Ref: https://learn.cantrill.io/courses/1820301/lectures/41301458 and https://docs.aws.amazon.com/accounts/latest/reference/accounts-welcome.html
YouTube: https://www.youtube.com/watch?v=FuoVr7O3uBg
DEMO: https://learn.cantrill.io/courses/1820301/lectures/63958656
AWS Account - Key Concepts
- 🔧 AWS account = container for identities and AWS resources
- ‼️ AWS account ≠ human user inside an account!!!
- Identity = a user, app, or thing that can log in to an AWS account
- ❗ Exception: IAM groups (explained later)
- AWS resource = piece of SW, HW, or data that runs in or is stored in the AWS cloud/infrastructure, and belongs to an AWS account
- e.g. a virtual server (EC2 instance), an S3 bucket that contains images…
- Official AWS definition → AWS resource = “an entity that you can work with”
- An AWS resource is created inside an AWS service
- e.g. S3 is a service, an S3 bucket is a resource created inside S3
- 💡 Simple systems might run from only one AWS account, but complex systems usually run on many accounts (some services like AWS Organizations help manage many)
- ‼️ AWS accounts should be disposable! Don't put all your business in a single account!

- When creating/provisioning an AWS account, you must provide:
- Name
- UNIQUE email address
- Used to create the root user
- ‼️ Can NOT be shared between accounts!!
- 💡 Gmail trick: add `+` to an email address to make it unique outside of Gmail
- Credit card
- Set as the account payment method
- Can be shared between accounts
- AWS is a pay-as-you-go/pay-as-you-consume platform
- As services are used/consumed, credit card is charged according to their billing
- Free tier → Certain AWS services include some free usage per month
- great for keeping costs at a minimum (e.g. while learning AWS)
- **Root user of the account = Account root user = default identity of an AWS account**
- Has full access to and control over the AWS account, can't be restricted
- The first and only identity to exist originally in an account (until others are created)
- 💡 The account root user and its AWS account can be loosely thought of as the same
- ‼️ Handle with extreme care!! If the credentials of the account root user are compromised, the whole account can be compromised!
- 💡 This is why it's a good idea to use the account root user only to set the initial account configuration, perform emergency tasks, and close the account. Use a different admin identity (e.g. an `iamadmin` user) to perform other everyday admin tasks.
- IAM - Identity and Access Management
- AWS service that can create extra account identities (which can be restricted)
- IAM identities consist of users, groups & roles
- IAM identities start without permissions by default (except the account root user)
- They can be granted full or partial access to services and resources in the account
- Account boundary → Everything inside the account is by default isolated from the outside
- External access denied by default (must explicitly grant access to externals if desired)
- Accounts are good at keeping bad stuff contained
- e.g. admin errors, bad actor exploits…
- ❗ Putting all business in one account is risky. Having multiple accounts limits damage.
- Hence why it's a good idea to use separate accounts for separate things
- e.g. different accounts for DEV, TEST, and PROD environments
- e.g. different accounts for different teams, products, or clients
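
Added example (not from the course or AWS docs): one way to check that the account root user is only used for rare tasks, as recommended above, is to scan CloudTrail records for actions taken by the root identity. It assumes CloudTrail is enabled in the account; the events, the account ID `111111111111`, and the function names are constructed for illustration.

```python
# Added example: flag account root user activity in CloudTrail-style records.
# All events are constructed samples; 111111111111 is a placeholder account ID.
SAMPLE_EVENTS = [
    {"eventTime": "2025-01-10T09:00:00Z", "eventType": "AwsConsoleSignIn",
     "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "accountId": "111111111111"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2025-01-10T09:05:00Z", "eventType": "AwsApiCall",
     "eventName": "CreateAccessKey",
     "userIdentity": {"type": "Root", "accountId": "111111111111"}},
    {"eventTime": "2025-01-10T10:00:00Z", "eventType": "AwsApiCall",
     "eventName": "RunInstances",
     "userIdentity": {"type": "IAMUser", "userName": "iamadmin"}},
    {"eventTime": "2025-01-10T11:00:00Z", "eventType": "AwsServiceEvent",
     "eventName": "ExampleServiceEvent",  # constructed event name
     "userIdentity": {"type": "Root", "accountId": "111111111111"}},
]


def is_root_action(event):
    """True when the root user itself acted, not an AWS service on its behalf."""
    ident = event.get("userIdentity", {})
    return (ident.get("type") == "Root"
            and "invokedBy" not in ident
            and event.get("eventType") != "AwsServiceEvent")


def root_findings(events):
    """Return (time, event name, notes) for every direct root user action."""
    findings = []
    for ev in events:
        if not is_root_action(ev):
            continue
        notes = []
        extra = ev.get("additionalEventData") or {}
        if ev.get("eventName") == "ConsoleLogin" and extra.get("MFAUsed") != "Yes":
            notes.append("root console login without MFA")
        if ev.get("eventName") == "CreateAccessKey":
            notes.append("root access key created")
        findings.append((ev["eventTime"], ev["eventName"],
                         notes or ["root user activity"]))
    return findings


if __name__ == "__main__":
    for when, name, notes in root_findings(SAMPLE_EVENTS):
        print(when, name, "; ".join(notes))
```

Everyday work done through the `iamadmin` identity produces no finding; any hit here is a prompt to confirm the root sign-in was one of the expected setup or emergency tasks.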
Free and Paid AWS Accounts
Ref: https://learn.cantrill.io/courses/1820301/lectures/63958656
- Historically, there were no free or paid AWS accounts. There were free tiers in AWS services, some of which had free usage for 12 months.
- Since 2025, AWS offers Free accounts to brand new AWS customers: https://aws.amazon.com/free/
- 👍 Won't bill you for 6 months
- Up to $200 of usage in AWS credits
- 👎 However, once 6 months or credit usage is up, your workload will stop until you upgrade to a paid plan!
- 👎 Not all AWS services and features are available in Free accounts
