Ref: https://www.youtube.com/watch?v=FuoVr7O3uBg or https://learn.cantrill.io/courses/1820301/lectures/41301458 [ASSOCIATESHARED]

• Summary
• Contents:

AWS Account - Key Concepts

• 🔧 AWS account = container for identities and AWS resources
  • ‼️ AWS accounts ≠ users inside accounts!!!
  • Identity = a user, app or thing that can login to an AWS account
    • ❗ Exception: IAM groups (will be explained later)
  • AWS resource = piece of SW, HW or data that runs or is stored in the AWS cloud/infrastructure, and belongs to an AWS account
    • e.g. a virtual server (EC2 instance), an S3 bucket that contains images…
    • Official AWS definition → AWS resource = “an entity that you can work with”
    • An AWS resource is created inside an AWS service
      • e.g. S3 is a service, an S3 bucket is a resource created inside S3
  • 💡 Simple systems might run from only one AWS account, but complex systems usually run on many accounts
  • 💡 AWS accounts should be disposable. Don't put all your business in one.
• When creating/provisioning an AWS account, one must provide:
  1. Name
     • e.g. “PROD”
  2. UNIQUE email address
     • Used to create the account root user
     • ‼️ Can NOT be shared between accounts!!
       • 💡 Gmail trick: add + to an email address to make it unique outside of Gmail
         • e.g. [email protected] & [email protected] are unique from AWS perspective, but they redirect to the same Gmail account ([email protected])
  3. Credit card
     • Set as the account payment method
     • Can be shared between accounts
     • AWS is a pay-as-you-go/pay-as-you-consume platform
       • As services are used/consumed, credit card is charged according to their billing
       • Free tier → Certain AWS services include some free usage per month
         • great for keeping costs at a minimum e.g. while learning AWS
• **Account root user = default identity of an AWS account**
  • Has full access and control to the AWS account, can't be restricted
  • The first and only identity to exist originally in an account (until others are created)
    • 💡 The account root user and its AWS account can be loosely thought as the same
  • ‼️ Handle with extreme care!! If credentials of account root user are compromised, the whole account can be compromised!
    • 💡 Hence why it's a good idea to only use account root user to set the initial account configurations, perform emergency tasks, and to close the account. Use a different admin identity (e.g. an iamadmin user) to perform other admin tasks.
• IAM - Identity Access Management
  • AWS Service that can create extra account identities (which can be restricted)
  • IAM identities consist of users, groups & roles
  • IAM identities start without permissions by default (except the account root user)
    • They can be granted full or partial access to services and resources in the account
• Account boundary → Everything inside the account is by default isolated from the outside
  • External access denied by default (must explicitly grant access to externals if desired)
  • Accounts are good at keeping bad stuff contained
    • e.g. admin errors, bad actor exploits…
  • Putting all business in one account is risky. Having multiple accounts limits damage.
    • Hence why it's a good idea to use separate accounts for separate things
    • e.g. different accounts for DEV, TEST and PROD environments
    • e.g. different accounts for different teams, products or clients
• Summary Diagram

DEMO: Creating an AWS account (GENERAL account)

Ref: https://learn.cantrill.io/courses/1820301/lectures/41301459

• Diagram of AWS Account that will be used in this course:
• General account will have MFA, budget alarm and IAMADMIN identity in place (all will be explained later)
• Sign up for an AWS account at: https://portal.aws.amazon.com/billing/signup#/start/email

  1. Input personal credentials/info as needed

  2. When selecting support plan, select “Basic support - Free”

  3. Activate IAM Access to Billing Information under “Account” (in drop-down menu)

     

     • 💡 Without this option enabled, even if we gave an IAM identity access to billing information, that identity would still not be able to see it
• ❗ Generally, try to always be in the Northern Virginia region (us-east-1) in this course, so you get full access to services and resources
• 💡 Adrian asks you to create a PROD account that is identical to the GENERAL account you just created. For most demos, you only need the GENERAL account. Later in the course you will create an AWS Organization with the GENERAL account (which becomes the management account). Then you will add the PROD account to it and also create a DEV account. You can skip creating the PROD account for now and create it when its needed, or create it now and add it later.