Create an AWS account

If you don’t have an AWS account yet, you can create one on the AWS home page. After creating the account you can sign in and you will land in the AWS Console. This is the main user interface for managing your AWS services, bills, support tickets and basically everything. In this tutorial we will also set up access through the command line.

Secure the root user

When a new AWS account is created, its first user is created along with it. This user is called the root user and, like root on Linux/UNIX systems, it is all-powerful: it is allowed to do everything. It is therefore very strongly recommended to secure the credentials of this user as much as possible.

  • Use a very strong password for this user
  • Set up MFA (multi factor authentication) for the root user
  • Store the credentials in a secure safe or password manager

Please follow the IAM Best Practices guide for more details.

Security warning

If the root user’s credentials get stolen by malicious people, then:

  • the attackers can lock you out of the account
  • the attackers can create new resources (they can even spin up expensive computing clusters for mining cryptocurrencies)
  • the attackers can destroy or modify any resource in the account

Create an admin user

To avoid being locked out of an AWS account we can create a new user with admin rights. This user can then do everything the root user can do, with one exception: it cannot lock out the root user. The root user can always access the account.

If the credentials of this admin user get stolen, the root user can still revoke them to lock out the attackers and clean up the damage they did.

The easiest way to create a new user is through the AWS Console. Please follow the official Creating Your First IAM Admin User and Group guide from AWS.

Install the AWS CLI

At the time of writing this article AWS still recommends using version 1 of the CLI. There are many ways to install the AWS CLI; the official documentation recommends installing it with pip3.

pip3 install awscli --upgrade --user

For more details please see the official guide: Installing the AWS CLI version 1

Configure the CLI

Before you can run your first command with the AWS CLI you have to configure it with your credentials. For this, run the aws configure command and answer its prompts.

aws configure

# AWS Access Key ID [None]: AKIAIOSFODNN7EXAMPLE
# AWS Secret Access Key [None]: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
# Default region name [None]: eu-west-1
# Default output format [None]: json

This stores the credentials in the ~/.aws/credentials file and the other settings in the ~/.aws/config file.

Test that the CLI works

aws sts get-caller-identity

Expected output if credentials are set up properly:

{
  "Account": "123456789012",
  "UserId": "AR#####:#####",
  "Arn": "arn:aws:sts::123456789012:assumed-role/role-name/role-session-name"
}
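A small check that ties the two points above together: the CLI should be set up with the admin (or another IAM) user, never with the root user’s access keys. The script below is an added example, not part of the original tutorial; it reads the JSON that aws sts get-caller-identity prints, pulls out the Arn and reports whether the principal is the root user, an IAM user or an assumed role. It uses only sed and POSIX sh, and the sample JSON embedded in it is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original tutorial): classify the principal
# reported by `aws sts get-caller-identity` and warn when it is the root user.
# Assumes POSIX sh and sed; the ARN shapes are the documented AWS formats.

# Constructed sample in the same shape as the CLI output shown above.
SAMPLE_IDENTITY='{
  "Account": "123456789012",
  "UserId": "AIDAEXAMPLEUSERID",
  "Arn": "arn:aws:iam::123456789012:user/admin"
}'

# Extract the "Arn" value from get-caller-identity JSON read on stdin.
# sed only, so no jq needed; assumes the one-key-per-line layout of `--output json`.
identity_arn() {
  sed -n 's/.*"Arn": *"\([^"]*\)".*/\1/p'
}

# Print the kind of principal an ARN refers to: root, user, assumed-role or unknown.
principal_kind() {
  case "$1" in
    arn:aws:iam::*:root)            echo root ;;
    arn:aws:iam::*:user/*)          echo user ;;
    arn:aws:sts::*:assumed-role/*)  echo assumed-role ;;
    *)                              echo unknown ;;
  esac
}

# Return 0 when the CLI uses non-root credentials, 1 when it uses the root user.
check_not_root() {
  kind=$(principal_kind "$1")
  if [ "$kind" = root ]; then
    echo "WARNING: the CLI is configured with root credentials ($1)" >&2
    return 1
  fi
  echo "OK: CLI principal is a(n) $kind ($1)"
  return 0
}

# Stand-alone run on the constructed sample. Against a real account, replace
# the printf with:  aws sts get-caller-identity | identity_arn
arn=$(printf '%s\n' "$SAMPLE_IDENTITY" | identity_arn)
check_not_root "$arn"
```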

Create a read-only user (optional)

Once you get to the point that you have automated almost everything with CI/CD pipelines, you will barely need to make any changes in the AWS Console. A simple read-only user will then cover most of your needs for the AWS Console UI.

Advantages of using a read-only user:

  • Even if credentials leak the attackers still cannot create or modify resources in the account
  • Accidental clicks in the UI cannot cause any trouble
  • You can click through wizards in the UI knowing that at the end no modification can be done

Resources