AWS Account Setup and IAM

Before you can start using AWS services, you need an AWS account. More importantly, you need to set it up securely from the start. In this lesson, we'll create your AWS account and configure Identity and Access Management (IAM) properly.

What You'll Learn

By the end of this lesson, you'll have a secure AWS account with proper IAM configuration, multi-factor authentication enabled, and best practices in place to protect your cloud resources.

Creating Your AWS Account

Let's start by creating your AWS account. You'll need:

• An email address (use one you have long-term access to)
• A credit card (required for verification, but you won't be charged for Free Tier usage)
• A phone number for verification

Step-by-Step Account Creation

1. Go to aws.amazon.com
2. Click "Create an AWS Account"
3. Enter your email address and choose an account name
4. Create a strong root user password
5. Choose "Personal" or "Business" account type
6. Enter your contact information
7. Enter payment information (credit/debit card)
8. Verify your identity via phone
9. Select a support plan (Free tier is fine for learning)

Important: The email you use becomes your root user identity. The root user has complete, unrestricted access to your AWS account. Treat these credentials with extreme care.

Understanding the Root User

When you create an AWS account, you create a root user. This user has:

• Complete access to all AWS services and resources
• The ability to change account settings
• Access to billing information
• Power to close the account

Root User Best Practices

The root user is incredibly powerful - and that's exactly why you should almost never use it.

Do	Don't
Enable MFA on root user immediately	Use root user for daily tasks
Create IAM users for all access	Share root credentials
Store root credentials securely	Leave root without MFA
Only use root for account-level tasks	Create access keys for root

Account-level tasks that require root user:

• Change account settings (name, email, password)
• Close the AWS account
• Change or cancel support plans
• Enable MFA Delete on S3 buckets
• Restore IAM user permissions

Enabling Multi-Factor Authentication (MFA)

MFA adds a critical second layer of security. Even if someone obtains your password, they can't access your account without the second factor.

Setting Up MFA for Root User

1. Sign in to the AWS Console as root user
2. Click your account name (top right) → "Security credentials"
3. Expand "Multi-factor authentication (MFA)"
4. Click "Activate MFA"
5. Choose your MFA device type:
   • Virtual MFA device - App like Google Authenticator or Authy (recommended)
   • Hardware MFA device - Physical key fob
   • U2F security key - YubiKey or similar
6. Follow the setup instructions
7. Enter two consecutive MFA codes to verify

Recommended apps:

• Google Authenticator (iOS/Android)
• Authy (iOS/Android/Desktop)
• 1Password (built-in authenticator)

Introduction to IAM

Identity and Access Management (IAM) is how you control who can access what in your AWS account. It's a free service that's fundamental to AWS security.

Core IAM Concepts

Users: Individual identities with credentials. Each person should have their own user.

Groups: Collections of users. Apply permissions to groups, not individual users.

Roles: Identities that can be assumed by users, applications, or AWS services. No permanent credentials.

Policies: JSON documents that define permissions. Attached to users, groups, or roles.

The Principle of Least Privilege

One of the most important security concepts:

Grant only the permissions required to perform a task - nothing more.

If a developer only needs to read from S3, don't give them permission to delete buckets. If an application only needs to write to DynamoDB, don't give it EC2 access.

Creating Your First IAM User

Let's create an IAM user for your daily AWS work, so you don't use the root user.

Step-by-Step User Creation

1. Sign in as root user
2. Go to IAM (search "IAM" in the console)
3. Click "Users" → "Add users"
4. Enter a username (e.g., "admin" or your name)
5. Select both access types:
   • Programmatic access - For AWS CLI and SDKs
   • AWS Management Console access - For web console
6. Set a console password
7. Click "Next: Permissions"

Attaching Permissions

For your admin user, you have two options:

Option 1: Add user to a group (Recommended)

1. Click "Create group"
2. Name it "Administrators"
3. Attach the AdministratorAccess policy
4. Add your user to this group

Option 2: Attach policies directly

1. Click "Attach existing policies directly"
2. Search for and select AdministratorAccess

Using groups is the best practice because it's easier to manage permissions as your team grows.

Enable MFA for IAM User

Just like the root user, enable MFA for your IAM admin user:

1. Go to IAM → Users → [Your User]
2. Click the "Security credentials" tab
3. Click "Manage" next to "Assigned MFA device"
4. Follow the MFA setup process

Understanding IAM Policies

IAM policies are JSON documents that define permissions. Here's the basic structure:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-bucket/*"
    }
  ]
}

Policy Elements

• Version: Always use "2012-10-17" (the current policy language version)
• Statement: One or more permission statements
• Effect: "Allow" or "Deny"
• Action: What actions are allowed (e.g., "s3:GetObject", "ec2:*")
• Resource: Which resources the policy applies to (ARN format)

Common AWS Managed Policies

AWS provides pre-built policies for common use cases:

Policy	Purpose
AdministratorAccess	Full access to all services
PowerUserAccess	Full access except IAM and Organizations
ReadOnlyAccess	View-only access to all services
AmazonS3FullAccess	Full S3 access
AmazonEC2FullAccess	Full EC2 access

For learning, AdministratorAccess is fine. In production, create custom policies with least privilege.

IAM Roles

Roles are identities that can be assumed temporarily. They're crucial for:

• EC2 instances - Allow instances to access other AWS services
• Lambda functions - Grant functions permission to use AWS resources
• Cross-account access - Let users from other accounts access your resources
• Federation - Allow external identities to access AWS

Example: EC2 Instance Role

When an EC2 instance needs to read from S3:

1. Create an IAM role with S3 read permissions
2. Attach the role to the EC2 instance
3. The instance can now access S3 without storing credentials

This is much more secure than storing access keys on the instance.

Account Security Checklist

Before moving on, ensure you've completed these security essentials:

• Root user has MFA enabled
• Created an IAM admin user
• Admin user has MFA enabled
• Strong, unique passwords for all users
• Not using root user for daily work
• No access keys created for root user

Key Takeaways

• Root user has unrestricted access - use it only when absolutely necessary
• MFA is essential on both root and IAM users
• IAM users should be created for daily work, not root
• Groups make permission management easier
• Policies define what actions are allowed on what resources
• Roles provide temporary credentials for services and cross-account access
• Least privilege - only grant permissions that are needed

What's Next

With your secure AWS account ready, let's explore the AWS Management Console. In the next lesson, we'll navigate the console, understand the interface, and learn how to find and use AWS services.