Data events: ❌ Off (not needed for this project)
Insight events: ❌ Off (optional)

– 4. Create (or select) an S3 Bucket

Let AWS auto-create it

Use an existing bucket; Example: cloudtrail-iam-hardening-logs-12345

– 5. Save

Your trail is now active.

Settings used:

Management Events: ON
Read Events: ON
Write Events: ON
No cost for first copy

11. Step 8 — Inspect CloudTrail Logs in S3

You correctly observed:

Logs appear immediately in S3
But object URL access is blocked by design
Even with CloudTrailReadOnly + SecurityAudit, S3 bucket policy must allow object access

12. Step 9 — Generate the IAM Credential Report

Before hardening:

After hardening:

AWS Timing Note

Credential Reports:

Are generated automatically every 4 hours
But can be requested manually
May not update instantly due to eventual consistency

Note: The above images represent user additions only. Users have been removed post project. This is a single account enterprise approach.

Users will need to login and activate / setup MFA

Never expose access keys

Be careful about exposing account info, immediately remove / disable accounts after testing

13. Step 10 — Before/After Hardening Comparison

You now have:

No unused access keys
MFA enabled
Strong password policies
SCP enforcing MFA
Billing access restricted
CloudTrail logging everything
Credential Report shows secure posture

Note: Your results may be different. I have existing test / project accounts.

14. Optional — Billing Conductor Overview

Billing Conductor is used to:

Group accounts for billing
Apply discounts/markups
Model finance departments

You tested pricing rule creation:

15. Troubleshooting Guide

❗ CloudTrail logs visible but cannot open object URL

Expected. Bucket policy blocks access.

❗ SCP attached but login not requiring MFA

Correct. SCP works at API level, not login.

❗ Credential report missing new users

Wait 5–20 minutes or re-request.

16. Cleanup to Avoid Costs

Delete CloudTrail trail
Delete S3 log bucket
Delete Billing Conductor rules
Remove test IAM users
Remove SCP
Remove MFA from test users
Remove IAM groups you created

17.🤝 Connect

If you enjoyed this article or you’re also learning DevOps, Linux, Security, or Cloud automation, I’d love to connect, share ideas, and learn.

💬 Feel free to reach out or follow my journey on 👉 LinkedIn