Introduction
Deciding to learn cloud computing hands-on is, for many people, the best way to learn. No number of tutorials or how-to videos can teach you as much as building your own projects in an environment similar to the one professionals use.
Using your own personal account means adding your own credit card, so it is financially dangerous to operate in the cloud without understanding how to configure and protect your accounts. There are numerous stories of beginners mistakenly leaving expensive pay-as-you-go resources running, or getting hacked, and receiving a huge bill at the end of the month. For example:
Our AWS account with just an average usage of $10 got hacked 90 days back and got a huge bill of ~$70,000. There were several EC2 servers created and used by hackers. We started working with AWS support, secured the account and are now working with them to resolve the unauthorized billing issue for the last 80 days. AWS support came back…
I don't want that to happen to anyone, whether it be through one's own mistakes or bad actors getting into your account.
General Account and Root Users
Your AWS account is essentially a big container for you to create users that can operate AWS tools and resources.
AWS users are individuals or entities that are granted access to an AWS account. Users can be granted different levels of access and permissions to different services and resources within the account. Starting out in your own account, you would manually create a user in the IAM console and grant it administrative access, so that you can operate tools and resources with that user instead of the root user.
The root user of an AWS account is the initial user that is automatically created when the account is created. The root user has full access to all of the services and resources within the account, and can perform all actions and make all changes to the account. This user is the most privileged user in the account, and it is generally considered best practice to not use the root user for day-to-day tasks, and instead create and use IAM users for your day-to-day tasks.
If a root user's credentials are compromised, an attacker could cause significant damage to the resources and services in the account, including running up a huge bill and deleting the account altogether.
Additionally, if an action is performed by the root user, it cannot be traced back to a specific individual, making it more difficult to determine who is responsible for any changes or issues that may occur.
To allow identities other than the root user to see the billing console, sign in as the root user, open the account dropdown menu and scroll down to the "IAM User and Role Access to Billing Information" setting, then check the box to allow access. Checking this box lets you see the costs you are incurring while signed in as your admin user, avoiding the need to sign in as root.
Budgets (Avoid the Big Bill)
Once you have set up your account with a user created in the IAM console, it is a good idea to add a budget alert in the AWS Budgets console. You can set a nominal amount of money that you are comfortable spending on AWS every month ($3 or less to start), and have Budgets send you an alert when a certain threshold of your budget is met (e.g. if your budget is $3 and your alert is set to 50% of your budget, you will receive an alert when your costs reach $1.50 that month).
Budget Alerts can easily be set up to be sent by email, although text-message integration is more involved. A great AWS beginner project would be to set up Budget Alerts to text you when a threshold is met.
A common misconception about AWS Budgets alerts is that they will shut down your cost-incurring resources once 100% of your budget is used. This is not true unless you configure Budget Actions. Budget Alerts on their own simply notify you as configured; they do not control the usage of resources in your AWS account.
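As an added example (not code from the post), here is how the $3 monthly budget with a 50% alert described above can be created through the AWS Budgets API from Python. The account id and email address are placeholders, and boto3 is only needed for the real call at the bottom; the request bodies are the same ones `aws budgets create-budget` takes from JSON files.

```python
"""Create an AWS Budgets cost alert: $3/month, email at 50% ($1.50)."""
from decimal import Decimal


def budget_request(name, monthly_limit_usd):
    """Request body for budgets:CreateBudget - a monthly COST budget."""
    return {
        "BudgetName": name,
        "BudgetLimit": {"Amount": str(Decimal(monthly_limit_usd)), "Unit": "USD"},
        "TimeUnit": "MONTHLY",
        "BudgetType": "COST",
    }


def alert_subscription(threshold_pct, email):
    """One notification on ACTUAL spend, as a percentage of the limit, sent by email.
    Alerts only notify; stopping resources needs Budget Actions."""
    if not 0 < threshold_pct <= 100:
        raise ValueError("PERCENTAGE thresholds must be in (0, 100]")
    return {
        "Notification": {
            "NotificationType": "ACTUAL",
            "ComparisonOperator": "GREATER_THAN",
            "Threshold": threshold_pct,
            "ThresholdType": "PERCENTAGE",
        },
        "Subscribers": [{"SubscriptionType": "EMAIL", "Address": email}],
    }


def alert_fires_at(monthly_limit_usd, threshold_pct):
    """Dollar amount of actual spend at which the alert is sent."""
    return Decimal(monthly_limit_usd) * Decimal(threshold_pct) / Decimal(100)


def create_budget(client, account_id, name, monthly_limit_usd, threshold_pct, email):
    """Submit the budget; `client` is a boto3 'budgets' client (or a test double)."""
    return client.create_budget(
        AccountId=account_id,
        Budget=budget_request(name, monthly_limit_usd),
        NotificationsWithSubscribers=[alert_subscription(threshold_pct, email)],
    )


if __name__ == "__main__":
    import boto3  # only required for the real API call

    # Placeholder account id and address: replace with your own.
    create_budget(boto3.client("budgets", region_name="us-east-1"), "123456789012",
                  "monthly-learning-budget", 3, 50, "you+dev@example.com")
```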
Multi-Factor Authentication
In accordance with cloud security best practices, all of your account's users should be required to sign in using Multi-Factor Authentication. This can be set up under the "security credentials" item of the dropdown menu in the top right-hand corner of the console webpage.
Scroll down to the widget titled "Multi-Factor authentication (MFA)" and set up your authenticator using a third-party MFA application. I use Google Authenticator and it works very well for me.
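Enrolling your own device is one step; requiring MFA of every IAM user in the account is another. As an added example (not from the post), the following builds the IAM policy AWS documents for that purpose: a Deny on everything except the calls needed to enrol an MFA device, applied when no MFA is present. Attaching it to the group your IAM users belong to is assumed; the evaluator models only this one statement, not full IAM evaluation.

```python
"""IAM policy that forces MFA: deny all but MFA-enrolment calls when MFA is absent."""
import json
from fnmatch import fnmatch

# Calls a user must still be able to make before their first MFA-backed login.
MFA_SETUP_ACTIONS = [
    "iam:CreateVirtualMFADevice", "iam:EnableMFADevice", "iam:GetUser",
    "iam:ListMFADevices", "iam:ListVirtualMFADevices",
    "iam:ResyncMFADevice", "sts:GetSessionToken",
]


def require_mfa_policy():
    """Policy document; attach to the IAM group holding your day-to-day users."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyAllExceptListedIfNoMFA",
            "Effect": "Deny",
            "NotAction": MFA_SETUP_ACTIONS,
            "Resource": "*",
            # BoolIfExists also matches when the key is absent, e.g. a plain
            # long-term access key used from the CLI, so those are denied too.
            "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
        }],
    }


def denied_by_policy(action, mfa_present):
    """True if the statement above blocks `action`.
    mfa_present: True (MFA session), False (no MFA), or None (key absent)."""
    stmt = require_mfa_policy()["Statement"][0]
    if mfa_present is True:  # condition does not match; Deny is not applied
        return False
    return not any(fnmatch(action, pattern) for pattern in stmt["NotAction"])


def policy_json():
    """JSON text ready to paste into the IAM console or pass to create-policy."""
    return json.dumps(require_mfa_policy(), indent=2)
```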
The Importance of Having Multiple Accounts
To understand and emulate many important cloud concepts and tools used in enterprise scenarios, you need to create multiple accounts. Businesses use separate accounts for development, testing and production, and may also use separate accounts for different teams within the company. Replicating features and tools such as cross-account object access and CI/CD deployments in your personal environment requires multiple accounts. I have an initial account that I build and test in called my "dev" account and another that I finally deploy apps into called my "prod" account.
To create another AWS account, you will need another email address. Thankfully, many popular email providers support the "+" character for creating a new, unique address from your main email address. Some examples include:
- Google: You can add a "+" sign followed by any string of characters before the "@" symbol in your email address. For example, if your email address is "example@gmail.com", you could create a new email address by using "example+prod@gmail.com".
- Yahoo: Similarly, you can add a "+" sign followed by any string of characters before the "@" symbol in your email address.
- Microsoft: Outlook and Hotmail support this feature, using a "+" sign followed by any string of characters before the "@" symbol in your email address.
Make sure you configure a non-root user and MFA, and use a unique password, on each account that you create.
Conclusion
Starting your own AWS account is a great step toward learning cloud computing and building innovative applications with the uniquely powerful resources of the cloud. The combination of inattention to the cloud's pay-as-you-go model and cunning cyber-criminals has caught quite a few people off guard with large bills, but you can avoid this by configuring billing alerts and MFA.
Good luck and cloud on!! :)