Check out a free preview of the full Enterprise DevOps & Cloud Infrastructure course:
The "AWS Setup" Lesson is part of the full, Enterprise DevOps & Cloud Infrastructure course featured in this preview video. Here's what you'd learn in this lesson:

Erik creates an IAM user and administrator group in Amazon Web Services (AWS) to ensure secure and organized access to AWS resources. Using an account other than the root account avoids security risks. Account aliases are also explained in this lesson.

Get Unlimited Access Now

Transcript from the "AWS Setup" Lesson

[00:00:00]
>> Now, the fun one, [LAUGH] we're gonna go to Amazon because we need to create Amazon keys, right? This is the last thing that we need to do to be able to make sure that our Terraform can run successfully. Okay, so I've got my credentials, I'm gonna go ahead and hit Sign in.

[00:00:16] One of the reasons why I signed in was cuz this is highly recommended. [LAUGH] There's a lot of people on the Internet who would love to get access to your Amazon account to make as many botnets as they possibly could, as well as other things. I highly recommend, if on any of these things, putting multifactor on Amazon account.

[00:00:38] It'll just make sure that you're as safe as possible, you don't have to be worried about people accidentally getting your account. Amazon is definitely one of the most attacked platforms. So it's just something to consider. Okay, cool, so now I have logged into my Amazon account. Is everyone here?

[00:00:54] Yeah, all good? Cool, okay, so what we're gonna do is we're gonna create a access key. But we're not gonna just create an access key, we're also gonna make sure that we have specific access. So here's a question, who here logged in with a root account? You logged in with your root account?

[00:01:17] Cool, who else here logged in with root, did all of you guys? Okay, let me do that, let me log in with my root account because that's what we wanna do. So I'm gonna go back here. If you look at the bottom, you'll notice that there's also an option that says Sign in using root user email.

[00:01:33] This option is for pretty much the main stakeholder or the main owner of the account, right? And so for me, this would be my email, Right, and then my password, it's that one, and then of course, my MFA. Okay, so the reason why we're logging into the root account is because, my cost went down, nice.

[00:01:58] The reason why we're logging into the root account is cuz we wanna make sure, just like we did with Terraform or any other service, that we set up good boundaries, essentially. Do not create resources with your root account. Do not do that, it's not a good idea. Nobody else can access that account but you, and you also don't want anyone else to access that account.

[00:02:23] The root account should basically be locked off, third partied away, or not third partied, two-factor off as much as possible away. And then what we do instead is we're gonna create user groups and users that are specific for logging in. So the first thing we're gonna do is we're gonna go to the top right-hand corner.

[00:02:47] I'm sorry, no, we're gonna go to IAM. Type IAM in the top search, type in IAM, and then navigate to the IAM page, okay? After we do that, we're actually gonna create a user group. Now, notice I have a user group here, but I'm gonna go ahead and create a new one.

[00:03:06] We'll call this one Administrators2. But realistically, this is your administrator's account. Like I said, always create groups, right? Here's a good example. At Hippo, when we decided to move from our old AWS accounts to the new ones, every user was manually put in. [LAUGH] Every single one of our users was manually put in.

[00:03:34] That meant that every user had their own ways of accessing things, their own policies that were added throughout the years, it was a mess. And so when we move to our new accounts, everybody got groups, everybody got added to those groups. And every previous permission of, but I used to be able to access S3 and prod, why can't they do it anymore is gone, right?

[00:03:56] Because you shouldn't be able to access prod and S3, you know what I mean? You should not be able to do that. So this is why these groups and teams are so valuable. However, since I'm just making an administrator, I'm just gonna scroll down. Again, disregard any of my existing groups, and then you'll see Attach permissions policies.

[00:04:16] What's nice about Amazon is they have a ton of really great permission sets that are already set up, that already kind of help you understand what you might want. And if you just type in Admin, you'll see a bunch of options related to administration of different parts of their infrastructure.

[00:04:34] So for example, if you had somebody managing API gateway, you could make them an API gateway admin, right? You don't have to worry about the rest of the account being exposed, right, things like that. In this case, we just want AdministratorsAccess, and this one is the good old star star.

[00:04:49] This is the most terrifying and most granting access you can have on Amazon, the double star. However, this does really make sure that if you're trying to create anything, manage anything, you're not gonna get blocked by it. So be aware of that, you are in God mode. We're going to click Create group.

[00:05:09] And bam, we have our now brand new created group. So now that we have our group, the next thing we wanna do is actually create a user. So then we go in, we click Create users, or Users, we click Create user, and we give it a name. Now, I normally just give it like myself, some people put in their email address.

[00:05:26] It's up to you, honestly. Doesn't have to be an email, it can be flippy flop. It doesn't matter. It's just whatever you wanna use to log in with, that's up to you. So in this case, I would do example. Now, before I move forward, what I wanna do is I wanna click Provide user access to AWS Management Console.

[00:05:46] The thing I'm logged into right now is the management console, right? So I wanna be able to let others like myself log into it as well. So I'm gonna click this, and then you'll notice that it says, hey, Are you providing console access to a person? This is new, but this is actually really nice new feature that Amazon has provided that we're not gonna use.

[00:06:05] [LAUGH] But it's essentially another layer of abstraction that they have now made for users identities. And so if you wanted to, you could actually create a user in what they call Identity Center. Homework for you guys. Take a look at it, explore it, I would recommend it. We're not gonna do that right now, though, we're just gonna create a normal IAM user.

[00:06:26] So I'm gonna click I want to create an IAM user. Now, it's up to you if you wanna autogenerate a password and then be asked to rechange it when you sign in. Or if you wanna uncheck that, and then just click Custom password and put in your own password.

[00:06:41] It's up to you, whichever you wanna do. In my case, I'm just gonna autogenerate cuz I'm not gonna use this account, and then I'm gonna click Next. Here's the group's part. This is why we created our group first, because if not, then I'd have to go Create group.

[00:06:57] I'd have to be pulled out of the flow, go back through the whole process, and then come back. So that's why we created our group first. We click on that Administrators2, hit Next. And then this is our Review and create, so we'll see User name, example, password, Autogenerated.

[00:07:13] I'm in the administrators account or administrator's group, and I hit Create user. Did anyone have any problems doing that? No, cool. Okay, so once you click Create user, you're at the point now where Amazon actually does some nice things for you. This used to not be done by the way.

[00:07:35] [LAUGH] They used to not do this, but I think they realized that people don't copy things well. And so what you can do is you have two options. The first thing is you can copy your console URL. So this is something I would note. This is something you're gonna need, so you can copy it and just create a new tab for that cuz that's what you're gonna wanna log in with.

[00:07:53] You'll notice that it prepopulates your account for you, which is nice. You will also notice, I got logged out, but you'll also notice that your password was there, too, right? So you can save your credentials, you can copy your password. But realistically, you wanna get to where I am now, which is you wanna log out, right?

[00:08:12] So we've created our account, you wanna log out because we wanna log into the account we just created, right? Now, again, I'm not gonna use that account, I'm gonna use my other account. So I'm gonna go in here, just gonna autofill that, but again, you'll use your credentials, and then you'll log in with that account.

[00:08:42] Cool, I'm actually gonna delete the example user cuz I don't need it. Now, what you'll notice is because I'm an admin, I can even go in and delete users, right? So there's really not much we did here from a security standpoint, except for just give myself a separate account to log in that isn't the root account, right?

[00:09:05] So again, it's really important to note that it's still a complete admin-based account. It's just a separate one from the root account so that that doesn't get compromised.
>> What would the account alias be?
>> The account alias would be your organization name. Yeah, I believe. So you see where it says e.reinert@.

[00:09:30] Wait.
>> Yeah, otherwise, you just get an account ID number.
>> Okay, gotcha. [LAUGH] All good? So this is why we do this first [LAUGH] so we don't have to deal with it again later. How close are we until our next break?
>> I mean, pretty much anytime the next ten minutes.

[00:10:04] Yeah, if you wanna get through this and then we can-
>> Yeah.
>> Take the break and go around. If anybody needs to get the last couple of steps done or caught up, we can take time for that.
>> Perfect, yeah, I was about to say, after this, it's just coding.

[00:10:15] [LAUGH] So yeah, this is, hands down, one of the most difficult parts of this whole thing, so [LAUGH] bear with me. Were you able to get in?
>> I've had to get back into my root user to look at what I named the thing because I didn't save that piece.

[00:10:33]
>> Gotcha, no worries, I'll give you a second here. Is there any questions, by the way? Chat, do you guys have any questions for me, anything you wanna argue with me about for the next few minutes? [LAUGH] We can do that. Gosh, I just opened up, that was a bad idea.

[00:10:58] [LAUGH] And if you guys have any questions as well, feel free to ask.
>> So it should be the user group that it's assigned to?
>> Yes, it should be assigned to the administrator user group, yeah.
>> So Terraform is gonna run as this user that we created?

[00:11:18]
>> Yeah, it's gonna run on that account for now, yeah.
>> Would it be somewhat safer to have it as suma role?
>> Remember that we already made the decision that we're gonna do star star. So if you wanna do it in this account or you wanna do it in another account, maybe for your org, don't do it in your own personal account, that'd be a good idea, yeah.

[00:11:41] But for personal stuff, yeah, it's up to you. It's a good call, that's a very good call. Yeah, again, the only real difference here is just the account cuz it's still the same level. I would say if you wanted to restrict, then yeah, absolutely, you know what I mean?

[00:11:56] There are some limitations with this approach, the first and most important one is Kubernetes. So when you create a Kubernetes cluster, the identity of the IAM user you create it with is actually the only person that can connect to the cluster. They don't really have an easy way of working around that.

[00:12:14] So if you create, say you do have a Terraform user and you create your cluster in Terraform Cloud, right, then the only thing that can access that cluster is the thing in Terraform Cloud. And so in that scenario, then you actually have to take that key, right, connect to the cluster with it and then inject other users that can access to that, yeah.

[00:12:34] Now, if you look in the top right-hand corner, you'll see that mine says ALTF4LLC. So if you go to IAM, So go to IAM, it's in the most obvious place. If you look right here, there's a little option that says Account Alias. And you can actually change this to whatever you want.

[00:12:54]
>> Yeah, what tripped me up actually was in the top right drop-down, it lists the ID with hyphens, and I copy-pasted that.
>> Yep.
>> And is it just needs to be the numbers?
>> Yeah.
>> Yeah, I literally clipboarded that and it brought the hyphens with, which is-

[00:13:10]
>> Weird.
>> Kind of an anti-pattern.
>> That is a big anti-pattern, yeah. I would recommend making an alias just to make it easier so you don't have to remember that. That's why I just made ALTF4LLC for me. So I would recommend that, yeah.