In my ongoing startup infrastructure series, I began by securing the most critical part of any AWS account: the root user and access management layer.
This first step is simple, but extremely important: lock down root access and establish a proper identity system.
A complete hands-on version of this setup is also available in the GitHub repo:
https://github.com/skysea-devops/startup-aws-infra-setup-guide/tree/main
Why This Setup Is Important
This setup is aligned with AWS best practices, particularly the AWS Well-Architected Framework principles:
https://docs.aws.amazon.com/wellarchitected/latest/framework/welcome.html
The root account in AWS has unlimited permissions. If compromised, everything is exposed: infrastructure, data, billing, and even account ownership.
At the same time, poorly managed access (shared credentials, no MFA, direct IAM users) becomes chaos very quickly in a growing startup.
So the goal of Day 1 is clear:
- Secure root access
- Eliminate risky login patterns
- Establish scalable access control via IAM Identity Center (SSO)
Step 1 — Enable MFA on Root Account
The very first thing you should do after creating your AWS account is to enable Multi-Factor Authentication (MFA).
Avoid relying only on passwords. MFA ensures that even if your credentials leak, your account remains protected.
Setup Flow
- Go to: Account → Security Credentials → MFA → Assign MFA
- Choose Authenticator app
- Scan QR code with your phone
- Enter two consecutive codes
Once completed, AWS will confirm:
“You have successfully assigned this virtual MFA device.”
At this point, your root account is significantly more secure.
Important Rule
Never use the root account for daily operations.
Use it only for:
- Billing
- Account-level changes
- Emergency recovery
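A quick way to verify the root-account rules above on a live account is to read the IAM account summary. This is an added example, not code from the original post or its GitHub repo; it assumes boto3 is installed, credentials with the iam:GetAccountSummary permission, and the post's model in which people get access through IAM Identity Center rather than direct IAM users.

```python
"""Audit the Day-1 root invariants from the IAM GetAccountSummary response."""


def audit_account_summary(summary: dict) -> list:
    """Return findings for a SummaryMap dict as returned by iam:GetAccountSummary.

    The keys checked (AccountMFAEnabled, AccountAccessKeysPresent,
    AccountSigningCertificatesPresent, Users) are real SummaryMap fields.
    """
    findings = []
    if summary.get("AccountMFAEnabled", 0) != 1:
        findings.append("root MFA is not enabled")
    if summary.get("AccountAccessKeysPresent", 0) != 0:
        # Root should only be used for billing, account changes and recovery,
        # never programmatically, so no root access keys should exist.
        findings.append("root access keys exist; delete them")
    if summary.get("AccountSigningCertificatesPresent", 0) != 0:
        findings.append("root X.509 signing certificates exist; delete them")
    users = summary.get("Users", 0)
    if users > 0:
        # Assumption from the post: humans log in via IAM Identity Center,
        # so direct IAM users should not be accumulating.
        findings.append(f"{users} IAM user(s) exist; move them to IAM Identity Center")
    return findings


def audit_live_account() -> list:
    """Fetch the summary from AWS and run the checks (needs credentials)."""
    import boto3  # imported here so audit_account_summary runs without boto3

    summary = boto3.client("iam").get_account_summary()["SummaryMap"]
    return audit_account_summary(summary)


if __name__ == "__main__":
    for finding in audit_live_account() or ["no findings: root looks locked down"]:
        print(finding)
```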
Step 2 — Enable IAM Identity Center (SSO)
After securing root, the next step is eliminating direct IAM user access and moving to a centralized identity system.
AWS provides this via: IAM Identity Center (formerly AWS SSO)
Instead of creating IAM users, sharing credentials across team members, and manually managing passwords, you can adopt a much more structured and secure approach.
By using IAM Identity Center, you gain centralized access control, a seamless SSO login experience, built-in MFA enforcement, and a cleaner, more scalable DevOps workflow overall.
Search in AWS Console:
IAM Identity Center → Enable
At this stage, AWS gives you two options for enabling IAM Identity Center:
- Account instance (single account)
- Organization instance (recommended)
Since I’m building this setup for a startup with scalability in mind, I chose:
Enable with AWS Organizations
You must choose a region.
Recommended:
- eu-west-1
- us-east-1
This choice is not easily changeable later, so pick carefully.
Encryption (KMS)
Under Advanced Configuration, AWS asks:
Key for encrypting IAM Identity Center data at rest
You have two options:
- Use AWS owned key (recommended for most startups)
- Use a custom KMS key (advanced)
For now, I selected:
Use AWS owned key
Reason:
- Simpler setup
- No key management overhead
- Fully secure for standard use cases
You can always migrate to a custom KMS later if needed.
Step 3 — Create Permission Sets
At this stage, IAM Identity Center is enabled, but no one has access yet. Before creating users, you need to define what kind of access they will have.
This is done through Permission Sets. Think of these as role templates.
Navigate to:
IAM Identity Center → Permission sets → Create permission set
Name | Policy | Use Case
Admin | AdministratorAccess | Founders / Infra
PowerUser | PowerUserAccess | DevOps / Engineers
Admin Permission Set
- Full access to all AWS services
- Should be limited to very few users
- Used for infrastructure ownership
PowerUser Permission Set
- Broad access to services
- Cannot manage IAM
- Ideal for developers and DevOps engineers
Step 4 — Create Your First User
IAM Identity Center → Users → Add user
Define:
- Username
- Email address
- First & last name
AWS will send an invitation email for first-time login.
Step 5 — Assign Access
This is where everything connects. You now link:
User → AWS Account → Permission Set
Navigate:
IAM Identity Center → AWS Accounts → Assign users or groups
Assignment Flow
- Select AWS Account
- Select User (or Group)
- Choose Permission Set
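The permission-set, user and assignment steps above can be scripted as one bootstrap. This is an added example, not code from the original post or its repo; it assumes boto3, credentials allowed to call sso-admin and identitystore, an already enabled Identity Center instance, and a hypothetical account id and user supplied at the bottom. The two clients are passed in as parameters so the flow can be dry-run against fakes.

```python
"""Bootstrap IAM Identity Center: two permission sets, one user, one assignment."""

# Managed policies from the permission-set table in the post.
PERMISSION_SETS = {
    "Admin": "arn:aws:iam::aws:policy/AdministratorAccess",
    "PowerUser": "arn:aws:iam::aws:policy/PowerUserAccess",
}


def bootstrap_access(sso_admin, identitystore, account_id: str, username: str,
                     email: str, given: str, family: str, permission_set: str) -> dict:
    """Create the permission sets, the first user, and link user -> account -> set."""
    inst = sso_admin.list_instances()["Instances"][0]
    instance_arn, store_id = inst["InstanceArn"], inst["IdentityStoreId"]

    ps_arns = {}
    for name, policy_arn in PERMISSION_SETS.items():
        ps_arn = sso_admin.create_permission_set(
            InstanceArn=instance_arn, Name=name,
        )["PermissionSet"]["PermissionSetArn"]
        sso_admin.attach_managed_policy_to_permission_set(
            InstanceArn=instance_arn, PermissionSetArn=ps_arn, ManagedPolicyArn=policy_arn,
        )
        ps_arns[name] = ps_arn

    # Username, email and first/last name, as in the "Add user" console form.
    user_id = identitystore.create_user(
        IdentityStoreId=store_id, UserName=username, DisplayName=f"{given} {family}",
        Name={"GivenName": given, "FamilyName": family},
        Emails=[{"Value": email, "Primary": True}],
    )["UserId"]

    # Assignment flow: account + user + permission set.
    sso_admin.create_account_assignment(
        InstanceArn=instance_arn, TargetId=account_id, TargetType="AWS_ACCOUNT",
        PermissionSetArn=ps_arns[permission_set], PrincipalType="USER", PrincipalId=user_id,
    )
    return {"permission_sets": ps_arns, "user_id": user_id}


if __name__ == "__main__":
    import boto3  # imported here so the function can be exercised with fake clients

    # Hypothetical account id and user; replace with your own values.
    print(bootstrap_access(boto3.client("sso-admin"), boto3.client("identitystore"),
                           "123456789012", "jane", "jane@example.com",
                           "Jane", "Doe", "PowerUser"))
```

Run it with the region chosen when Identity Center was enabled, and keep the Admin set for the founders only; most engineers should receive PowerUser.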
Step 6 — Enforce MFA for All Users
Even though root MFA is enabled, you must also enforce MFA for all SSO users, because it:
- Protects against credential leaks
- Applies the same security standard across the whole team
- Is standard best practice for any production setup
Navigate to:
IAM Identity Center → Settings → Authentication → Require MFA
Access Portal Login:
Users will log in through a centralized access portal provided by AWS, using a unique URL such as https://xxxx.awsapps.com/start. This portal acts as the single entry point for all users, where they authenticate with their credentials and complete MFA verification before accessing their assigned AWS accounts and roles.
After logging in through the Access Portal URL, users are presented with a centralized dashboard where they can see all AWS accounts and roles assigned to them.
At this point, the AWS account is no longer a single-user environment but a structured, secure, and scalable access system. This foundation is critical before provisioning any infrastructure.