Setting up your AWS Account, the right way

Harriet Ryder
10 min read · Jan 16, 2019


Start building in the Cloud by setting up an AWS account

This is a guide for anyone who’s new to AWS and wants to set up their account — and be sure they’ve done it the right way. I originally wrote it as part of this tutorial on How to host a Gatsby website on S3 with a custom domain name and SSL, but figured it might be useful (and long enough!) for a standalone post.

We will:

  • 1️⃣ Sign up with AWS
  • 2️⃣ Set up an IAM Group for admin Users
  • 3️⃣ Add an IAM User to the admin Group
  • 4️⃣ Install the Command Line Interface
  • 5️⃣ Decide on a default region
  • 6️⃣ Set up our credentials for the Command Line Interface
  • 7️⃣ Make sure we are able to use an SDK
  • 8️⃣ Follow AWS’s guidelines for protecting your account
  • 9️⃣ Set up an account alias
  • 🔟 Set up billing alerts

1️⃣ Sign up: First of all Sign Up with AWS here and follow the steps to create your account. It will ask for billing details, which you will have to enter. However, nothing we do during this guide will cost any money. It’s up to you whether you go on to spend any money with AWS — lots of its services are free, many will cost no more than pennies for hobbyist use, and a huge range of services fall under a “free tier” where new and existing users get a certain amount of use of some services for free. See more details on the free tier here.

2️⃣ Create an IAM Group for Admin Users: You have just created what’s called a “root user”. This is the user that is created when you first create your AWS account. It automatically has permission to do anything on AWS, which is great, but because it’s such a privileged account we want to make sure we protect it at all costs. If you ever lost access to your root user account (I actually did this with my first AWS account, it was extremely annoying) you would not be able to recover your entire AWS account. Imagine if you actually had important infrastructure running in there.

So we’re basically never going to use the root user again, although make sure you keep its login information safely somewhere.

We’re going to create another User who has access to the AWS account, and you’ll log in with that User instead. Trust me, it’s just the right thing to do.

On AWS, we have concepts of Users, Roles, Groups and Policies.

Policies are documents that describe permissions. For example, the “Administrator Access” policy describes the ability to do basically everything on AWS. When you create a User, you can attach a policy (or more than one) to the User, and that’s how you control what that User can do.

Even better, rather than attaching policies directly to a User, we can create a Group, attach the policies to the Group, and then anyone in the group will automatically get those permissions. This is definitely recommended if you are going to be creating users for more than 1 person in a team.

Users belong to a Group; a policy document is attached to the Group

To create an admin Group, search for the service called IAM (Identity and Access Management).

Searching for the IAM service

Select Groups on the sidebar, give your group a name such as ‘admin’ and when asked to select a Policy, search for the policy of AdministratorAccess. This will give anyone we add to this group full access to AWS. If you are planning to create users for people other than yourself, you should think twice before making them an admin. Ideally you should give them the least privilege possible to allow them to do their jobs, and no more.

Locating the AdministratorAccess Policy

Once done, click Next and Create Group.
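To make the gap between AdministratorAccess and least privilege concrete, here is an added example (not part of the original post) that checks a policy document for over-broad Allow statements. The bucket name example-site-bucket, the siteDeployer policy and the auditPolicy function are hypothetical names made up for illustration.

```javascript
// Added example: flag IAM policy statements that grant far more than a job needs.
// The bucket name and the siteDeployer policy are constructed for illustration.
const toArray = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

// Content of the AWS-managed AdministratorAccess policy: every action, every resource.
const administratorAccess = {
  Version: '2012-10-17',
  Statement: [{ Effect: 'Allow', Action: '*', Resource: '*' }],
};

// Constructed least-privilege alternative for someone who only deploys a static site.
const siteDeployer = {
  Version: '2012-10-17',
  Statement: [
    { Effect: 'Allow', Action: 's3:ListBucket', Resource: 'arn:aws:s3:::example-site-bucket' },
    {
      Effect: 'Allow',
      Action: ['s3:PutObject', 's3:GetObject', 's3:DeleteObject'],
      Resource: 'arn:aws:s3:::example-site-bucket/*',
    },
  ],
};

// Returns one finding per Allow statement that relies on broad wildcards.
function auditPolicy(policy) {
  const findings = [];
  toArray(policy.Statement).forEach((stmt, index) => {
    if (stmt.Effect !== 'Allow') return; // Deny statements only take access away
    const actions = toArray(stmt.Action);
    const anyResource = toArray(stmt.Resource).includes('*');
    if (stmt.NotAction !== undefined) {
      findings.push({ index, issue: 'Allow with NotAction grants everything except the listed actions' });
    }
    if (actions.includes('*')) {
      findings.push({ index, issue: anyResource ? 'full admin: every action on every resource' : 'every action allowed' });
      return;
    }
    const wide = actions.filter((a) => a.endsWith(':*'));
    if (wide.length > 0 && anyResource) {
      findings.push({ index, issue: `whole service on every resource: ${wide.join(', ')}` });
    }
  });
  return findings;
}

console.log('AdministratorAccess:', auditPolicy(administratorAccess));
console.log('siteDeployer:', auditPolicy(siteDeployer));
```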

Optional: By default, only the root user has access to the Billing Dashboard. It could be useful to grant your admin users access to it so you don’t have to keep logging in as root — if you want to do this, there’s a good AWS tutorial on how to add Billing permission to a group.

3️⃣ Creating an IAM User to add to the group

Now it’s time to add a user for yourself to the group of admins. Select Users from the sidebar, select Create New User and enter your name. Select programmatic and console access, meaning the user will be able to log in to the dashboard AND will be provided credentials so they can interact with AWS through its command line interface or through an SDK.

Selecting Programmatic and Console access

Choose a password for the user (or let AWS create one), and on the next page add them to the admin group that you just created, and then finalise creating the user. There is no need to add tags at this point.

On the final page you will be presented with the option to download a credentials file. This file contains your password — if you selected an automatically generated password you’ll find out what it is in here. It also contains an Access Key ID and a Secret Key. We need to use these values for interacting with AWS via its CLI or SDK, which we’ll configure in the next step.

Download your credentials before leaving this page

4️⃣ Install the Command Line Interface

To interact with AWS you can either use the console, which is what you’ve been using to create the Group and the User, the command line, or via code. Some things can only be done via the command line, and some things are simply much easier done this way.

In this step we’ll install the Command Line Interface for AWS.

Installing the CLI has a few steps, and can depend on your operating system, so I recommend following the official AWS guide on the subject. Note that you’ll need Python installed as a prerequisite. I would recommend scrolling to the bottom of the page and following the detailed instructions for your specific operating system.

Once you have installed the CLI, close and re-open your terminal and try running

$ aws --version

If it says that the aws command cannot be found, you will need to follow the instructions on the AWS guide to Add the AWS CLI Executable to your Command Line Path.

On the other hand, if the command prints something like this:

aws-cli/1.11.81 Python/3.6.1 Darwin/17.7.0 botocore/1.5.44

Then you have installed the CLI correctly.

The CLI basically lets you do anything you can do on the web interface, via the terminal. And more! The docs on the CLI are pretty extensive — check out the list of services you can interact with here. For any given service, you have all sorts of commands that you can use. For example, the list of things we can do with the IAM service is listed on the IAM page of the docs. You can then read about further options for all of the commands.

A simple command you can try is:

$ aws iam list-groups

You would expect it to list that Group we just created, but instead it tells us:

Unable to locate credentials. You can configure credentials by running "aws configure".

To actually use the CLI, we need to configure it.

But first, let’s quickly decide what our “default region” should be.

5️⃣ Decide on a default region

I’m not planning to go into AWS Regions and Availability Zones here, but in short, if you create any services on AWS you’ll generally have to decide where in the world you want them physically to live. This could be, say, Ireland or Tokyo or Beijing. In principle, closer to your clients is generally better, to save on latency. If you are in need of specific services it might be worth checking out Amazon’s list of offerings available in each region, just in case the service you want isn’t available where you are.

A pretty fun tool is Cloudping, which tells you the latency between where you are, and AWS’s various datacenters!

Anywhere in Europe is looking pretty good for me!

Anyway there’s no need to overthink it — you can always change your mind later. But it does save a bit of time if we set a default region when we configure the CLI, so we don’t have to keep entering it later on.

Each Region has a kind of reference code, such as “eu-west-1” which is Ireland. Find the code for your desired region by looking at the “region” column in this table.

6️⃣ Set up our credentials for the Command Line Interface

With a default region in mind, run $ aws configure, like it says, and paste in your Access Key and Secret Access Key from the file you downloaded. Type the region you decided on in the previous step. You can leave the default output format for now.

Adding your Access Key and Secret Access Key

N.B. I have deleted these credentials — there is no way I would share them on the internet otherwise!

N.B.2 You can deactivate/delete your keys any time via the IAM dashboard, and you can generate new ones if you lose them or worry they have been compromised. You should not keep old keys lying around — if nobody is using them, delete them.

This command will have created 2 files: ~/.aws/config and ~/.aws/credentials in which are listed your access keys, and your default region. This is what you need to actually start using the CLI. The CLI will automatically look in these two files when you run any command with it. The credentials are used to gain access to your AWS account, and the config file specifies any other defaults that the CLI might be interested in.

If you run $ aws iam list-groups again, the output this time should be something like this, showing the admin Group we created earlier.

{
    "Groups": [
        {
            "Path": "/",
            "GroupName": "admin",
            "GroupId": "AGPAJG6XQYWZQ7EAGMS3K",
            "Arn": "arn:aws:iam::674027929103:group/admin",
            "CreateDate": "2018-11-29T07:31:25Z"
        }
    ]
}

Hooray, the CLI is now properly configured! 🎉
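With the CLI working, the advice above about not keeping old keys lying around can be turned into a routine check. The following is an added example, not part of the original post: it reviews key metadata in the shape returned by `aws iam list-access-keys` and `aws iam get-access-key-last-used`. The user names, key IDs and dates are constructed placeholders, and the 90-day idle threshold and the reviewAccessKeys function are assumptions.

```javascript
// Added example: decide which access keys to keep, deactivate or delete.
// All sample data is constructed; the 90-day idle threshold is an assumption.
const DAY_MS = 24 * 60 * 60 * 1000;

// Entries shaped like AccessKeyMetadata[] from `aws iam list-access-keys`.
const sampleKeys = [
  { UserName: 'alice', AccessKeyId: 'AKIAEXAMPLEKEY000001', Status: 'Active', CreateDate: '2018-11-29T07:40:00Z' },
  { UserName: 'alice', AccessKeyId: 'AKIAEXAMPLEKEY000002', Status: 'Active', CreateDate: '2018-06-01T09:00:00Z' },
  { UserName: 'bob', AccessKeyId: 'AKIAEXAMPLEKEY000003', Status: 'Inactive', CreateDate: '2018-01-15T12:00:00Z' },
  { UserName: 'bob', AccessKeyId: 'AKIAEXAMPLEKEY000004', Status: 'Active', CreateDate: '2019-01-10T08:00:00Z' },
];

// Keyed by AccessKeyId, shaped like AccessKeyLastUsed from
// `aws iam get-access-key-last-used`. A never-used key has no LastUsedDate.
const sampleLastUsed = {
  AKIAEXAMPLEKEY000001: { LastUsedDate: '2019-01-15T10:00:00Z', ServiceName: 'iam', Region: 'us-east-1' },
  AKIAEXAMPLEKEY000002: { ServiceName: 'N/A', Region: 'N/A' },
  AKIAEXAMPLEKEY000003: { LastUsedDate: '2018-03-01T10:00:00Z', ServiceName: 's3', Region: 'eu-west-1' },
  AKIAEXAMPLEKEY000004: { ServiceName: 'N/A', Region: 'N/A' },
};

function reviewAccessKeys(keys, lastUsedById, now = new Date(), maxIdleDays = 90) {
  return keys.map((key) => {
    const lastUsed = (lastUsedById[key.AccessKeyId] || {}).LastUsedDate;
    // Idle time counts from the last use, or from creation if the key was never used.
    const idleDays = Math.floor((now - new Date(lastUsed || key.CreateDate)) / DAY_MS);
    let action = 'keep';
    let reason = `${lastUsed ? 'used' : 'created'} ${idleDays} day(s) ago`;
    if (key.Status === 'Inactive') {
      action = 'delete';
      reason = 'already deactivated, so nothing can be relying on it';
    } else if (idleDays > maxIdleDays) {
      action = 'deactivate';
      reason = lastUsed
        ? `not used for ${idleDays} days`
        : `never used in the ${idleDays} days since it was created`;
    }
    return { user: key.UserName, keyId: key.AccessKeyId, action, reason };
  });
}

// Fixed "now" so the constructed sample always gives the same result.
const report = reviewAccessKeys(sampleKeys, sampleLastUsed, new Date('2019-01-16T00:00:00Z'));
report.forEach((r) => console.log(`${r.user} ${r.keyId}: ${r.action} (${r.reason})`));
```

For a key marked deactivate, `aws iam update-access-key` can set it to Inactive, which is reversible if something turns out to depend on it; `aws iam delete-access-key` is not.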

7️⃣ Make sure we are able to use an SDK

An SDK (Software Development Kit) is the 3rd way we can interact with AWS, basically via code. This is cool too and has its uses. This step doesn’t really involve you doing anything, because the SDK will automatically read from the credentials file we just configured in the previous step, just like the CLI. However, if you want to try it out, take a look at the SDKs available here and try to do something simple, like listing Groups, with the SDK for your programming language.

For example, in NodeJS, getting a list of IAM Groups looks like this:

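const AWS = require('aws-sdk');

// The SDK picks up credentials from ~/.aws/credentials, just like the CLI
const iam = new AWS.IAM();

// List every IAM Group in the account and print the response
iam.listGroups({}, (err, res) => {
    if (err) console.log(err);
    else console.log(res);
});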

8️⃣ Follow AWS’s guidelines for protecting your account

You should still be logged in as the root user at this point — before you log out, try to complete all the points on this Checklist, which can be viewed on the main IAM page:

AWS Security Checklist

9️⃣ Set up an Account Alias

This step is not related to security, but it will make your life easier. Before logging out as the root user, follow this guide to creating an Alias name for your account. This will mean you can refer to your account with a friendly identifier, rather than a numeric account ID.

🔟 Set up billing alerts

It’s a good idea to set up alerts for when you spend money on the AWS Platform. Again, AWS has a very good instruction guide for how to do this. I would recommend setting an alarm for when billing goes above a $0 threshold, since at first you should be getting a lot of services under the free tier so you’d ideally want to know when you go above that tier.

You can always change your threshold later if you find you’re getting emails too often. A good alarm should only alert you if you genuinely have a problem or need to look into something, so if it’s too sensitive, change it.

Finally…

You are now ready to sign out as the root user, and sign in as the IAM User you created.

Sign in to your account using your IAM User

Notice how you can use the friendly identifier (alias) for your account (in my case, it’s harrietryder) rather than the account ID.

And that’s it! The end!

Sorry that was a bit of a marathon, but hopefully you’ve now got a secure AWS account, which you can interact with through the web interface, the command line or code, and you’re ready to start building in the cloud! ☁️☁️☁️

Let me know if you found this guide useful, whether there’s anything else you want to know, or if any of the above didn’t work for you. Connect with me on Twitter or follow me on Medium!

🙌
