Setup AWS Accounts
This guide walks you through setting up your AWS accounts: creating the first account, organizing accounts with AWS Organizations, and connecting to them from the command line through IAM Identity Center.
Create AWS Account
The first thing you need to do is create an AWS account.
Here are the steps:
- Navigate to aws.amazon.com and click "Create an AWS Account."
- For the root user, use an email address you control and can keep for the life of the account; this address is the recovery channel for the root user, so a dedicated mailbox or distribution list is safer than a personal inbox. You can use an alias or a forwarding rule so that the mail lands in a specific inbox.
- Next, choose an account name. This can be changed later, so name it "management" for now.
- Verify your email address by entering the verification code sent to your email into the provided field.
- After email verification, set a root user password following the password requirements provided.
- Continue by selecting the type of account you are creating (business or personal) then input your name and other personal information as required.
- Next, provide your credit card details. A payment method is required even though everything in this guide stays within the free tier; the spend alert set up below is your safety net if something strays outside it.
- Verify your phone number.
- The last step is to select a support plan. For starters, the free Basic support plan is sufficient. Then complete the signup.
- After successfully creating your AWS account, sign in to the AWS Management Console.
The next important step is to set up a spend alert in the console so that you are notified as soon as the account accrues any charges. To set this up:
- Navigate to billing and cost management. You will see that the budget status requires setup.
- Click on budgets on the left-hand side then select create a budget.
- Using the zero-spend budget template, set up the budget so that you receive an email if there is any spending outside the free tier.
- Enter your email address and create the budget.
You will now get an email alert whenever the account starts to accrue spending. Budget data is refreshed only a few times a day, so treat the alert as a daily safety net rather than a real-time one.
Manage AWS Accounts with AWS Organizations
AWS Organizations lets you govern and manage multiple AWS accounts from a single management account. You may be wondering why you would need multiple accounts. An AWS account is the strongest isolation boundary AWS offers: IAM permissions, service quotas and billing are all scoped per account. It's therefore a good idea to keep all production resources in their own account. That way you can limit who has access to production, and nobody can accidentally deploy to production when they meant to deploy to their development account.
For this guide, we'll have three AWS accounts inside of AWS Organization:
- Production Account: This account will be used to isolate production resources.
- Development Account: This will be a general-purpose development account. If you have multiple developers on your team, you can share this development account. If you're an individual, this will be your primary account for day-to-day development.
- Management Account: This is the account we set up earlier. The management account is only used for high-level setup, such as creating the AWS Organization and configuring access through IAM Identity Center. No application-related resources should be deployed in the management account: it has administrative power over every other account, and the guardrails Organizations can apply to member accounts do not apply to the management account itself.
Create AWS Organization
To create the AWS Organization, search for "Organizations" in the AWS Management Console and click "Create an Organization." This makes your current account the management account and places it directly under the root of the organization.
Organizational Units (OUs) let you structure your AWS accounts like a file tree and apply guardrails to groups of accounts rather than one account at a time. For our simple setup, we'll keep all our accounts directly under the root.
Adding Accounts to the Organization
Next, we need to create our development and production accounts within the organization.
- Click "Add an AWS Account" and select "Create an AWS Account."
- Name the account "development" and provide an email address (e.g., aws+dev@example.com).
- Leave the IAM role name as the default (OrganizationAccountAccessRole) and create the account. This role is created inside the new account and can be assumed from the management account, so it is how administrators get into the new account before Identity Center access is set up.
- Repeat the process to create a "production" account with a different email address (e.g., aws+prod@example.com).
You should now see the management account, development account, and production account within your AWS Organization.
IAM Identity Center
With multiple AWS accounts, managing access can be tricky. IAM Identity Center gives you one login for the console and for your development machine across all accounts. It's also more secure than long-lived IAM user access keys: the credentials it hands out are short-lived and expire on their own, so a leaked copy is useful to an attacker only until the session ends.
In the AWS Management Console, search for IAM Identity Center and click Enable to set it up.
Create Identity Center User
Once enabled, create a new user by clicking Add user under the Users section. Use your email address as the username and have AWS send you a one-time password setup email.
After accepting the invitation and setting a new password, you'll be prompted to set up multi-factor authentication (MFA). Use an authenticator app or, better, a hardware security key.
If you open the access portal now, you'll see that your user has no accounts or applications listed. That's because nothing has been assigned yet; the next step is to set up a permission set.
Create Permission Set
Next, create a permission set, which defines the permissions a user gets when signing in to an AWS account. For this example, create a permission set from the predefined AdministratorAccess policy with a 12-hour session duration. Administrator access is convenient for initial setup; once the accounts are running, add narrower permission sets (for example ReadOnlyAccess or PowerUserAccess) for day-to-day work and reserve the administrator set for when you really need it.
Assign User Permission Set
Assign your user the Administrator Access permission set for each of your three AWS accounts (management, development, and production).
- Go to "AWS accounts" under Multi-account permissions and select your management account.
- Under "Assign users or groups," select your user and the "Administrator Access" permission set.
- Repeat for the development and production accounts.
After assigning access, refresh the page, and you'll see all three accounts listed with the "Administrator Access" permission set.
Customize the Access Portal URL
To make the IAM Identity Center URL more friendly, go to the dashboard and edit the "Access Portal URL" under "Settings Summary." Choose a unique subdomain (e.g., jerald.dev).
Now you can access the IAM Identity Center portal at https://jerald.dev.awsapps.com/start.
AWS CLI
First, install the AWS CLI on your local machine, following the AWS instructions for your operating system.
After installing the CLI, you'll need to configure it to connect to your AWS accounts through Identity Center. Run the following command to check your current credentials:
aws sts get-caller-identity
This will likely return an error saying "unable to locate credentials" since you haven't set up connectivity yet.
To configure the CLI, you'll need to create an AWS config file. This file will contain the necessary information to connect to your accounts through Identity Center.
Create AWS Config File
- Open your text editor and create a new file called config in the .aws directory within your user's home directory (e.g., ~/.aws/config on macOS/Linux or %UserProfile%\.aws\config on Windows).
- Copy the template from the AWS documentation into the config file. The template below is the AWS one with a management profile added so that it covers all three accounts:

[profile dev]
sso_session = my-sso
sso_account_id = 111122223333
sso_role_name = SampleRole

[profile prod]
sso_session = my-sso
sso_account_id = 111122223333
sso_role_name = SampleRole2

[profile management]
sso_session = my-sso
sso_account_id = 111122223333
sso_role_name = SampleRole

[sso-session my-sso]
sso_region = us-east-1
sso_start_url = https://my-sso-portal.awsapps.com/start

- Customize the file with your specific details:
- Change the sso_start_url to your custom portal URL (e.g., https://jerald.dev.awsapps.com/start).
- Set the sso_region to the region in which you enabled IAM Identity Center. This is not necessarily the region closest to you, and the login fails if it does not match.
- Replace the sso_account_id and sso_role_name values for the dev, prod, and management profiles with the actual account IDs (12 digits each, shown in the Organizations console) and the permission set name exactly as it appears in Identity Center (AdministratorAccess if you used the predefined one). All three profiles can share the single my-sso session.
Login with AWS SSO
After saving the config file, you can log in to your accounts using the AWS SSO login command:
aws sso login --profile <profile_name>
Replace <profile_name> with dev, prod, or management depending on which account you want to access.
This command opens a browser window where you authenticate with your Identity Center credentials, including MFA. Once authenticated, the CLI holds short-term credentials for the specified account; they expire at the end of the session duration configured on the permission set, after which you simply run the login command again.
Verify AWS SSO
To verify that you have access to the account, run the get-caller-identity command with the appropriate profile:
aws sts get-caller-identity --profile <profile_name>
This should return the account ID, the assumed role ARN and the user ID, confirming that the CLI reaches the intended account through Identity Center. Check that the Account field matches the account you expected for that profile: a mistyped sso_account_id is the easiest mistake to make here and would silently point your "prod" profile at the wrong account.
With the AWS CLI configured, you can deploy applications, manage resources and run any other AWS operation from your local machine, switching accounts simply by changing the --profile value.
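As an added example (not part of the original guide), the following POSIX shell script does the two steps above in a checkable way: it renders the dev, prod and management profiles into config-file text from one list of account IDs, refusing any account ID that is not exactly 12 digits, and it compares the account that sts get-caller-identity reports for a profile against the account the profile is supposed to reach. The account IDs 111111111111, 222222222222 and 333333333333, the permission set name AdministratorAccess and the per-profile region are assumptions; the portal URL reuses the jerald.dev example from the guide.

```shell
#!/bin/sh
# Added example, not the guide's own code. Assumed values: the three
# account IDs below, a permission set named AdministratorAccess, and
# Identity Center enabled in us-east-1 (also used as each profile's
# default region). The portal URL is the guide's jerald.dev example.

SSO_START_URL="https://jerald.dev.awsapps.com/start"
SSO_REGION="us-east-1"
ROLE_NAME="AdministratorAccess"

# Print one [profile ...] section. Rejects anything that is not a
# 12-digit account ID so a typo cannot silently point a profile at
# the wrong account.
render_profile() {
    name="$1"
    account_id="$2"
    case "$account_id" in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) echo "render_profile: bad account id '$account_id' for profile $name" >&2; return 1 ;;
    esac
    printf '[profile %s]\nsso_session = my-sso\nsso_account_id = %s\nsso_role_name = %s\nregion = %s\n\n' \
        "$name" "$account_id" "$ROLE_NAME" "$SSO_REGION"
}

# Render the whole config: one profile per account plus the single
# shared sso-session they all point at.
render_config() {
    render_profile management 111111111111 &&
    render_profile dev 222222222222 &&
    render_profile prod 333333333333 &&
    printf '[sso-session my-sso]\nsso_region = %s\nsso_start_url = %s\nsso_registration_scopes = sso:account:access\n' \
        "$SSO_REGION" "$SSO_START_URL"
}

# Look up the account ID the rendered config expects for a profile
# (prints nothing for an unknown profile).
expected_account() {
    render_config | awk -v p="[profile $1]" '$0 == p {f=1} f && $1 == "sso_account_id" {print $3; exit}'
}

# Compare the account STS reports with the one the profile should reach.
# Second argument is the output of
#   aws sts get-caller-identity --profile "$1" --query Account --output text
# passed in explicitly so the check can be exercised without network access.
check_identity() {
    profile="$1"
    actual="$2"
    want="$(expected_account "$profile")"
    [ -n "$want" ] || { echo "check_identity: unknown profile $profile" >&2; return 1; }
    if [ "$actual" = "$want" ]; then
        echo "$profile: OK (account $actual)"
    else
        echo "$profile: MISMATCH, expected $want but STS reports $actual" >&2
        return 1
    fi
}

# Usage, once you have a real login (these call AWS, so they are comments here):
#   render_config > ~/.aws/config
#   aws sso login --profile dev
#   check_identity dev "$(aws sts get-caller-identity --profile dev --query Account --output text)"
```

The point of feeding the STS output into check_identity rather than eyeballing it is that the comparison is against the config you wrote, so a swapped dev/prod account ID is caught before you run a deployment against the wrong account.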