<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Thomas Rauffenbart</title>
    <description>The latest articles on DEV Community by Thomas Rauffenbart (@thomasrauffenbart).</description>
    <link>https://dev.to/thomasrauffenbart</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F994335%2Fe675acfc-9b7f-4394-94fd-f354952a6e71.jpeg</url>
      <title>DEV Community: Thomas Rauffenbart</title>
      <link>https://dev.to/thomasrauffenbart</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/thomasrauffenbart"/>
    <language>en</language>
    <item>
      <title>Avoid Financial Ruin by Configuring Your AWS Account(s) Correctly as a Beginner</title>
      <dc:creator>Thomas Rauffenbart</dc:creator>
      <pubDate>Sat, 21 Jan 2023 22:02:10 +0000</pubDate>
      <link>https://dev.to/thomasrauffenbart/avoid-financial-ruin-by-configuring-your-aws-accounts-correctly-as-a-beginner-5184</link>
      <guid>https://dev.to/thomasrauffenbart/avoid-financial-ruin-by-configuring-your-aws-accounts-correctly-as-a-beginner-5184</guid>
      <description>&lt;h2&gt;
  
  
  Introduction
&lt;/h2&gt;

&lt;p&gt;Learning cloud computing hands-on is certainly the best way to learn for many people. No number of tutorials or how-to videos can teach you as much as building your own projects in an environment similar to what the pros use.&lt;/p&gt;

&lt;p&gt;Using your own personal account involves adding your own personal credit card, meaning that it is financially dangerous to operate in the cloud without understanding how to configure and protect your accounts. There are numerous stories about beginners mistakenly leaving expensive pay-as-you-go resources running or getting hacked, resulting in a huge bill at the end of the month. For example:&lt;/p&gt;


&lt;div class="ltag__reddit--container"&gt;
  &lt;div class="ltag__reddit--title-container"&gt;
    
      &lt;div class="ltag__reddit--title"&gt;
        &lt;h1&gt;
          &lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--bCqI7Yj---/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev.to/assets/reddit-icon-c6851eed10026b5707e2e8c814b5bbcbb4823de68d5b611a6f4b99c8beed6f05.svg" alt="Reddit Logo"&gt;
          &lt;a href="https://www.reddit.com/r/aws/comments/xcvmb6/aws_account_hacked_with_huge_bill_of_70000/" rel="noopener noreferrer"&gt;
            AWS account hacked with huge bill of ~$70,000
          &lt;/a&gt;
        &lt;/h1&gt;
        &lt;div class="ltag__reddit--post-metadata"&gt;
          &lt;span&gt;Sep 13 '22&lt;/span&gt;
          &lt;span&gt;Author: PictureSilent2072&lt;/span&gt;
        &lt;/div&gt;
      &lt;/div&gt;
    
  &lt;/div&gt;
  &lt;div class="ltag__reddit--body"&gt;
    
&lt;p&gt;Our AWS account with just an average usage of $10 got hacked 90 days back and got a huge bill of ~$70,000. There were several EC2 servers created and used by hackers. We started working with AWS support, secured the account and are now working with them to resolve the unauthorized billing issue for the last 80 days. AWS support came back…&lt;/p&gt;
    
  &lt;/div&gt;
  &lt;div class="ltag__reddit--btn--container"&gt;
    
      &lt;a href="https://www.reddit.com/r/aws/comments/xcvmb6/aws_account_hacked_with_huge_bill_of_70000/" rel="noopener noreferrer"&gt;See Full Post&lt;/a&gt;
    
  &lt;/div&gt;
&lt;/div&gt;


&lt;p&gt;I don't want that to happen to anyone, whether it be through one's own mistakes or bad actors getting into one's account.&lt;/p&gt;

&lt;h2&gt;
  
  
  General Account and Root Users
&lt;/h2&gt;

&lt;p&gt;Your AWS account is essentially a big container for you to create users that can operate AWS tools and resources.&lt;/p&gt;

&lt;p&gt;AWS users are individuals or entities that are granted access to an AWS account. Users can be granted different levels of access and permissions to different services and resources within the account. Starting out within your own account, you would manually create a user in the IAM console and grant it administrative access, then use that user to operate tools and resources.&lt;/p&gt;

&lt;p&gt;The root user of an AWS account is the initial user that is automatically created when the account is created. The root user has full access to all of the services and resources within the account, and can perform all actions and make all changes to the account. This user is the most privileged user in the account, and it is generally considered best practice to not use the root user for day-to-day tasks, and instead create and use IAM users for your day-to-day tasks.&lt;/p&gt;

&lt;p&gt;If a root user's credentials are compromised, an attacker could cause significant damage to the resources and services in the account, including running up a huge bill and deleting the account altogether.&lt;/p&gt;

&lt;p&gt;Additionally, if an action is performed by the root user, it cannot be traced back to a specific individual, making it more difficult to determine who is responsible for any changes or issues that may occur.&lt;/p&gt;

&lt;p&gt;To allow identities other than the root user to see the billing console, sign in as the root user, go to the account dropdown menu and scroll down to check the box under "IAM User and Role Access to Billing Information". Checking this box lets you see the costs you are incurring while signed in as your admin user, avoiding the need to sign in as the root user.&lt;/p&gt;

&lt;h2&gt;
  
  
  Budgets (Avoid the Big Bill)
&lt;/h2&gt;

&lt;p&gt;Once you set up your account with a user created in the IAM console, it is a good idea to add a budget alert in the AWS Budgets console. You can set a nominal amount of money that you are comfortable spending every month on AWS ($3 or less to start), and have AWS Budgets send you an alert when a certain threshold of your budget is met (e.g., if your budget is $3 and your alert is set to 50% of your budget, you will receive an alert when your costs hit $1.50 that month).&lt;/p&gt;

&lt;p&gt;Budget Alerts can be easily set up to be sent through email, although text integration is a bit more complicated. A great AWS beginner project could be to set up Budget Alerts to text you when a threshold is met. &lt;/p&gt;

&lt;p&gt;A common misconception about AWS Budgets alerts is that they will shut your cost-incurring resources down once 100% of your budget is used. This is not true, unless you configure &lt;a href="https://docs.aws.amazon.com/cost-management/latest/userguide/budgets-controls.html"&gt;&lt;strong&gt;Budget Actions&lt;/strong&gt;&lt;/a&gt;. Budget &lt;em&gt;Alerts&lt;/em&gt;, however, simply alert you as configured, and do not control the usage of resources in your AWS account.&lt;/p&gt;

&lt;h2&gt;
  
  
  Multi-Factor Authentication
&lt;/h2&gt;

&lt;p&gt;In accordance with best security practices in the cloud, all of your account users should be required to sign in using Multi-Factor Authentication. This can be set up under the "security credentials" button on the dropdown menu in the top right-hand corner of the console webpage.&lt;/p&gt;

&lt;p&gt;Scroll down to the widget titled "Multi-Factor authentication (MFA)" and set up your authenticator, using a third-party MFA application. I use Google Authenticator and it works very well for me.&lt;/p&gt;

&lt;h2&gt;
  
  
  The Importance of Having Multiple Accounts
&lt;/h2&gt;

&lt;p&gt;To understand and emulate many important cloud concepts and tools used in enterprise scenarios, you need to create multiple accounts. This is because businesses use multiple accounts for development, testing and production, and may choose to separate accounts for different teams within the company. Features and tools such as cross-account object access and CI/CD deployments require multiple accounts to replicate effectively in your personal environment. I have an initial account that I build and test in called my "dev" account and another that I finally deploy apps into called my "prod" account.&lt;/p&gt;

&lt;p&gt;To create another AWS account, you will need another email address. Thankfully, many popular email providers support the use of the "+" character to create a new, unique email address from your main email address. Some examples include:&lt;/p&gt;

&lt;p&gt;-Google: You can add a "+" sign followed by any string of characters before the "@" symbol in your email address. For example, if your email address is "&lt;a href="mailto:example@gmail.com"&gt;example@gmail.com&lt;/a&gt;", you could create a new email address by using "&lt;a href="mailto:example+prod@gmail.com"&gt;example+prod@gmail.com&lt;/a&gt;".&lt;/p&gt;

&lt;p&gt;-Yahoo: Similarly, you can add a "+" sign followed by any string of characters before the "@" symbol in your email address.&lt;/p&gt;

&lt;p&gt;-Microsoft: Outlook and Hotmail support this feature, using a "+" sign followed by any string of characters before the "@" symbol in your email address.&lt;/p&gt;

&lt;p&gt;Make sure you configure a non-root user, enable MFA and use a unique password on each account that you create.&lt;/p&gt;

&lt;h2&gt;
  
  
  Conclusion
&lt;/h2&gt;

&lt;p&gt;Starting your own AWS account is a great move toward learning cloud computing and building innovative applications using the uniquely powerful resource of the cloud. The combination of a lack of attention to the cloud's pay-as-you-go model and cunning cyber-criminals has caught quite a few people off guard with large bills, but you can avoid this issue by using billing alerts and configuring MFA.&lt;/p&gt;

&lt;p&gt;Good luck and cloud on!! :)&lt;/p&gt;

</description>
      <category>aws</category>
      <category>beginners</category>
      <category>tutorial</category>
      <category>devops</category>
    </item>
    <item>
      <title>Cloud Resumé CHALLENGE</title>
      <dc:creator>Thomas Rauffenbart</dc:creator>
      <pubDate>Thu, 22 Dec 2022 18:55:01 +0000</pubDate>
      <link>https://dev.to/thomasrauffenbart/cloud-resume-challenge-1jej</link>
      <guid>https://dev.to/thomasrauffenbart/cloud-resume-challenge-1jej</guid>
      <description>&lt;p&gt;After earning my AWS Solutions Architect Associate certification in November, 2022, I came across the Cloud Resume Challenge as a way to dive into the cloud and DevOps in a hands-on way. I knew that it would be difficult, but the challenge proved to be greater than I anticipated as a total programming newbie. Working in the CLI, with Python, SAM, GitHub Actions and JavaScript for the first time put a lot of learning on my plate that I am incredibly grateful for. &lt;/p&gt;

&lt;p&gt;A description of the challenge and its variations can be found here: &lt;a href="https://cloudresumechallenge.dev/docs/the-challenge/aws/" rel="noopener noreferrer"&gt;https://cloudresumechallenge.dev/docs/the-challenge/aws/&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Front End:
&lt;/h2&gt;

&lt;p&gt;I kept my front-end very bare bones regarding HTML and CSS, since UI/UX and web development are not a career path that I am aiming to go down, but I did my best to keep my resume relevant and my format as clean and easy to read as possible. I did much of my styling in HTML.&lt;/p&gt;

&lt;p&gt;The HTML and CSS documents were uploaded to an S3 bucket that was configured to host a static website and connected to a CloudFront distribution and Route 53 DNS service (where I bought my domain for $12).&lt;/p&gt;

&lt;p&gt;The biggest challenge with the front end was getting it to integrate with my backend code to display the "Visitor Counter" number at the bottom of the page. After many tries and hours of work, I was able to use a getElementById function to display the visitor count returned from my backend whenever the page is loaded.&lt;/p&gt;

&lt;p&gt;My biggest tip for this section is to &lt;strong&gt;host your HTML page locally while you make changes&lt;/strong&gt;, so you can see in real time how your webpage will look with the changes that you are making. It is extremely time-consuming and painful to make edits to an HTML index document, upload to S3, invalidate a CloudFront endpoint and reload the page just to find out that the formatting is off or your visitor count is not displaying :')&lt;/p&gt;

&lt;p&gt;I used npm, set up via the terminal CLI, to host my page locally.&lt;/p&gt;

&lt;h2&gt;
  
  
  Back End
&lt;/h2&gt;

&lt;p&gt;This is where the challenge really started for me and where 90% of my learning happened. The challenge called for using AWS SAM to deploy Infrastructure as Code for the serverless visitor counter using API Gateway, Lambda (with Python code), and a DynamoDB table.&lt;/p&gt;

&lt;p&gt;The SAM tool was not very easy to use and is apparently out of vogue in the world of DevOps and Cloud. I recommend that anyone doing the challenge use Terraform and the Cloud Development Kit instead. This will help you gain skills more relevant to the job market and (probably) save you some time.&lt;/p&gt;

&lt;p&gt;SAM would not deploy due to a small error in my YAML template which defined the Lambda, API and DynamoDB table. The tool did not tell me that this was the error and simply returned a "failedtocreatechangeset" message. The lack of feedback as to why my deployment was failing led to an extended period of problem solving on this step of the challenge. &lt;/p&gt;

&lt;p&gt;Hopefully documentation and instructions on the challenge are updated to guide users to use Terraform and CDK and discourage the usage of SAM, since it is no longer commonly used in the industry.&lt;/p&gt;

&lt;p&gt;I used SAM pipelines for the CI/CD pipelines. I found there to be a lack of an easy path to a multi-account deployment (utilizing my dev and prod accounts) with SAM pipelines. I deployed both stacks into my general account, and used a !Sub variable for the DynamoDB table name to avoid errors resulting from having 2 tables with the same name, which caused my Prod-stack to fail prior to adding the variable.&lt;/p&gt;

&lt;h2&gt;
  
  
  All in all...
&lt;/h2&gt;

&lt;p&gt;I want to give a shoutout to the Discord community associated with the project. I went to this community for guidance a couple of times when I was struggling with the challenge and they were helpful and encouraging in their responses. &lt;/p&gt;

&lt;p&gt;Credits to the challenge creator, Forrest Brazeal, &lt;/p&gt;

&lt;p&gt;and happy holidays to you all :)&lt;/p&gt;

&lt;p&gt;&lt;a href="https://thomasrauffenbartresume.com/" rel="noopener noreferrer"&gt;My Resume site&lt;/a&gt;&lt;/p&gt;

</description>
      <category>discuss</category>
      <category>saas</category>
    </item>
  </channel>
</rss>
