Accounts

After initially signing up for AWS, a default root account is created. AWS accounts function as containers for organizing and isolating cloud resources. For example, deployment environments, such as development, staging, and production, often utilize distinct AWS accounts. In addition, accounts act as a security boundary, ensuring only authorized users and systems can access particular cloud resources.


An AWS account has the following unique identifiers:

  • AWS Account ID: 12-digit unique ID
  • Canonical User ID: Obfuscated form of the account ID. Used when granting cross-account access to cloud resources.

The active account ID can be fetched from the Security Token Service (STS) with the following CLI command:

Command

aws sts get-caller-identity --query Account --output text

Output

123456789012

The command aws sts get-caller-identity fetches the identity the CLI is currently acting as, which includes the user ID, the account ID, and the user's Amazon Resource Name (ARN). The --query flag selects a particular field of the response to print and --output specifies the desired format (yaml, json, text, etc.).

The simplest way to fetch the canonical ID is via the Simple Storage Service (S3) API CLI command list-buckets, which reports the bucket owner's canonical ID alongside the bucket list (the caller needs the s3:ListAllMyBuckets permission).

Command

aws s3api list-buckets --query Owner.ID --output text

Output

79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be
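The identifiers above are worth checking programmatically: a script that provisions or tears down resources should refuse to run if the CLI's active credentials belong to a different account than the one it was written for. The following is an added example, not code from the original page, that parses a constructed get-caller-identity response (the UserId and ARN values are placeholders), validates the format of the account ID and canonical ID, and fails closed on a mismatch.

```sh
#!/bin/sh
# Added example, not part of the original page: extract the account
# identifiers from CLI output, validate their format, and refuse to run
# unless the active account is the one the script was written for.
# The JSON below is a constructed sample standing in for the live call
# `aws sts get-caller-identity`; the UserId and ARN values are placeholders.

SAMPLE_CALLER_IDENTITY='{
    "UserId": "AIDAEXAMPLEUSERID00000",
    "Account": "123456789012",
    "Arn": "arn:aws:iam::123456789012:user/example-user"
}'

# Constructed sample standing in for `aws s3api list-buckets --query Owner.ID`.
SAMPLE_CANONICAL_ID='79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be'

# account_id_from_identity JSON: print the "Account" field of a
# get-caller-identity response (plain sed, so no jq dependency).
account_id_from_identity() {
    printf '%s\n' "$1" | sed -n 's/.*"Account": *"\([0-9]*\)".*/\1/p' | head -n 1
}

# is_valid_account_id ID: account IDs are exactly 12 decimal digits.
is_valid_account_id() {
    printf '%s' "$1" | grep -Eq '^[0-9]{12}$'
}

# is_valid_canonical_id ID: canonical user IDs are 64 lowercase hex characters.
is_valid_canonical_id() {
    printf '%s' "$1" | grep -Eq '^[0-9a-f]{64}$'
}

# require_account EXPECTED JSON: succeed only when the identity response
# belongs to EXPECTED; otherwise report the mismatch and fail. Use this as a
# guard at the top of deployment or cleanup scripts so that credentials for
# the wrong environment (for example production instead of staging) are
# caught before any resource is touched.
require_account() {
    expected=$1
    actual=$(account_id_from_identity "$2")
    if ! is_valid_account_id "$actual"; then
        echo "could not read a valid account ID from the identity response" >&2
        return 1
    fi
    if [ "$actual" != "$expected" ]; then
        echo "refusing to continue: active account $actual, expected $expected" >&2
        return 1
    fi
    return 0
}

# live_caller_identity: the real call, used instead of the sample when the
# AWS CLI and credentials are available.
live_caller_identity() {
    aws sts get-caller-identity --output json
}

# Stand-alone run: guard against the constructed sample.
if require_account 123456789012 "$SAMPLE_CALLER_IDENTITY"; then
    echo "account check passed"
fi
is_valid_canonical_id "$SAMPLE_CANONICAL_ID" && echo "canonical ID format ok"
```

In a real script, replace the sample with `require_account "$EXPECTED_ACCOUNT" "$(live_caller_identity)"`; the expected account ID is best pinned per environment rather than read from the same credentials being checked.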

Subsections of Accounts

Account Alias

Account aliases are public-facing, globally unique labels used to simplify the console sign-in URL.

https://<account_alias>.signin.aws.amazon.com/console/

While the original sign-in URL https://<account_id>.signin.aws.amazon.com/console/ remains active, the account alias may provide a more user-friendly identifier. A single account may have multiple account aliases associated with it.

CLI Overview

Account aliases are managed through the Identity and Access Management (IAM) service and may be provisioned, listed, and deleted using the AWS CLI.

Example 1: Creating an Account Alias

Command

aws iam create-account-alias --account-alias techsquawks

Example 2: Listing Account Aliases

Command

aws iam list-account-aliases

Output

{
    "AccountAliases": [
        "techsquawks"
    ]
}

Example 3: Deleting an Account Alias

Command

aws iam delete-account-alias --account-alias techsquawks

Password Policy

Accounts may optionally be associated with a single password policy which dictates the minimum password complexity for account users, to avoid potentially weak passwords. Password policies consist of the following components:

  • AllowUsersToChangePassword: Boolean allowing users to change their own passwords from the AWS console. (Default value: false)
  • HardExpiry: Boolean indicating that users will be unable to reset their password via the AWS Console after their current password has expired. (Default value: false)
  • MaxPasswordAge: The number of days that a password is valid for, no less than 0 but not exceeding 1095 (with 0 indicating that the password never expires). (Default value: 0)
  • MinimumPasswordLength: The minimum number of password characters, no less than 6 but not exceeding 128. (Default value: 6)
  • PasswordReusePrevention: The number of previous passwords that account users are prevented from reusing.
  • RequireLowercaseCharacters: Boolean indicating that passwords must contain at least one lowercase character from the ISO basic Latin alphabet (a to z). (Default value: false)
  • RequireNumbers: Boolean indicating that passwords must contain at least one numeric character (0 to 9). (Default value: false)
  • RequireSymbols: Boolean indicating passwords must contain at least one of the following non-alphanumeric characters: ! @ # $ % ^ & * ( ) _ + - = [ ] { } | ' (Default value: false)
  • RequireUppercaseCharacters: Boolean indicating passwords must contain at least one uppercase character from the ISO basic Latin alphabet (A to Z). (Default value: false)

CLI Overview

Example 1: Creating/Updating Password Policy

See here for additional CLI arguments. Fields not specified in the arguments are set to their default values.

Command

aws iam update-account-password-policy

Example 2: Fetch Account Password Policy

Command

aws iam get-account-password-policy

Output

{
    "PasswordPolicy": {
        "MinimumPasswordLength": 6,
        "RequireSymbols": false,
        "RequireNumbers": false,
        "RequireUppercaseCharacters": false,
        "RequireLowercaseCharacters": false,
        "AllowUsersToChangePassword": false,
        "ExpirePasswords": false
    }
}
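The output above is the default policy, and every default is the permissive setting, so a practical check is to compare what get-account-password-policy returns against a baseline and flag each field that falls short. The following is an added example, not code from the original page: it audits two constructed policy documents (the page's default output and a hardened one) without a jq dependency, and includes the update-account-password-policy call that sets every field explicitly, since fields left unspecified revert to defaults. The baseline thresholds (14 characters, 24 remembered passwords, 90-day expiry) are assumptions chosen for illustration.

```sh
#!/bin/sh
# Added example, not part of the original page: audit the JSON returned by
# `aws iam get-account-password-policy` against a hardening baseline and,
# optionally, push that baseline with update-account-password-policy.
# The baseline thresholds are assumptions chosen for illustration; adjust
# them to your own standard.
BASELINE_MIN_LENGTH=14
BASELINE_REUSE_PREVENTION=24
BASELINE_MAX_AGE=90

# Constructed sample: the default policy, as printed on the page.
SAMPLE_DEFAULT_POLICY='{
    "PasswordPolicy": {
        "MinimumPasswordLength": 6,
        "RequireSymbols": false,
        "RequireNumbers": false,
        "RequireUppercaseCharacters": false,
        "RequireLowercaseCharacters": false,
        "AllowUsersToChangePassword": false,
        "ExpirePasswords": false
    }
}'

# Constructed sample: a policy that satisfies the baseline.
SAMPLE_HARDENED_POLICY='{
    "PasswordPolicy": {
        "MinimumPasswordLength": 14,
        "RequireSymbols": true,
        "RequireNumbers": true,
        "RequireUppercaseCharacters": true,
        "RequireLowercaseCharacters": true,
        "AllowUsersToChangePassword": true,
        "ExpirePasswords": true,
        "MaxPasswordAge": 90,
        "PasswordReusePrevention": 24
    }
}'

# policy_int JSON KEY: print KEY's integer value, or 0 when the key is absent
# (the API omits MaxPasswordAge and PasswordReusePrevention when unset).
policy_int() {
    val=$(printf '%s\n' "$1" | sed -n "s/.*\"$2\": *\([0-9][0-9]*\).*/\1/p" | head -n 1)
    printf '%s\n' "${val:-0}"
}

# policy_bool JSON KEY: succeed when KEY is true.
policy_bool() {
    printf '%s\n' "$1" | grep -q "\"$2\": *true"
}

# audit_password_policy JSON: print one finding per line; the return code is
# the number of findings, so 0 means the policy meets the baseline.
audit_password_policy() {
    json=$1
    findings=0
    if [ "$(policy_int "$json" MinimumPasswordLength)" -lt "$BASELINE_MIN_LENGTH" ]; then
        echo "MinimumPasswordLength is below $BASELINE_MIN_LENGTH"
        findings=$((findings + 1))
    fi
    for key in RequireUppercaseCharacters RequireLowercaseCharacters RequireNumbers RequireSymbols; do
        if ! policy_bool "$json" "$key"; then
            echo "$key is not enabled"
            findings=$((findings + 1))
        fi
    done
    if [ "$(policy_int "$json" PasswordReusePrevention)" -lt "$BASELINE_REUSE_PREVENTION" ]; then
        echo "PasswordReusePrevention is below $BASELINE_REUSE_PREVENTION"
        findings=$((findings + 1))
    fi
    age=$(policy_int "$json" MaxPasswordAge)
    if [ "$age" -eq 0 ] || [ "$age" -gt "$BASELINE_MAX_AGE" ]; then
        echo "MaxPasswordAge is unset (never expires) or above $BASELINE_MAX_AGE days"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# apply_baseline_policy: write the baseline with the CLI. Run only with
# credentials for the intended account; unspecified fields revert to defaults,
# so every field that matters is set explicitly here.
apply_baseline_policy() {
    aws iam update-account-password-policy \
        --minimum-password-length "$BASELINE_MIN_LENGTH" \
        --require-uppercase-characters --require-lowercase-characters \
        --require-numbers --require-symbols \
        --allow-users-to-change-password \
        --password-reuse-prevention "$BASELINE_REUSE_PREVENTION" \
        --max-password-age "$BASELINE_MAX_AGE"
}

# Stand-alone run: audit the constructed default policy.
if audit_password_policy "$SAMPLE_DEFAULT_POLICY"; then
    echo "policy meets the baseline"
else
    echo "policy needs hardening; review the findings above"
fi
```

Against the default policy the audit reports seven findings (length, the four character-class requirements, reuse prevention, and expiry); against a live account, feed it `"$(aws iam get-account-password-policy --output json)"` instead of the sample. Note that get-account-password-policy returns an error rather than a document when no policy exists at all, which is itself a finding.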

Example 3: Deleting Account Password Policy

Command

aws iam delete-account-password-policy