Ref: https://learn.cantrill.io/courses/1820301/lectures/41301458

YouTube: https://www.youtube.com/watch?v=FuoVr7O3uBg

DEMO: https://learn.cantrill.io/courses/1820301/lectures/41301459

• Summary
• Contents:

AWS Account - Key Concepts

• 🔧 AWS account = container for identities and AWS resources
  • ‼️ AWS account ≠ human user inside an account!!!
  • Identity = a user, app or thing that can log in to an AWS account
    • ❗ Exception: IAM groups (explained later)
  • AWS resource = piece of SW, HW or data that runs in or is stored in the AWS cloud/infrastructure, and belongs to an AWS account
    • e.g. a virtual server (EC2 instance), an S3 bucket that contains images…
    • Official AWS definition → AWS resource = “an entity that you can work with”
    • An AWS resource is created inside an AWS service
      • e.g. S3 is a service, an S3 bucket is a resource created inside S3
  • 💡 Simple systems might run from only one AWS account, but complex systems usually run on many accounts (some services like AWS Organizations help manage many)
  • ‼️ AWS accounts should be disposable! Don't put all your business in a single account!
• When creating/provisioning an AWS account, you must provide:
  1. Name
     • e.g. “mywebapp-PROD”
  2. UNIQUE email address
     • Used to create the root user
     • ‼️ Can NOT be shared between accounts!!
       • 💡 Gmail trick: add + to an email address to make it unique outside of Gmail
         • e.g. [email protected] & [email protected] are unique from AWS perspective, but they redirect to the same Gmail account ([email protected])
  3. Credit card
     • Set as the account payment method
     • Can be shared between accounts
     • AWS is a pay-as-you-go/pay-as-you-consume platform
       • As services are used/consumed, credit card is charged according to their billing
       • Free tier → Certain AWS services include some free usage per month
         • great for keeping costs at a minimum (e.g. while learning AWS)
• **Root user of the account = Account root user = default identity of an AWS account**
  • Has full access and control to the AWS account, can't be restricted
  • The first and only identity to exist originally in an account (until others are created)
    • 💡 The account root user and its AWS account can be loosely thought as the same
  • ‼️ Handle with extreme care!! If credentials of account root user are compromised, the whole account can be compromised!
    • 💡 Hence why it's a good idea to only use account root user to set the initial account configurations, perform emergency tasks, and to close the account. Use a different admin identity (e.g. an iamadmin user) to perform other everyday admin tasks.
• IAM - Identity Access Management
  • AWS service that can create extra account identities (which can be restricted)
  • IAM identities consist of users, groups & roles
  • IAM identities start without permissions by default (except the account root user)
    • They can be granted full or partial access to services and resources in the account
• Account boundary → Everything inside the account is by default isolated from the outside
  • External access denied by default (must explicitly grant access to externals if desired)
  • Accounts are good at keeping bad stuff contained
    • e.g. admin errors, bad actor exploits…
  • ❗ Putting all business in one account is risky. Having multiple accounts limits damage.
    • Hence why it's a good idea to use separate accounts for separate things
    • e.g. different accounts for DEV, TEST and PROD environments
    • e.g. different accounts for different teams, products or clients
• Summary Diagram

DEMO: Creating an AWS account (GENERAL account)

Ref: https://learn.cantrill.io/courses/1820301/lectures/41301459

• Diagram of AWS Account that will be used in this course:
• General Account will have MFA, budget alarm and iamadmin identity in place (all explained later)
• Sign up for an AWS account at: https://portal.aws.amazon.com/billing/signup#/start/email

  1. Input personal credentials/info as needed

  2. When selecting support plan, select “Basic support - Free”

  3. Activate IAM Access to Billing Information under “Account” (in drop-down menu)

     

     • 💡 Without this option enabled, even if we gave an IAM identity access to billing information, that identity would still not be able to see it
• ❗ Generally, try to always be in the Northern Virginia region (us-east-1) in this course, so you get full access to services and resources
  • Not all AWS regions have the latest services and features
  • Alternatively, you can be in the region that is closest geographically to you (will give you best performance)