AWS Account Strategy — a Checklist
At AltoStack, we work with a lot of companies that are new to Amazon Web Services (AWS) and haven't set up their first AWS account.
This post highlights things you should consider doing when initially creating an account:
1. Email address to register for the account
At first this may seem very basic, but putting some thought into it can save you a lot of hassle down the line as your use of AWS increases. When you sign up for an AWS account, the email address you use becomes the root user, which has full, unrestricted control over every resource created under the account. It's best to register with an email alias/distribution list whose members are the people in the organization who should have root access, rather than with an individual's mailbox.
By using an alias/distribution list you avoid tying the AWS account to one person and creating a SPOF (single point of failure) when that person is unreachable or leaves the organization. Bear in mind that the mailbox itself is a recovery path (root password resets are sent there), so restrict who can read it and protect it with MFA as well. It's also worth noting that the root user should not be used to access the account beyond the first login to set up IAM users and the handful of tasks that only the root user can perform.
A good email address might be something like email@example.com or even something that includes the account alias (aws-[account-alias]@company.com).
2. Create the account
With an appropriate email address chosen, it's now time to go through the process of signing up for an AWS account and enter the necessary billing information. If you plan to have multiple AWS accounts, for example to isolate environments or business units, make use of AWS Organizations to ease the creation of subsequent accounts. Organizations gives you consolidated billing, better reserved instance utilization, volume discounts, and service control policies that can be applied across multiple accounts.
3. Enable MFA for the root user
One of the most important steps we recommend after creating an AWS account even before you begin creating IAM users is to enable MFA for the root user.
With MFA set up, any further login as the root user requires the one-time code from the MFA device in addition to the password. We advise companies to take a screenshot of the QR code (or print the secret key it encodes) and store it somewhere safe such as an office vault; the QR code is the MFA seed, so treat that copy with the same care as the root password. A hardware MFA device registered to the root user is an alternative if your organization prefers not to keep the seed on a phone.
4. Decide on an AWS Support Plan
AWS accounts come with the Basic Support plan when you create them. Support plans are unique to each AWS account, so if you have more than one you'll need to select the chosen plan in each. Consider choosing a paid support plan for production accounts.
5. Provide IAM user access to billing information
By default, billing information is only available to the root user. Because the root user should rarely be used, it's advisable to activate IAM user and role access to billing information in the account settings so that admins or a billing group can see what they need. The IAM policies you later create then dictate who has access to it.
6. Set a password policy
AWS recommends you create a password policy that adheres to your organization's requirements to ensure the IAM users you create use strong passwords. You can specify criteria such as minimum password length, required character classes, whether users may change their own password, password expiration, and how many previous passwords are remembered. Note that the policy applies to IAM user console passwords only; it does not govern the root user.
7. Set up an Admin group
With most of the housekeeping completed, it's now time to create an IAM group for those who will be AWS admins with full access to AWS functionality. These users will be responsible for granting restricted access to others. Create the group and attach the AdministratorAccess managed policy to it. Next, create the users that belong in this group, add them to it, and require MFA for each of them, since these are the most powerful non-root identities in the account.
8. Choose an account alias
To improve the experience for users accessing the account through the AWS Management Console, it's recommended to create an account alias, which becomes a label for your account and provides a memorable sign-in URL in place of the twelve-digit account ID. It appears at the top of the console, which helps you know which account you're in when you work across several.
9. Turn on CloudTrail
AWS CloudTrail records all API activity, including use of the AWS console, CLI and SDKs, and delivers it to S3 and optionally to CloudWatch Logs. It provides a full audit trail and should be turned on in every account. AWS now records management events by default, but the console Event history only retains the last 90 days; create a trail (ideally multi-region, with log file validation enabled) so that logs are kept in S3 for as long as you need them.
10. Turn on AWS Config
AWS Config keeps an inventory of the resources you create and a history of changes made to them. This helps you diagnose problems by finding out what changed when something stops working as expected. It has many other features, such as rules that flag non-compliant configurations, but simply turning on the recorder is a good start.
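Once steps 3 and 6 through 10 are done, it is worth having a repeatable way to confirm that a new account actually meets this baseline. The following is an added example (not code from the original post or from AltoStack) of a read-only audit script: each check is a pure function over the raw API response, so the checks can be run against constructed sample responses offline, and `collect_live()` fetches the real responses with boto3 when you pass `--live`. The sample account responses, the alias `example-prod`, the trail name `org-trail` and the 14-character minimum length are assumptions made for the example; the response shapes follow the boto3 documentation for `iam`, `cloudtrail` and `config`.

```python
"""Audit a new AWS account against the checklist baseline: root MFA,
password policy, account alias, a logging multi-region CloudTrail trail,
and a recording AWS Config recorder. Checks are pure functions over the
raw boto3 responses so they can be exercised on sample data."""
from typing import Dict, List, Optional, Tuple

Finding = Tuple[str, bool, str]  # (check name, passed, detail)


def check_root_mfa(summary: Dict) -> Finding:
    # iam.get_account_summary(): AccountMFAEnabled is 1 when root has an MFA device.
    ok = summary.get("SummaryMap", {}).get("AccountMFAEnabled", 0) == 1
    return ("root_mfa", ok, "root MFA enabled" if ok else "root user has no MFA device")


def check_password_policy(policy: Optional[Dict], min_length: int = 14) -> Finding:
    # None stands for iam.get_account_password_policy() raising NoSuchEntity,
    # i.e. the account still runs on the AWS default policy.
    if not policy:
        return ("password_policy", False, "no custom password policy set")
    p = policy["PasswordPolicy"]
    problems = []
    if p.get("MinimumPasswordLength", 0) < min_length:
        problems.append(f"minimum length {p.get('MinimumPasswordLength', 0)} < {min_length}")
    for key in ("RequireUppercaseCharacters", "RequireLowercaseCharacters",
                "RequireNumbers", "RequireSymbols", "AllowUsersToChangePassword"):
        if not p.get(key, False):
            problems.append(f"{key} is off")
    return ("password_policy", not problems, "; ".join(problems) or "policy meets baseline")


def check_alias(aliases: Dict) -> Finding:
    names = aliases.get("AccountAliases", [])
    return ("account_alias", bool(names), f"alias: {names[0]}" if names else "no account alias set")


def check_cloudtrail(trails: Dict, status_by_arn: Dict[str, Dict]) -> Finding:
    # trails: cloudtrail.describe_trails(); status_by_arn: TrailARN -> get_trail_status().
    good = [t["Name"] for t in trails.get("trailList", [])
            if t.get("IsMultiRegionTrail") and t.get("LogFileValidationEnabled")
            and status_by_arn.get(t.get("TrailARN", ""), {}).get("IsLogging")]
    if good:
        return ("cloudtrail", True, "multi-region trail(s) logging: " + ", ".join(good))
    return ("cloudtrail", False, "no multi-region trail with log validation is logging")


def check_config(recorder_status: Dict) -> Finding:
    # config.describe_configuration_recorder_status(): 'recording' is True while enabled.
    rec = [r for r in recorder_status.get("ConfigurationRecordersStatus", []) if r.get("recording")]
    return ("aws_config", bool(rec), "Config recorder is recording" if rec else "no Config recorder is recording")


def audit(inputs: Dict) -> List[Finding]:
    return [check_root_mfa(inputs["account_summary"]),
            check_password_policy(inputs["password_policy"]),
            check_alias(inputs["aliases"]),
            check_cloudtrail(inputs["trails"], inputs["trail_status"]),
            check_config(inputs["config_status"])]


def collect_live() -> Dict:
    """Read-only calls against the account of the current credentials."""
    import boto3  # imported here so the pure checks work without boto3 installed
    iam, ct, cfg = boto3.client("iam"), boto3.client("cloudtrail"), boto3.client("config")
    try:
        pw = iam.get_account_password_policy()
    except iam.exceptions.NoSuchEntityException:
        pw = None
    trails = ct.describe_trails(includeShadowTrails=False)
    return {"account_summary": iam.get_account_summary(), "password_policy": pw,
            "aliases": iam.list_account_aliases(), "trails": trails,
            "trail_status": {t["TrailARN"]: ct.get_trail_status(Name=t["TrailARN"]) for t in trails["trailList"]},
            "config_status": cfg.describe_configuration_recorder_status()}


# Constructed sample responses (not captured from a real account), shaped like boto3 results.
TRAIL_ARN = "arn:aws:cloudtrail:us-east-1:123456789012:trail/org-trail"  # assumed
SAMPLE_FRESH_ACCOUNT = {
    "account_summary": {"SummaryMap": {"AccountMFAEnabled": 0, "Users": 0}},
    "password_policy": None, "aliases": {"AccountAliases": []},
    "trails": {"trailList": []}, "trail_status": {},
    "config_status": {"ConfigurationRecordersStatus": []}}
SAMPLE_BASELINED_ACCOUNT = {
    "account_summary": {"SummaryMap": {"AccountMFAEnabled": 1, "Users": 3}},
    "password_policy": {"PasswordPolicy": {
        "MinimumPasswordLength": 14, "RequireSymbols": True, "RequireNumbers": True,
        "RequireUppercaseCharacters": True, "RequireLowercaseCharacters": True,
        "AllowUsersToChangePassword": True, "ExpirePasswords": True, "MaxPasswordAge": 90}},
    "aliases": {"AccountAliases": ["example-prod"]},
    "trails": {"trailList": [{"Name": "org-trail", "TrailARN": TRAIL_ARN,
                              "IsMultiRegionTrail": True, "LogFileValidationEnabled": True}]},
    "trail_status": {TRAIL_ARN: {"IsLogging": True}},
    "config_status": {"ConfigurationRecordersStatus": [{"name": "default", "recording": True, "lastStatus": "SUCCESS"}]}}

if __name__ == "__main__":
    import sys
    findings = audit(collect_live() if "--live" in sys.argv else SAMPLE_FRESH_ACCOUNT)
    for name, ok, detail in findings:
        print(f"[{'PASS' if ok else 'FAIL'}] {name}: {detail}")
    sys.exit(0 if all(ok for _, ok, _ in findings) else 1)
```

Run without arguments it prints the findings for the constructed fresh-account sample (every check fails, as it would on a just-created account); with `--live` and credentials that hold the read-only IAM, CloudTrail and Config permissions it audits the real account and exits non-zero if any check fails, which makes it easy to drop into a pipeline that gates new accounts before workloads land in them.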
11. Start building!
With this initial foundation in place, you should be ready to start building on AWS. With an ever-growing list of services, the sky’s the limit. Enjoy!
At AltoStack, our mission is to help organisations accelerate their time to value from the cloud by designing, building, and optimising their infrastructures in the public cloud.
We are a team of DevOps fanatics and a core part of our work is helping organisations leverage the cloud to increase the speed and success of cultural transformation.