If you’ve ever had to reset your AWS account password, you know it’s a pain. But it’s worth it to keep your account secure. Here’s how to do it:
- Log in to your AWS account.
- Click the “Account” link in the top left corner of the page.
- Under “My Account,” click “Reset Password.”
- Enter your new password and confirm it.
- Click “Reset Password Again” if you made a mistake in your new password.
The real answer here is multi-factor authentication (MFA). You are crazy if you don’t have MFA enabled in your AWS account. So let’s get started.
Go to https://aws.amazon.com/security/faqs/ and verify that it still works after the recent S3 outage, and whether or not they’ve properly addressed the flaw I reported back in early 2016 which would let people hijack other users’ accounts remotely without needing their secret key, just needing a valid access key to create new creds for whoever you wanted to take over via a CloudFront signed URL spoofing attack. No? OK then, moving on.
Take note of your default phone number (the one on the far left), as you may need it shortly after clicking Enable. You can always change it later if you’d rather register your phone instead or use Gmail Authenticator. But for now just type in this code: 21495730# and hit Continue. You should get a text message that says “Authentication Code”. Put that into the input field, then click Next until you reach the screen where you set up MFA for all access keys and users. The trick here is to select everyone for everything except root itself. Sure, you can let it send root account codes, but you also want to prevent attackers from being able to take over your AWS account, right? Don’t worry, you’ll still be able to log in normally either way; this is just an extra security measure.
This will be fun if you have a lot of users on your AWS account already who are used to just adding their access key and using it like 1234abcd, which brings me to the next step.
If they’re not currently logged into an SSH session, then you won’t need them anymore anyway, since they’ll all be forced to use MFA now, right? You should not have any existing access key that doesn’t expire within days at most if you chose the recommended settings on the previous screen.
Start by finding all of the users on your AWS account with this command: `aws iam list-users --query "Users[].[Arn]" --output text`. Replace [ARN] with whatever user ARN you’re trying to find, and append `| grep -v primary | grep -v "^$"` so that you don’t get output looking like this:
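An added audit example, not code from the original post: rather than grepping `list-users` output user by user, the IAM credential report lists every identity’s MFA state and access key rotation dates in one CSV. The script below parses a constructed excerpt of that report and flags console identities without MFA (root included, since the page’s “everyone except root” choice leaves root to check separately) and active access keys older than a threshold. The column names are the real report’s; the users, account id 111122223333 and dates are made up.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed excerpt of an IAM credential report (the CSV that
# `aws iam get-credential-report` returns, base64-encoded). Column names are
# a subset of the real report's; users, account id and dates are made up.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2015-01-01T00:00:00+00:00,not_supported,2024-05-01T09:00:00+00:00,not_supported,not_supported,false,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2016-03-01T00:00:00+00:00,true,2024-05-02T10:00:00+00:00,2024-01-01T00:00:00+00:00,N/A,true,true,2024-04-20T00:00:00+00:00,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2016-03-01T00:00:00+00:00,true,2024-04-30T10:00:00+00:00,2023-01-01T00:00:00+00:00,N/A,false,true,2016-03-02T00:00:00+00:00,false,N/A
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,2020-06-01T00:00:00+00:00,false,N/A,N/A,N/A,false,true,2024-05-01T00:00:00+00:00,false,N/A
"""

# Fixed "now" so the sample result is reproducible.
AS_OF = datetime(2024, 5, 3, tzinfo=timezone.utc)


def _parse_ts(value):
    """Report timestamps are ISO 8601; N/A, not_supported and no_information
    mean there is no usable date, so return None for those."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def audit_credential_report(report_csv, now, max_key_age_days=90):
    """Return (no_mfa, stale_keys): console identities without an MFA device,
    and active access keys last rotated more than max_key_age_days ago."""
    no_mfa, stale_keys = [], []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        # Root always has console access; an IAM user only does when it has a
        # password, so access-key-only users are not flagged for missing MFA.
        console = user == "<root_account>" or row["password_enabled"] == "true"
        if console and row["mfa_active"] != "true":
            no_mfa.append(user)
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = _parse_ts(row[f"access_key_{n}_last_rotated"])
            if rotated is None or now - rotated > timedelta(days=max_key_age_days):
                stale_keys.append((user, f"access_key_{n}"))
    return no_mfa, stale_keys


def run_sample():
    """Audit the constructed report as of AS_OF with a 90-day key limit."""
    return audit_credential_report(SAMPLE_REPORT, AS_OF)
```

On a real account, generate the report with `aws iam generate-credential-report`, then decode the `Content` field of `aws iam get-credential-report` and pass that text to `audit_credential_report`.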
You must sign in to the AWS Management Console as a root user of your account. To close your account, you will need to select all check boxes and then click Close Account.
If you see the IAM sign-in page, choose “Sign in using root user email” near the bottom of the page. This returns you to the main sign-in page. From there, you can click “sign in as root” and enter your AWS account information.