AWS From Scratch 03 - Account Setup

Recap

In AWS From Scratch 01 and 02, you created a new AWS account, created an Organization to manage your account, and created an administrative user. You have followed the recommended best practices for creating accounts and users so far.
Now you will continue following best practices by configuring your management account, and then add a sandbox account to work on project development.

Management Account

The management account should only be used to manage the organization and member accounts. It should not contain workloads or resources used by workloads (databases, files, etc.).

Customizing the AWS access portal URL

When you log in using your non-root administrative user, you use the access portal URL that was created when you enabled IAM Identity Center.
The URL contains numbers and letters and is not easy to remember (which is why you were asked to bookmark it).
To change the URL into something more meaningful, log in as the admin user and go to the "IAM Identity Center" console.
Make sure you have the dashboard tab selected. In the dashboard screen you can see the URL that is currently used to log in. To change the URL, click on the "Customize" button.
Think of a word or phrase that you would like to use to access your portal (I chose aws-from-sractch), then type it into the form and click the "Save" button.
Notice that when you return to the dashboard, the "AWS access portal URL" has been updated using the subdomain name you typed in. Update your login bookmark! From now on you can use this URL to log in.

Change Account Settings 

One of the most confusing things about AWS is having the wrong region selected, so that you can't find the resource you are looking for, or you accidentally create a resource in the wrong region.
To help with this, I find it useful to set a default region every time I create a new account.
To set your default region, click on your username at the top right and click on "Settings" in the drop-down menu.
This will take you to the "Unified Settings" screen.
Click the "Edit" button in the "Localization and default Region" section to change the default region.
Choose your default language and region, then click "Save settings".
This will take you back to the "Unified Settings" page. If you prefer dark mode, you can click the "Edit" button in the "Display" section and enable this feature as well.

CloudTrail

CloudTrail logs management events. By default it maintains a 90-day history of these events for free. If you have a large organization that needs to keep these logs for auditing, you can configure "CloudTrail Lake" and/or "Trails" to build a data lake that retains all logs indefinitely.
For now, make sure you are logged in with your administrator account and that the correct region is displayed in the upper right, then type "cloudtrail" into the search bar to locate and then open the "CloudTrail" console.
This will bring up the "CloudTrail" management console.
Click the hamburger (3 horizontal lines) at the upper left to display the CloudTrail menu.
Click on "Event history" to view all management events during the past 90 days.
CloudTrail is free and enabled by default on all newly created accounts. You will only be charged if you decide to keep logs longer than 90 days.
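The 90-day "Event history" is enough to check the rule stated above: the management account should only manage the organization, not run workloads. The script below is an added example (not from the original post) that reads records in the shape of a CloudTrail event history export and flags calls to services outside the management plane; the allowed-service list and the sample events are constructed assumptions for the demonstration.

```python
"""Flag CloudTrail events in the management account that look like workload
activity rather than organization management. Added example, not from the
original post; the service list and sample records are constructed."""

# Services the management account is expected to call: Organizations, IAM
# Identity Center (sso*), CloudTrail itself, IAM/STS and console sign-in.
# Anything else suggests a workload running where it should not be.
MANAGEMENT_SERVICES = {
    "organizations.amazonaws.com", "sso.amazonaws.com",
    "sso-directory.amazonaws.com", "cloudtrail.amazonaws.com",
    "iam.amazonaws.com", "sts.amazonaws.com", "signin.amazonaws.com",
}

# Constructed actor ARN (placeholder account id) for the sample records.
ADMIN = "arn:aws:sts::111111111111:assumed-role/AWSReservedSSO_AdministratorAccess_0000/admin"

# Constructed records in the shape of the CloudTrail "Event history" export.
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "organizations.amazonaws.com",
     "eventName": "CreateAccount", "userIdentity": {"arn": ADMIN}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "sso.amazonaws.com",
     "eventName": "CreateAccountAssignment", "userIdentity": {"arn": ADMIN}},
    {"eventTime": "2024-05-02T09:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "userIdentity": {"arn": ADMIN}},
    {"eventTime": "2024-05-02T09:10:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "CreateBucket", "userIdentity": {"arn": ADMIN}},
    {"eventTime": "2024-05-03T08:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "userIdentity": {"arn": ADMIN}},
]


def find_workload_events(events, allowed=MANAGEMENT_SERVICES):
    """Return one finding per event whose service is outside the management
    plane. Read-only calls (Describe*/List*/Get*) get lower severity than
    calls that create resources in the management account."""
    findings = []
    for ev in events:
        if ev["eventSource"] in allowed:
            continue
        action = ev["eventName"]
        read_only = action.startswith(("Describe", "List", "Get"))
        findings.append({
            "time": ev["eventTime"],
            "service": ev["eventSource"].split(".")[0],
            "action": action,
            "actor": ev["userIdentity"].get("arn", "unknown"),
            "severity": "info" if read_only else "high",
        })
    return findings
```

Run it against the JSON you download from "Event history" (or from a trail) to confirm the management account has stayed management-only; the two Organizations and Identity Center calls are expected, the EC2 and S3 calls are not.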

Your First Non Management Account

You've learned a lot about best practices so far. You know that the management account is special and should only be used to manage the organization and logging.
To start using AWS services you should create a sandbox account with access to all AWS has to offer. Once you figure out a product or workload to create, consider creating additional accounts for development and production.

The Sandbox

Login as the administrative user to the management account.
Type "aws organizations" in the search bar at the top and select "AWS Organizations".
This will take you to the "AWS Organizations" console.
Make sure you are on the "AWS accounts" page, then click the "Add an AWS account" button.
Type in "Sandbox" for the account name. You must use a different email address for the account owner, since every AWS account needs its own unique email. Leave the IAM role name as "OrganizationAccountAccessRole", which is the default when creating new accounts.
Once the form is complete click the "Create AWS account" button to continue.
Refresh your screen a few times until the account creation is complete.
The Organizational structure should now be updated with your new Sandbox account. Next you will have to give a user account access to this new account.

Grant Access to the Sandbox

Just like we did for the management account and admin user, you will need to create a permission set that can access the sandbox, then you will need to assign that permission set to a user.
If you are a small company with more than one user, you might want to have one human responsible for organization administration and another human responsible for AWS development.

Assign a user to Sandbox

Since this new account is a sandbox, you should create an administrative permission set so that the person using this set of permissions will be free to do anything and use any service available in AWS to experiment with.
Login as the admin user to the management account, make sure you are in the correct region, then type "IAM Identity Center" in the search bar to open the console.
Choose "AWS accounts" from the menu on the left.
In the "AWS accounts" display you can see that the management account has one permission set called "AdministratorAccess", and that the new Sandbox account doesn't have any permission sets.
Click on the checkbox to the left of "Sandbox", and then click the "Assign users or groups" button.
Make sure the "Users" tab is selected, then click the checkbox next to the username for the admin user, and then click "Next".
Click the checkbox to the left of the "AdministratorAccess" permission set to assign this set of permissions to the user we selected in the previous step, then click "Next".
In the review screen, you will see that we have selected a single user and assigned that user the "AdministratorAccess" permission set for the account "Sandbox". Click "Submit".
For a few seconds a notice on your screen will appear letting you know that AWS is applying the changes you requested. You will then be taken back to the accounts screen, where you can see that your changes have been applied.

Test the Sandbox

Log out of the console by clicking your name at the upper right hand corner and clicking the "Sign out" button.
Use the bookmark you created to log in with the administrative user.
You now see that there are two accounts listed. This is because the administrative user has access to at least one permission set in both accounts.
If you click on the icon and then click on each account, you should see something like this:

Click on "Management console" under Sandbox to log in to the sandbox account.
Navigate to Account settings and modify the default region for the sandbox account in the same way you did for the management account.

Using the Sandbox

From now on, use the sandbox to explore AWS. Only log in to the management account when you need to manage the organization, add or remove accounts, etc.