Cloud computing and storage services are becoming an essential for many businesses. As a more versatile and easier to scale option than on-premise solutions, their demand has noticeably increased. As businesses look toward these solutions, developers must grow and adapt. Students or professionals without much AWS experience can broaden their skillset by playing around with these platforms. Luckily for this demographic (myself included), the three main cloud providers—-Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure—-all offer free tiers to get started learning and experimenting.
These services are much different than what’s learned in the sometimes archaic education system, so they can be confusing and easy to get wrong when learning. The goal for this article is to demonstrate how to set up a personal-use Amazon Web Services account according to some best practices for Identity and Access Management (IAM). This will be targeted at students and professionals without much AWS experience, and should be about a 10 minute read (although you’re encouraged to try things out yourself). Learning how to properly setup and authenticate your work in the cloud is important for three reasons: 1) to mitigate any opportunities to compromise yourself, your work, your billing information, or other sensitive data, 2) to mitigate any opportunities to mess up and get frustrated, and 3) it’s always good to follow best practices!
If you’re just getting started working with cloud services or are looking to begin, I think this article presents a good first or second step. I recommend following the tips at the bottom as soon as you feel ready!
For me, one of the most difficult aspects of learning how to use cloud services was hurdling over the increase in vocabulary. Many terms are polysemous with other developer terms and appear to be drawn together from a variety of computing subdisciplines. Quickly, I’ll introduce some key terms which you should be familiar with as you endeavour into space.
The first key to securing your AWS account and ensuring your permissions won’t allow you or others to intentionally, or otherwise, compromise your account, is to follow the least privileges model. Under this mindset, we only assign permissions as they’re needed. This ensures no user is too privileged, to the point where they may accidentally harm the account.
Most importantly, make sure that you set up a non-root user. You’ll almost never want to use the root user. Instead, here I’ll guide you to setting up an Administrator user. Administrator accounts don’t get to access things like billing information and cost management, although they can do things like manage users and groups which less powerful users cannot.
To add an administrator user to your personal AWS account, navigate to your AWS home, where you’ll see an option to add a user. Name your new user
Administrator or something like it. I assume you’re working through the console, but may later want to set up the AWS command line tools, so check off programmatic and AWS Management Console access. Choose to set a password later (if you set one now you’ll still have to reset it later). We’ll create a new group of users called
Administrators and select the
AdministratorAccess policy. Skip the Tags section and review what you’ve done. There will be a link in the success box which, upon clicking, will log out the root user and prompt you to log in under a new user. Your username is
Administrator (or whatever you chose) and the password was that which was generated.
My second tip is to set up Multi-Factor Authentication (MFA). This is an added layer of protection from anyone unwanted accessing your account, which becomes more important your projects and work scale up. For students at UC San Diego, we’ve become accustomed to using Duo Security as a two-factor authentication system. With Duo, when you log in with your username and password, you’ll also be prompted for an authentication response within the app.
To set up MFA, navigate to your AWS IAM home, where there will be an accordion of security credential options. Select to activate MFA, and choose
Virtual MFA Device. Open Duo, scan the QR code, and enter in the authentication keys. Done!
That’s it for this post, but I encourage you go on and explore the IAM aspect of AWS further, especially in regards to the policies and roles that may be set. Once we begin setting up services like Lambda and DynamoDB, it will be important to only allow the bare minimum of what they need to access.