A properly configured AWS account is the foundation of every cloud project. This guide walks through account creation, security hardening, CLI setup, and cost controls — the steps professionals complete before deploying any workload.

Create Your AWS Account

  1. Visit https://aws.amazon.com and click Create an AWS Account
  2. Enter email, password, and account name (use a dedicated email address for the account, not a personal one, where possible)
  3. Provide payment information — the Free Tier covers many services for 12 months
  4. Verify identity via phone or SMS
  5. Select a support plan — Basic (Free) is sufficient for learning

After creation, sign in as root only for account-level tasks (billing, account closure). Everything else uses IAM.

Secure the Root Account

The root user has unrestricted access. Treat root credentials like a safe-deposit key.

# Root security checklist (Console steps):
# 1. IAM → Dashboard → "Add MFA for root user" (also reachable from the root user menu → Security credentials)
# 2. Use a hardware MFA (YubiKey) or an authenticator app; not SMS for production
# 3. Delete (or at least deactivate) root access keys if any exist; root should never have keys
# 4. Store the root password in a password manager, never in code or a shared document
Action                   Why
Enable MFA               Prevents account takeover even if the password leaks
No access keys on root   Keys in code repos are a top breach vector
Dedicated email          Easier to audit and rotate credentials

Create an IAM Admin User

Never use root for daily development or operations.

  1. Sign in as root → IAM → Users → Create user
  2. User name: admin-yourname
  3. Enable Provide user access to the AWS Management Console
  4. Attach policy: AdministratorAccess (learning only — restrict in production)
  5. Require password reset on first login
  6. Enable MFA on this user before storing credentials
# Create the admin user via CLI. Run this from an existing admin identity;
# do not create root access keys just to run it (see the root checklist).
aws iam create-user --user-name admin-simon

aws iam attach-user-policy \
    --user-name admin-simon \
    --policy-arn arn:aws:iam::aws:policy/AdministratorAccess

# Create console login profile. A password passed on the command line ends up
# in shell history; use a throwaway value and hand it over out of band.
aws iam create-login-profile \
    --user-name admin-simon \
    --password 'TempPassword123!' \
    --password-reset-required

Install and Configure AWS CLI v2

The CLI is essential for automation, scripting, and learning service APIs.

# macOS
brew install awscli

# Linux (x86_64)
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o awscliv2.zip
unzip awscliv2.zip && sudo ./aws/install

# Verify installation
aws --version
# aws-cli/2.x.x Python/3.x.x ...

Configure a named profile for your admin user:

aws configure --profile admin
# AWS Access Key ID: AKIA...
# AWS Secret Access Key: ...
# Default region name: us-east-1
# Default output format: json

# Use the profile
export AWS_PROFILE=admin
aws sts get-caller-identity

Multiple Profiles

# ~/.aws/credentials
[default]
aws_access_key_id = AKIA...
aws_secret_access_key = ...

[staging]
aws_access_key_id = AKIA...
aws_secret_access_key = ...

# ~/.aws/config (note the "profile " prefix for every section except default)
[profile staging]
region = eu-west-1
output = json

Verify Access

aws sts get-caller-identity
# {
#     "UserId": "AIDAXXXXXXXXXXXXXXXX",
#     "Account": "123456789012",
#     "Arn": "arn:aws:iam::123456789012:user/admin-simon"
# }

# Test read-only calls: list your buckets, then the enabled regions
aws s3 ls
aws ec2 describe-regions --output table

Set Up Billing Alerts

Surprise bills are the #1 beginner pain point. Configure alerts before launching resources.

# Create an SNS topic for billing alerts (note the TopicArn in the output)
aws sns create-topic --name billing-alerts

# Subscribe your email (confirm via the link AWS sends; use the TopicArn from above)
aws sns subscribe \
    --topic-arn arn:aws:sns:us-east-1:123456789012:billing-alerts \
    --protocol email \
    --notification-endpoint you@example.com

# Create a budget (Console: AWS Budgets → Create budget)
# Recommended thresholds: $10, $50, $100, or 50%, 80%, 100% of expected spend

Note: The CloudWatch billing metric (namespace AWS/Billing, metric EstimatedCharges) is published only in us-east-1, regardless of where your workloads run, and only after "Receive Billing Alerts" is enabled under Billing preferences in the console. AWS Budgets itself is a global service and needs no region.
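The budget step above is described for the console only. The script below is an added example, not code from the original guide: it defines the same monthly cost budget and an 80% actual-spend notification as JSON for aws budgets create-budget, and adds a CloudWatch alarm on EstimatedCharges in us-east-1 as a second, independent tripwire. The account ID 123456789012, the billing-alerts topic ARN, the 50 USD limit and the address you@example.com are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the original guide): monthly cost budget with an
# 80% actual-spend notification, plus a CloudWatch alarm on EstimatedCharges.
# Assumed placeholders: account ID, SNS topic ARN, 50 USD limit, email address.
set -eu

ACCOUNT_ID="${ACCOUNT_ID:-123456789012}"
TOPIC_ARN="${TOPIC_ARN:-arn:aws:sns:us-east-1:${ACCOUNT_ID}:billing-alerts}"
EMAIL="${EMAIL:-you@example.com}"

# Budget definition for `aws budgets create-budget --budget`.
# $1 = budget name, $2 = monthly limit in USD
budget_json() {
  printf '{"BudgetName":"%s","BudgetLimit":{"Amount":"%s","Unit":"USD"},"TimeUnit":"MONTHLY","BudgetType":"COST"}' "$1" "$2"
}

# Notification list for `--notifications-with-subscribers`: fire when ACTUAL
# spend exceeds $1 percent of the limit; deliver to email $2 and SNS topic $3.
notifications_json() {
  printf '[{"Notification":{"NotificationType":"ACTUAL","ComparisonOperator":"GREATER_THAN","Threshold":%s,"ThresholdType":"PERCENTAGE"},"Subscribers":[{"SubscriptionType":"EMAIL","Address":"%s"},{"SubscriptionType":"SNS","Address":"%s"}]}]' "$1" "$2" "$3"
}

apply() {
  # Budgets is a global service; no --region is needed.
  aws budgets create-budget \
      --account-id "$ACCOUNT_ID" \
      --budget "$(budget_json monthly-cost 50)" \
      --notifications-with-subscribers "$(notifications_json 80 "$EMAIL" "$TOPIC_ARN")"

  # EstimatedCharges exists only in us-east-1 and only once "Receive Billing
  # Alerts" is enabled in Billing preferences. Billing data updates a few
  # times a day, so a 6-hour period with Maximum is enough.
  aws cloudwatch put-metric-alarm \
      --region us-east-1 \
      --alarm-name estimated-charges-over-50-usd \
      --namespace AWS/Billing \
      --metric-name EstimatedCharges \
      --dimensions Name=Currency,Value=USD \
      --statistic Maximum \
      --period 21600 \
      --evaluation-periods 1 \
      --threshold 50 \
      --comparison-operator GreaterThanThreshold \
      --alarm-actions "$TOPIC_ARN"
}

# Run with --apply to create the resources. Without it the script only
# defines the helpers, so you can print and inspect the JSON first:
#   budget_json monthly-cost 50
if [ "${1:-}" = "--apply" ]; then apply; fi
```

Keep the SNS subscriber on the budget as well as the email: the email goes to one inbox, while the topic can later fan out to chat or a paging tool without touching the budget again.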

AWS Free Tier Overview

Service      Free Tier (12 months)              Always Free
EC2          750 hrs/month t2/t3.micro          -
S3           5 GB standard storage              5 GB (limited)
RDS          750 hrs/month db.t2/db.t3.micro    -
Lambda       -                                  1M requests/month
CloudWatch   -                                  10 custom metrics

Always check AWS Free Tier page — limits change. Set AWS Budgets even on Free Tier.

Enable CloudTrail (Audit Logging)

# Create a trail (Console recommended for first setup). The S3 bucket must
# already exist and carry a bucket policy that lets cloudtrail.amazonaws.com
# write to it; otherwise create-trail fails with InsufficientS3BucketPolicyException.
aws cloudtrail create-trail \
    --name management-events \
    --s3-bucket-name my-cloudtrail-logs-unique-name \
    --is-multi-region-trail

aws cloudtrail start-logging --name management-events

CloudTrail records API calls — invaluable for security audits and debugging “who changed this?”
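The create-trail call above only works once the bucket and its policy exist. The following is an added example, not code from the original guide: it builds the bucket policy CloudTrail requires, locks the bucket down, creates the trail with log file validation, and shows the lookup-events query that answers "who changed this?". The account ID 123456789012, bucket name, region us-east-1 and trail name are assumed placeholders taken from the page's own examples.

```shell
#!/bin/sh
# Added example (not from the original guide): CloudTrail log bucket, bucket
# policy, multi-region trail with log file validation, and a "who changed
# this?" query. Assumed placeholders: account ID, bucket, region, trail name.
set -eu

ACCOUNT_ID="${ACCOUNT_ID:-123456789012}"
BUCKET="${BUCKET:-my-cloudtrail-logs-unique-name}"
TRAIL="${TRAIL:-management-events}"
REGION="${REGION:-us-east-1}"

# Bucket policy: CloudTrail must read the bucket ACL and write objects under
# AWSLogs/<account>/ with bucket-owner-full-control. The aws:SourceArn
# condition stops a trail in another account from writing into this bucket.
# $1 = bucket, $2 = account ID, $3 = region, $4 = trail name
trail_bucket_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSCloudTrailAclCheck",
      "Effect": "Allow",
      "Principal": {"Service": "cloudtrail.amazonaws.com"},
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::$1",
      "Condition": {"StringEquals": {"aws:SourceArn": "arn:aws:cloudtrail:$3:$2:trail/$4"}}
    },
    {
      "Sid": "AWSCloudTrailWrite",
      "Effect": "Allow",
      "Principal": {"Service": "cloudtrail.amazonaws.com"},
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::$1/AWSLogs/$2/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control",
          "aws:SourceArn": "arn:aws:cloudtrail:$3:$2:trail/$4"
        }
      }
    }
  ]
}
EOF
}

apply() {
  # Outside us-east-1, create-bucket also needs
  # --create-bucket-configuration LocationConstraint=$REGION
  aws s3api create-bucket --bucket "$BUCKET" --region "$REGION"
  aws s3api put-public-access-block --bucket "$BUCKET" \
      --public-access-block-configuration \
      BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true
  aws s3api put-bucket-policy --bucket "$BUCKET" \
      --policy "$(trail_bucket_policy "$BUCKET" "$ACCOUNT_ID" "$REGION" "$TRAIL")"

  # Log file validation writes signed digest files, so tampering with
  # delivered logs can be detected later with `aws cloudtrail validate-logs`.
  aws cloudtrail create-trail --name "$TRAIL" --s3-bucket-name "$BUCKET" \
      --is-multi-region-trail --enable-log-file-validation
  aws cloudtrail start-logging --name "$TRAIL"
  aws cloudtrail get-trail-status --name "$TRAIL" --query IsLogging
}

# "Who changed this?": the last 10 management events that touched a resource.
# $1 = resource name, e.g. an IAM user name or a security group ID
who_changed() {
  aws cloudtrail lookup-events \
      --lookup-attributes AttributeKey=ResourceName,AttributeValue="$1" \
      --max-results 10 \
      --query 'Events[].[EventTime,EventName,Username]' --output table
}

# Run with --apply to create the bucket and trail; afterwards, for example:
#   who_changed admin-simon
if [ "${1:-}" = "--apply" ]; then apply; fi
```

lookup-events only covers the last 90 days of management events; for anything older, or for data events, query the delivered log files in the bucket (Athena is the usual tool).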

Real-World Scenario: Team Onboarding

A startup with three developers:

  1. One AWS account (or AWS Organizations with separate dev/staging/prod accounts)
  2. IAM Identity Center (SSO) instead of long-lived access keys per developer
  3. Permission sets: DeveloperReadOnly, DeveloperFullAccess (dev account only), Admin
  4. Mandatory MFA via IAM policy condition "aws:MultiFactorAuthPresent": "true"

Common Mistakes

  1. Sharing root credentials with teammates — use IAM users or SSO
  2. Committing access keys to Git — use .gitignore, environment variables, or AWS Secrets Manager
  3. Skipping MFA — takes 2 minutes, prevents catastrophic breaches
  4. Wrong default region: us-east-1 has the most services; for production, choose based on user location
  5. No billing alerts — set them on day one
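Mistake 2 (committing access keys) is cheap to catch mechanically. The script below is an added example, not code from the original guide: a scanner for AWS access key IDs that can be dropped into .git/hooks/pre-commit. It matches the key ID (prefix AKIA for long-term keys, ASIA for temporary ones, followed by 16 uppercase alphanumerics) rather than the 40-character secret, which has no fixed prefix and would produce false positives. The sample files are constructed for the demonstration, and the key ID in them is the one used in AWS documentation, not a real key.

```shell
#!/bin/sh
# Added example (not from the original guide): refuse commits that contain
# AWS access key IDs. Sample files below are constructed; the key ID is the
# AWS documentation example, not a real credential.
set -eu

# AWS access key ID: AKIA (long-term) or ASIA (temporary) + 16 uppercase alphanumerics
KEY_ID_RE='(AKIA|ASIA)[0-9A-Z]{16}'

# Scan the files given as arguments. Prints each hit as file:line:text and
# returns 1 when anything matched, 0 on a clean run.
scan_for_keys() {
  found=0
  for f in "$@"; do
    if grep -nHE "$KEY_ID_RE" "$f"; then
      found=1
    fi
  done
  return "$found"
}

# Pre-commit form: check only the lines being added in this commit, so an
# old leak in history does not block every later commit by itself.
# Install by copying this file to .git/hooks/pre-commit and appending:
#   pre_commit_hook
pre_commit_hook() {
  if git diff --cached -U0 | grep -nE "^\+.*$KEY_ID_RE"; then
    echo "Commit blocked: AWS access key ID in staged changes" >&2
    return 1
  fi
}

# Demonstration with constructed files
demo_dir="$(mktemp -d)"
printf 'aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n' > "$demo_dir/leaked.env"
printf 'region = us-east-1\n' > "$demo_dir/clean.cfg"
if scan_for_keys "$demo_dir/leaked.env" "$demo_dir/clean.cfg"; then
  echo "clean"
else
  echo "Commit blocked: access key ID found" >&2
fi
rm -rf "$demo_dir"
```

A hook is a seatbelt, not a substitute for the advice above: keep keys out of the repository entirely, and if one does land in a commit, treat it as leaked and rotate it in IAM rather than just rewriting history.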

Troubleshooting

Error                           Cause                          Solution
Unable to locate credentials    CLI not configured             Run aws configure or set AWS_PROFILE
AccessDeniedException           Insufficient IAM permissions   Attach the required policy or use the admin user
InvalidClientTokenId            Wrong or revoked access key    Generate new keys in the IAM console
MFA required but not provided   Account policy enforces MFA    Call aws sts get-session-token with --serial-number and --token-code, then use the returned temporary credentials
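The onboarding scenario's MFA condition and the last troubleshooting row are two sides of one mechanism. The script below is an added example, not code from the original guide: it shows the deny-unless-MFA policy in the form AWS documents (a Deny with BoolIfExists, rather than the Allow-with-Bool form quoted in the scenario), and the CLI steps that satisfy it by minting MFA-backed temporary credentials. The group name developers, the policy name RequireMFA and the MFA device ARN arn:aws:iam::123456789012:mfa/admin-simon are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the original guide): enforce MFA with an IAM policy
# and satisfy it from the CLI. Assumed placeholders: group "developers",
# policy "RequireMFA", MFA device ARN arn:aws:iam::123456789012:mfa/admin-simon.
set -eu

# Deny-unless-MFA policy. BoolIfExists is the important part: a request made
# with long-term access keys carries no aws:MultiFactorAuthPresent key at all,
# and a plain Bool test on a missing key does not match, so the deny would be
# skipped. The NotAction list leaves a new user able to enrol a device and
# call GetSessionToken, so MFA can be bootstrapped without an admin.
mfa_required_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAllExceptMfaSetupIfNoMfa",
      "Effect": "Deny",
      "NotAction": [
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:GetUser",
        "iam:ListMFADevices",
        "iam:ListVirtualMFADevices",
        "iam:ResyncMFADevice",
        "sts:GetSessionToken"
      ],
      "Resource": "*",
      "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}
    }
  ]
}
EOF
}

# Create the policy as a customer managed policy and attach it to a group.
apply() {
  arn="$(aws iam create-policy --policy-name RequireMFA \
           --policy-document "$(mfa_required_policy)" \
           --query Policy.Arn --output text)"
  aws iam attach-group-policy --group-name developers --policy-arn "$arn"
}

# Mint MFA-backed temporary credentials (12 hours) and print export lines.
# $1 = MFA device ARN, $2 = current 6-digit code. Usage:
#   eval "$(mfa_session arn:aws:iam::123456789012:mfa/admin-simon 123456)"
# Requests made with these credentials carry aws:MultiFactorAuthPresent=true.
mfa_session() {
  aws sts get-session-token \
      --serial-number "$1" --token-code "$2" --duration-seconds 43200 \
      --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
      --output text |
  { read -r key secret token
    printf 'export AWS_ACCESS_KEY_ID=%s\n' "$key"
    printf 'export AWS_SECRET_ACCESS_KEY=%s\n' "$secret"
    printf 'export AWS_SESSION_TOKEN=%s\n' "$token"; }
}

# Run with --apply to create and attach the policy.
if [ "${1:-}" = "--apply" ]; then apply; fi
```

For role-based profiles the CLI can prompt for the code itself: add mfa_serial = arn:aws:iam::123456789012:mfa/admin-simon next to role_arn and source_profile in ~/.aws/config and the assume-role call will ask for the token. Either way, the long-term key alone stops being enough, which is the point of the policy.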

Best Practices Summary

  • Root account: MFA only, no daily use, no access keys
  • IAM users/roles: least privilege, MFA, rotate keys every 90 days
  • CLI: named profiles, never hardcode credentials
  • Billing: alerts + budgets from day one
  • Audit: CloudTrail enabled in all regions
  • Tags: apply Environment, Owner, Project from the first resource

Next: IAM and Security Basics.