01.07 Set up or get access to the stakeholders' AWS account(s)

Sign up for AWS

If no AWS account has been established by the stakeholder, you’ll need to sign up for one. To do this, follow these instructions.

Ask the AWS root account owner to provide you access to the AWS account or accounts. To do this, you’ll likely need to provide them instructions for setting up an IAM user and group. See below.

Ensure minimum of AWS Business Support Plan

AWS provides a fantastic support platform and service. By signing up for AWS Business Support, you can ask AWS Support any question, day or night, and receive a response.

To sign up for business support, go to https://aws.amazon.com/premiumsupport/signup/. As you can see here, I created an AWS support ticket and have begun a chat with an AWS Support representative to get a problem resolved. Even if you’re an individual developer with your own AWS account, you’ll find tremendous value in being able to contact AWS at any time of the day.

Set up Programmatic Billing

Next, you’ll want to turn on Programmatic Billing. This stores your AWS billing data in JSON files in another S3 bucket, so that other services (including AWS itself) can analyze your spending and plot trends over time. We’ll be visiting those kinds of tools later on, but we want to enable programmatic billing now because (just like CloudTrail) it only generates data from the present — there’s no way to go back and generate historical data. By turning it on now, when we do start parsing that data for trends, you’ll have a good amount of data to go back through. Unlike CloudTrail, you’ll need to create the bucket and set its permissions yourself.

  1. Go to the S3 console and create a new bucket. (Since each bucket name must be globally unique, you might combine your company domain with -billing. We’ve named ours stelligent-blueprints-billing to keep with the theme.)
  2. Click the Create Bucket button and enter your unique bucket name.
  3. We’ll need to get a bucket permissions policy. Luckily, AWS will generate that for us at this page (we’ll need to flip back to the S3 page in a second, so open this in a new tab): https://portal.aws.amazon.com/gp/aws/developer/account?ie=UTF8&action=billing-preferences
  4. Select the Receive Billing Alerts checkbox
  5. Select the Receive Billing Reports checkbox
  6. Enter the bucket name you created in the earlier step (mine is stelligent-blueprints-billing). Click the Verify button. You’ll receive an error. Click on the sample policy link, copy the policy, paste it into the bucket policy under Properties | Permissions for your S3 bucket, and click Save.
  7. Go back to your Preferences page and select the checkboxes next to all the reports and click the Save preferences button.
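Once the reports start landing in the bucket, the point of collecting them is to look at the numbers over time. The script below is an added example (not Stelligent’s code, and not an AWS tool) of the kind of analysis those reports make possible: it totals spend per day and per service and flags any day whose spend jumps to more than twice the running average, which is how you notice a forgotten instance or a hijacked account before the monthly bill does. The line items are constructed sample data, and the `date`/`service`/`cost` field names are an assumption for the example rather than the exact AWS report schema.

```python
"""Summarize billing line items by day and by service, and flag days whose
spend jumps well above the running average.

Added example. The record shape (date, service, cost) is an assumption,
not the exact AWS billing report schema."""
import json
from collections import defaultdict
from statistics import mean

# Constructed sample line items (not real billing data), one JSON object per line.
SAMPLE_BILLING_JSON = """
{"date": "2014-03-01", "service": "AmazonEC2", "cost": 12.40}
{"date": "2014-03-01", "service": "AmazonS3",  "cost": 1.10}
{"date": "2014-03-02", "service": "AmazonEC2", "cost": 12.55}
{"date": "2014-03-02", "service": "AmazonS3",  "cost": 1.12}
{"date": "2014-03-03", "service": "AmazonEC2", "cost": 12.60}
{"date": "2014-03-03", "service": "AmazonS3",  "cost": 1.15}
{"date": "2014-03-04", "service": "AmazonEC2", "cost": 61.30}
{"date": "2014-03-04", "service": "AmazonS3",  "cost": 1.20}
"""


def parse_records(text):
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def daily_totals(records):
    """Total cost per date, returned in date order."""
    totals = defaultdict(float)
    for r in records:
        totals[r["date"]] += float(r["cost"])
    return dict(sorted(totals.items()))


def service_totals(records):
    """Total cost per service, largest first."""
    totals = defaultdict(float)
    for r in records:
        totals[r["service"]] += float(r["cost"])
    return dict(sorted(totals.items(), key=lambda kv: kv[1], reverse=True))


def flag_spikes(totals, factor=2.0, min_history=2):
    """Return (date, total, baseline) for each day whose total exceeds
    `factor` times the mean of all earlier days. The first `min_history`
    days only build the baseline and are never flagged."""
    flagged = []
    dates = list(totals)
    for i, day in enumerate(dates):
        if i < min_history:
            continue
        baseline = mean(totals[d] for d in dates[:i])
        if totals[day] > factor * baseline:
            flagged.append((day, round(totals[day], 2), round(baseline, 2)))
    return flagged


if __name__ == "__main__":
    records = parse_records(SAMPLE_BILLING_JSON)
    for day, total in daily_totals(records).items():
        print(f"{day}  {total:8.2f}")
    for service, total in service_totals(records).items():
        print(f"{service:<12} {total:8.2f}")
    for day, total, baseline in flag_spikes(daily_totals(records)):
        print(f"spike on {day}: {total:.2f} vs baseline {baseline:.2f}")
```

With the sample data the EC2 cost on the fourth day is roughly five times the previous days, so that day is reported as a spike; a real report would be fed in by reading the files AWS drops into the billing bucket instead of the embedded string.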

Set up AWS CloudTrail

First thing is to turn on CloudTrail. CloudTrail is basically logging for your AWS account. It will generate JSON files and store them in an S3 bucket every time an action is performed on the account. While we won’t be doing a lot with CloudTrail right away, we’re turning it on now because it’s not retroactive — you can only see logs after you’ve turned it on. So let’s turn it on first.

  1. Find the CloudTrail panel from the main AWS Console.
  2. Click the Get Started button and just enter the S3 Bucket name. (Note: the S3 bucket name has to be globally unique. One approach is to take the unique identifier you came up with before and append -cloudtrail to it. We’ve named our bucket stelligent-pmd-blueprints-cloudtrail.)
  3. Click OK and you’re done. You’ll also want to repeat these steps for all your AWS regions regardless of whether you’re using them, in case someone accesses your account in an unauthorized manner.

Configure IAM – users, groups and keys

A lot of new AWS users will start doing everything as the root account, which besides being a security risk, also poses some issues when you try to have multiple developers building solutions in your cloud. That’s why we strongly recommend setting up IAM users and roles from the beginning. We’re going to use the AWS Identity and Access Management (IAM) console. IAM allows you to create users, groups, and roles so that you can manage users and access to your AWS account. For the first section, we’ll only be creating one user (for you) and one group (Administrators) but as your usage of the cloud increases and you need to add more users, you’ll be able to control that from here.

  1. To create a new Administrators group, head to the IAM console.
  2. Click Create Group, and follow the prompts.
  3. We’ll name the group Administrators and give it Administrator access.

Now that we have an Administrators group, go to the Users panel and create a new user for yourself to log in as.

  • Sign in to the AWS account using the AWS ‘root’ account
  • Go to the IAM console
  • Click on Users
  • Click on the Create New Users button
  • Enter a unique username. Leave the Generate an access key for each User checkbox selected. Click the Create button.
  • Click on the Show User Security Credentials link
    • Copy the credentials to a new entry in an encrypted platform (e.g. PassPack or Google Drive) that can be shared with an individual user
  • Select the checkbox next to the user you just created.
  • Select the Security Credentials tab
  • Click on the Manage Password button.
  • Choose the Assign an auto-generated password radio button, click the Require user to create a new password at next sign-in checkbox and click the Apply button.
    • Copy the credentials to a new entry in an encrypted platform (e.g. PassPack or Google Drive) that can be shared with an individual user
  • With the username still selected, click on the Groups button and then the Add Users to Groups button. Select the appropriate group: the Administrators group created above (or a Developers group; if a suitable group hasn’t been created, create a new group with the appropriate policy and add the new user to it).

After each user logs in, you’ll want to require them to add a multi-factor authentication (MFA) device to their account. To add an MFA device:

  1. The user logs in and goes to the IAM console.
  2. Find their username
  3. Under the Security Credentials tab, select Manage MFA device.
  4. Then follow the steps to add your virtual MFA device to the account.

Having MFA set up for all accounts makes it far less likely that your AWS accounts will be compromised, keeping your data safe. It also makes it far less likely that your account will be used for malicious purposes (DDoS attacks, spam emails, etc.), which would at best increase your AWS bill and at worst get your entire account disabled. We strongly recommend enabling MFA for all user accounts.
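Checking the two policies from this section (one IAM user per person, and MFA on every account including root) by hand stops scaling as soon as you have more than a few users. IAM can produce a credential report for the whole account, which `aws iam generate-credential-report` and `aws iam get-credential-report` download as CSV. The script below is an added example (not Stelligent’s code) that audits such a report offline: it flags console users without MFA, a root account without MFA or with an active access key, and access keys that have gone unrotated for longer than a chosen limit. The report text is a constructed sample that uses a subset of the real report’s column names with invented values; the 90-day rotation limit and the reference date are assumptions for the example.

```python
"""Audit an IAM credential report for the practices described above:
every console user has MFA, root has MFA and no access keys, and access
keys get rotated.

Added example. The sample report is constructed (a subset of the real
report's columns, invented values); MAX_KEY_AGE is an assumed policy."""
import csv
import io
from datetime import datetime, timedelta

ROOT_USER = "<root_account>"        # how the credential report names the root account
MAX_KEY_AGE = timedelta(days=90)    # assumption: key rotation limit for this example

# Constructed sample report (values are invented; column names follow the report).
SAMPLE_CREDENTIAL_REPORT = """\
user,arn,user_creation_time,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2014-01-10T09:00:00+00:00,not_supported,false,true,2014-01-10T09:00:00+00:00,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2014-03-01T12:00:00+00:00,true,true,true,2014-03-01T12:00:00+00:00,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2014-03-02T12:00:00+00:00,true,false,false,N/A,false,N/A
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,2013-11-01T12:00:00+00:00,false,false,true,2013-11-01T12:00:00+00:00,false,N/A
"""


def parse_report(text):
    """One dict per user, keyed by the CSV header."""
    return list(csv.DictReader(io.StringIO(text)))


def parse_ts(value):
    """Report timestamps are ISO 8601; N/A, not_supported etc. mean 'absent'."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def audit(rows, now):
    """Return (user, problem) pairs; `now` is a timezone-aware datetime."""
    findings = []
    for row in rows:
        user = row["user"]
        is_root = user == ROOT_USER
        has_mfa = row["mfa_active"] == "true"
        if is_root and not has_mfa:
            findings.append((user, "root account has no MFA device"))
        if is_root and "true" in (row["access_key_1_active"], row["access_key_2_active"]):
            findings.append((user, "root account has an active access key"))
        # Console users (password enabled) must have MFA; API-only users are checked below.
        if not is_root and row["password_enabled"] == "true" and not has_mfa:
            findings.append((user, "console password enabled without MFA"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] == "true":
                rotated = parse_ts(row[f"access_key_{n}_last_rotated"])
                if rotated is not None and now - rotated > MAX_KEY_AGE:
                    findings.append((user, f"access key {n} older than {MAX_KEY_AGE.days} days"))
    return findings


def audit_text(text, now_iso):
    """Convenience wrapper: audit a report string against an ISO 8601 reference time."""
    return audit(parse_report(text), datetime.fromisoformat(now_iso))


if __name__ == "__main__":
    # Reference date is an assumption so the sample gives stable results.
    for user, problem in audit_text(SAMPLE_CREDENTIAL_REPORT, "2014-03-10T00:00:00+00:00"):
        print(f"{user:<15} {problem}")
```

Run against the sample, the root account is reported twice (no MFA, active key), bob once for a console password without MFA, and the API-only deploy-bot user once for a key that has not been rotated in over four months, while alice passes cleanly. The same function runs unchanged on the CSV the CLI downloads from a real account.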

Create IAM account alias

  • Go back to the IAM Dashboard and click on the Create Account Alias button. Give it a name that you will remember and bookmark the URL. Going forward, this will be referred to as the account alias.
  • In your browser, enter the URL you created in the previous Account Alias step. Enter the username and password you created in the previous step. You’re now logged in as a non-root IAM user. Use this user from now on.

Now that users are able to log in, we’ll need to give them a URL to do so. If you go to the main IAM console, you’ll find an IAM User Sign-In URL section. Remember the unique identifier you came up with for your CloudTrail and Programmatic Billing buckets? That’s probably a good option for your sign-in URL. Changing it is optional, though highly recommended.

Set up cost monitoring tools

Here’s an example of setting up the Cloudability cost monitoring tool. There are several cost-monitoring tools from which to choose.

https://support.cloudability.com/hc/en-us/articles/200312113-Enabling-Programmatic-Access-and-Cost-Allocation-at-AWS


Summary

  • Sign up for AWS
  • Ensure minimum of AWS Business Support Plan
  • Set up Programmatic Billing
  • Set up AWS CloudTrail
  • Configure IAM – users, groups and keys – best practices around security
  • Create IAM account alias
  • Set up cost monitoring tools
