Secure AWS account: essential first-time tips

At account creation

A secure password

At account creation make sure you pick a strong password. Understandably "strong password" is a vague explanation, but you type in something similar to a service like this:
https://bitwarden.com/password-strength/

Please note that even though Bitwarden is a trusted site, I would by no means enter any real password of mine. You can type in something similar in a similar format and length to give you a rough estimate how secure of a password you picked.

Here's an example I tried. It's deceptively easy to remember:

Once you've gone through account creation, you can log into your root account.

After logging in with root account

Setting up MFA

Root accounts for AWS are something that generally isn't meant to be used for day-to-day operations.
This account has all the power associated with your account. It can do literally anything.

To avoid abuse of this, the 2nd thing you should do is enable 2FA on your root account.

To do this, navigate to your security credentials:

security credentials menu screenshot

At the Multi-factor authentication (MFA) section click on "Add MFA Device"
Add a name above to associate it with the device and click on Authenticator APP
Follow the on-screen instructions to add your device:
It's asking for 2x MFA code, to get the 2nd code, just wait 30 seconds in your MFA application.
Once done, you can log out of your account and test your MFA login

Setting up a budget alert

To alert you if your spending goes beyond a certain threshold, you can set up budget alerts.

To do this, navigate to Billing and Cost Management => Budgets => Create budget

You can then either set a monthly amount you're comfortable with along with an alert email.

This will alert you any time you're close to reaching your budget, however it'll do nothing else!

❗

These alerts will NOT send you email immediately once threshold reached, but rather at a random time through the day.

Update Billing Preferences

Navigate to Billing and Cost Management => Billing Preferences

Select both these options:

The first option will provide you alerts if you exceed Free Tier limits
The second option enables Cloudwatch alerts to be created around billing

💡

Cloudwatch billing alerts are at most 6h late. They're not immediate.

Create a cloudwatch billing alarm

Navigate to CloudWatch => Alarms => Create alarm

For metric, select All => Billing => Total Estimated Charge

Specify metric to maximum => 6h . As noted above, anything quicker than 6h will cause the below warning, as billing updates aren't more frequent than 6h.

Choose a condition to trigger when it's greater than your set amount. As an example:

Click next, and on the next page create a target notification for the alarm.

Create a new topic and set your email address there as below:

Create this topic.

On the next page, give it a name and then review your alarm.

Once you did that, you'll receive an email that you need to confirm.

After all this, your alarm is active!

Do NOTs

do not use the root account for day-to-day operations
do not create an access key for the root account
do not share your credentials with anyone

Creating a new day-to-day user

To avoid using your AWS root account, create a new user for logging in and performing daily activities.

Go to IAM => Users => Create user
Create a new user with AWS Management Console access, and select
I want to create an IAM user

Set them a password, then on the permissions page assign AdministratorAccess to them.

Click on create user and then log out and log back in with your newly created user.

On the newly created user, enable MFA just like you did with the root account.

Once you've done the above, your IAM => Dashboard should look like this:

And that's done!

Of course, there's much more you can do to enhance security, but the steps outlined above provide a solid starting point for those just beginning their journey.

Kris' Dev blog