Managing users in AWS

In Chapter 2, Deploying Your First Web Application, we created our first IAM user. We generated its access key and gave the user full access to the AWS account by assigning the Administrator access policy to that user.

This worked well, since we managed to get through most of the book using that user, but from a security standpoint, this setup raises a number of concerns:

  • There is no policy around enforcing the use of a strong password.
  • We didn't put our user in a group. On a small scale, that's fine, but if you ever expect to manage a bigger pool of AWS users, making your users part of groups and granting the permissions to the groups instead is a better pattern.
  • We turned on MFA to access the AWS console with our user, but the access key provides the same level of permissions and currently has no restriction.
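
The three concerns above can be checked mechanically. The following is an added example, not code from the book: it audits a constructed account snapshot (the snapshot layout, the `example-admin` user, and the `MIN_LENGTH` threshold are assumptions made for illustration) and reports each of the three gaps.

```python
# Constructed snapshot shaped like IAM API responses; every value is sample data.
SNAPSHOT = {
    "password_policy": None,  # None models "no account password policy set"
    "users": [{
        "UserName": "example-admin",
        "Groups": [],
        "AttachedPolicies": [{"PolicyName": "AdministratorAccess", "Document": {
            "Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}}],
    }],
}
MIN_LENGTH = 14  # assumed threshold for this example, not an AWS default


def requires_mfa(stmt):
    """True only for Bool aws:MultiFactorAuthPresent=true on the statement.

    BoolIfExists does not count: requests signed with a long-term access key
    carry no MFA key at all, so an IfExists test passes for them.
    """
    cond = stmt.get("Condition", {}).get("Bool", {})
    value = {k.lower(): v for k, v in cond.items()}.get("aws:multifactorauthpresent")
    return str(value).lower() == "true"


def allows_without_mfa(document):
    """Simplified: looks at Allow statements only, ignores separate Deny guards."""
    stmts = document["Statement"]
    stmts = stmts if isinstance(stmts, list) else [stmts]
    return any(s.get("Effect") == "Allow" and not requires_mfa(s) for s in stmts)


def audit(snapshot):
    """Return (subject, finding) pairs for the three concerns listed above."""
    findings = []
    policy = snapshot["password_policy"]
    if policy is None:
        findings.append(("account", "no password policy"))
    elif policy.get("MinimumPasswordLength", 0) < MIN_LENGTH:
        findings.append(("account", "weak password policy"))
    for user in snapshot["users"]:
        name, attached = user["UserName"], user["AttachedPolicies"]
        if attached and not user["Groups"]:
            findings.append((name, "permissions attached directly, no group"))
        if any(allows_without_mfa(p["Document"]) for p in attached):
            findings.append((name, "access key usable without MFA"))
    return findings


print(audit(SNAPSHOT))
```

The MFA check is deliberately conservative: it only inspects policies attached directly to the user and treats any `Allow` statement without a strict `Bool` MFA condition as a finding.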

We will address those three points, starting with creating a password policy.
