Setting up a new AWS account with out-of-the-box settings is an excellent start for your cloud journey. This guide identifies best practices when setting up a new AWS account or applying to an existing account.
The email used to create the AWS account has complete control of all AWS resources. Consider creating an account with a group/distribution email address with all the people who should have root access.
If you have already registered for an account with an individual email, you can update the root user name with a distribution list.
As a best practice, all root accounts should enable Multi-Factor Authentication (MFA). Configure using a virtual MFA device like Microsoft or Google Authenticator.
You can take a screenshot of the QR code and save it in a secure location or as an attachment in your password manager.
Customize your password policy that aligns with your organizational password policies. Ensure that
Avoid using the root account for day-to-day operations. Create IAM users with admin access for all administrative privileges. Assign users to groups rather than assigning permissions directly to the users.
Enable Multi-Factor authentication uses for all console users.
AWS billing information is available only to the root user. Activate billing information access to IAM users so that admins can access the billing dashboard.
AWS bills add up quickly if you do not keep a tab on the services you provisioned. AWS billing alerts leverages CloudWatch to provide proactive alerting and alarms on your total AWS charges. You can set the alarm if your bill has reached or exceeded a specific amount.
Subscribe to get business or enterprise support plans for any accounts that run production workloads. You can run a complete set of checks with a trusted advisor, 24 X7 support over phone, email, and chat access to AWS cloud engineers.
The Trusted advisor monitors your AWS environment and provides recommendations to align with the AWS well-architected framework. The trusted advisor offers guidance in the following five categories.
It is recommended to have at least business support to leverage the full features of the trusted advisor.
The first step to securing your environment is to create an asset inventory. AWS Config enables you to assess, audit, and evaluate configurations of the AWS services deployed in the account. AWS Config continuously monitors and records your AWS configurations. You can get a count of all the resources across the account.
CloudTrail creates an audit trail of all the actions performed on your account. The primary use of CloudTrail is Governance, Compliance, Security controls, and CloudTrail logs all success and failure events of all requests from the AWS Console, CLI, and SDK.