12 Mar 2019
By Mohammed Abubakar
At AltoStack, we work with a lot of companies that are new to Amazon Web Services (AWS) and haven't set up their first AWS account.
This post highlights things you should consider doing when initially creating an account:
At first this may seem very basic, but putting some thought into it can save you a lot of hassle down the line as your use of AWS increases. When you sign up for an AWS account, the email address used becomes associated with the root user, who acts as an admin and has full control over all AWS resources created under the account. It's best to create an email alias/distribution list made up of the people in the organisation who should have root access.
By using an alias/distribution list, you avoid tying the AWS account to one single person, which would create a SPOF (single point of failure) when that person is unreachable or leaves the organisation. It's also worth noting that the root user should not be used to access the account, apart from the first login to set up IAM users for the account.
A good email address might be something like aws-prod@company.com or even something that includes the account alias (aws-account-alias@company.com).
With an appropriate email address chosen, it's now time to go through the process of signing up for an AWS account and entering any necessary billing information. If you plan to have multiple AWS accounts, for example to isolate environments or business units, make use of AWS Organisations to ease the creation of subsequent accounts and take advantage of consolidated billing. As part of setting up Organisations you benefit from consolidated billing, better reserved instance utilisation, volume discounts, and policies that can be applied across multiple accounts.
One of the most important steps we recommend after creating an AWS account, even before you begin creating IAM users, is to enable MFA for the root user.
With MFA set up, any further login(s) to the account using the root user require the user to authenticate with a virtual MFA device. We advise companies to take a screenshot of the QR code or put it on a mobile device, and store it in a safe place such as an office vault.
AWS accounts come with the Basic Support plan when you create them. Support plans are unique to each AWS account, so if you have more than one you'll need to opt into your chosen plan for each of them. Consider choosing a paid support plan for production accounts.
By default, billing information is only made available to the root user. Because this user should rarely be used, it's also advisable to activate Identity and Access Management (IAM) user access to billing so that admins or billing groups can access what they need. The IAM policies you later create will dictate who has access to it.
AWS recommends you create a password policy that adheres to your organisation's requirements to ensure the IAM users you create are using strong passwords. You can specify criteria such as minimum password length, whether to allow users to change their own password, and password expiration.
With most of the housekeeping completed, it’s now time to create an IAM group for those who will be AWS admins with full access to AWS functionality. These users will be responsible for granting restricted access to others. Create the group and attach the AdministratorAccess managed policy to it. Next, create the users that belong in this group and add them to it.
To improve the UX for users accessing the AWS account via the console UI, it's recommended to create an account alias, which becomes a label for your account and provides a memorable login URL for the console. It'll appear in Organisations and at the top of the console, which helps you to know which account you're in.
AWS CloudTrail records all API activity, including use of the AWS console, CLI, SDKs, etc., and stores it in S3 and optionally CloudWatch Logs. It provides a full audit trail and should be turned on in every account. AWS now turns it on by default, but that default only keeps 90 days of activity; creating your own trail retains the full history in your S3 bucket.
AWS Config keeps an inventory of resources you create and changes made to them. This helps you diagnose problems by finding out what happened when something stops working as expected. It has many other features, but simply turning it on is a good start.
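The steps above (password policy, an Admins group with AdministratorAccess, an account alias, CloudTrail and Config) as one AWS CLI script, added here as an example and not AltoStack's own tooling. It refuses to run until root MFA is enabled; the alias, user names, log bucket and Config role ARN are hypothetical placeholders, and the bucket is assumed to already exist with a bucket policy that lets CloudTrail and Config write to it.

```shell
#!/usr/bin/env bash
# Added example, not AltoStack's code: applies the post's first-day steps with
# the AWS CLI. Hypothetical values: the alias, admin user names, the log bucket
# (assumed to exist with a CloudTrail/Config bucket policy) and the Config role.
set -eu
ACCOUNT_ALIAS="${ACCOUNT_ALIAS:-example-company-prod}"
ADMIN_GROUP="${ADMIN_GROUP:-Admins}"
ADMIN_USERS="${ADMIN_USERS:-alice bob}"
LOG_BUCKET="${LOG_BUCKET:-example-company-audit-logs}"
CONFIG_ROLE_ARN="${CONFIG_ROLE_ARN:-arn:aws:iam::123456789012:role/AWSConfigRole}"

# Gate: AccountMFAEnabled is 1 only once a virtual MFA device is bound to root.
root_mfa_enabled() {
  [ "$(aws iam get-account-summary --query SummaryMap.AccountMFAEnabled --output text)" = "1" ]
}

set_password_policy() {
  aws iam update-account-password-policy --minimum-password-length 14 \
    --require-uppercase-characters --require-lowercase-characters \
    --require-numbers --require-symbols --allow-users-to-change-password \
    --max-password-age 90 --password-reuse-prevention 24
}

# Admins group carrying the AdministratorAccess managed policy; users join it.
create_admins() {
  aws iam create-group --group-name "$ADMIN_GROUP"
  aws iam attach-group-policy --group-name "$ADMIN_GROUP" \
    --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
  for u in $ADMIN_USERS; do
    aws iam create-user --user-name "$u"
    aws iam add-user-to-group --user-name "$u" --group-name "$ADMIN_GROUP"
  done
}

enable_audit_logging() {
  aws iam create-account-alias --account-alias "$ACCOUNT_ALIAS"
  # Multi-region trail; log file validation lets you detect tampered log files.
  aws cloudtrail create-trail --name account-trail --s3-bucket-name "$LOG_BUCKET" \
    --is-multi-region-trail --enable-log-file-validation
  aws cloudtrail start-logging --name account-trail
  aws configservice put-configuration-recorder \
    --configuration-recorder "name=default,roleARN=$CONFIG_ROLE_ARN" \
    --recording-group allSupported=true,includeGlobalResourceTypes=true
  aws configservice put-delivery-channel --delivery-channel "name=default,s3BucketName=$LOG_BUCKET"
  aws configservice start-configuration-recorder --configuration-recorder-name default
}

bootstrap_account() {
  root_mfa_enabled || { echo "enable MFA on the root user before continuing" >&2; return 1; }
  set_password_policy && create_admins && enable_audit_logging
}
if [ "${1:-}" = "--apply" ]; then bootstrap_account; fi
```

Run it as `bash bootstrap.sh --apply` with credentials for the account; without `--apply` it only defines the functions.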
With this initial foundation in place, you should be ready to start building on AWS. With an ever-growing list of services, the sky’s the limit. Enjoy!
To learn more about how AltoStack can help on your journey to the Cloud by embracing Cloud-native thinking with the right foundations, click here