Create an AWS account
If you don’t have an AWS account yet you can create one on the AWS home page. After creating the account you can sign in and you will land in the AWS Console. This is the main user interface to manage your AWS services, bills, support tickets and basically everything. In this tutorial we will also set up access through the command line.
Secure the root user
When a new AWS account is created, its first user is created with it. This user is called root and, as on Linux/UNIX systems, it is all-powerful: it is allowed to do everything. It is therefore strongly recommended to secure this user's credentials as much as possible.
- Use a very strong password for this user
- Set up MFA (multi factor authentication) for the root user
- Store the credentials in a secure safe or password manager
Please follow the IAM Best Practices guide for more details.
Security warning
If the root user’s credentials get stolen by malicious people then:
- the attackers can lock you out of the account
- the attackers can create new resources (they can even spin up expensive computing clusters for mining crypto currencies)
- the attackers can destroy/modify any resource in the account
Create an admin user
To avoid being locked out of an AWS account we can create a new user with admin rights. This user will be able to do everything the root user can do, with one exception: it cannot lock out the root user. The root user can always access the account.
If the credentials of this admin user get stolen, the root user can still revoke them to lock out the attackers and clean up the damage they did.
The easiest way to create a new user is through the AWS Console. Please follow the official Creating Your First IAM Admin User and Group guide from AWS.
Install the AWS CLI
At the time of writing this article AWS still recommends using version 1 of the CLI.
There are many ways to install the AWS CLI. The official documentation recommends installing it with pip3:
pip3 install awscli --upgrade --user
For more details please see the official guide: Installing the AWS CLI version 1
Configure the CLI
Before you can run your first command with the AWS CLI you have to configure it with your credentials. For this we call the aws configure command and answer the questions.
aws configure
# AWS Access Key ID [None]: AKIAIOSFODNN7EXAMPLE
# AWS Secret Access Key [None]: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
# Default region name [None]: eu-west-1
# Default output format [None]: json
This stores the credentials in the ~/.aws/credentials file and the other settings in the ~/.aws/config file.
Test that the CLI works
aws sts get-caller-identity
Expected output if credentials are set up properly:
{
"Account": "123456789012",
"UserId": "AR#####:#####",
"Arn": "arn:aws:sts::123456789012:assumed-role/role-name/role-session-name"
}
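The Arn field of that output tells you which principal the CLI is actually using, which is how you catch the mistake of running day-to-day work with the root user's keys instead of the admin user's. The following script is an added example, not part of the original post or of AWS's tooling: it classifies the caller ARN, and optionally checks the AccountMFAEnabled flag from aws iam get-account-summary to confirm the root user has MFA. The sample documents in the code are constructed for illustration (same placeholder account id as above).

```python
"""Classify the principal behind `aws sts get-caller-identity` and flag weak setups.

Added example for this tutorial, not code from AWS. It only parses the JSON the
CLI prints; the SAMPLE_* documents below are constructed test input.
"""
import json
import subprocess

# Constructed sample output, shaped like the CLI documents this script reads.
SAMPLE_IDENTITY = {
    "Account": "123456789012",
    "UserId": "AROAEXAMPLEID:role-session-name",
    "Arn": "arn:aws:sts::123456789012:assumed-role/role-name/role-session-name",
}
SAMPLE_SUMMARY = {"SummaryMap": {"AccountMFAEnabled": 1, "Users": 2}}


def classify_arn(arn):
    """Return 'root', 'user', 'assumed-role' or 'other' for a caller ARN.

    arn:aws:iam::123456789012:root                       -> root
    arn:aws:iam::123456789012:user/admin                 -> user
    arn:aws:sts::123456789012:assumed-role/role/session  -> assumed-role
    """
    resource = arn.split(":", 5)[-1]        # everything after the account id
    if resource == "root":
        return "root"
    kind = resource.split("/", 1)[0]
    return kind if kind in ("user", "assumed-role") else "other"


def identity_findings(identity, summary=None):
    """Return a list of warnings for the caller identity (empty list = fine)."""
    findings = []
    if classify_arn(identity["Arn"]) == "root":
        findings.append("CLI is using ROOT credentials; configure the admin user's keys instead")
    if summary is not None and summary["SummaryMap"].get("AccountMFAEnabled") != 1:
        findings.append("root user has no MFA device enabled")
    return findings


def _cli_json(*args):
    """Run one aws CLI subcommand and parse its JSON output."""
    proc = subprocess.run(["aws", *args, "--output", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


if __name__ == "__main__":
    ident = _cli_json("sts", "get-caller-identity")
    summ = _cli_json("iam", "get-account-summary")   # needs iam:GetAccountSummary
    print(f"Running as {classify_arn(ident['Arn'])}: {ident['Arn']}")
    for finding in identity_findings(ident, summ):
        print("WARNING:", finding)
```

Run it with the profile you just configured; a clean setup prints the assumed-role or user ARN and no warnings.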
Create a read-only user (optional)
Once you get to the point that you have automated almost everything with CI/CD pipelines, you will barely need to make any changes in the AWS Console. A simple read-only user will then cover most of your needs in the AWS Console UI.
Advantages of using a read-only user:
- Even if credentials leak the attackers still cannot create or modify resources in the account
- Accidental clicks in the UI cannot cause any trouble
- You can click through wizards in the UI knowing that at the end no modification can be done
Resources
- Creating an IAM User in Your AWS Account
- AWS Tasks That Require AWS Account Root User Credentials
- Creating Your First IAM Admin User and Group
- IAM Best Practices
- AWS re:Invent 2015: IAM Best Practices to Live By (SEC302)
- Identities (Users, Groups, and Roles)
- How to test credentials for AWS Command Line Tools