The First Things You Should Do After Creating an AWS Account – 2019 Edition (translated)

2021.08.14

This article was published more than a year ago. Please note that the information may be out of date.

About

This is a translation of the following article:

The First Things You Should Do After Creating an AWS Account - 2019 Edition (translated)

Introduction

This is Nakayama (Nobu).

About four years ago, I posted a slide deck on the same theme as the title of this article, but some of the content had become old or did not cover newer services, so I have put it together again. It's also 2019 now!

Here's the slide at that time (about two years before I joined Class Method).

The first thing you should do after creating an AWS account

  • Sign up
    1. (For business use) Sign up with a non-personal email address
    2. Check your support plan
  • ID management / Permission management
    1. Enable CloudTrail
    2. Configure MFA settings for the root account
    3. Create IAM User / IAM Group
    4. Configure password policy
    5. Enable GuardDuty
    6. Enable Security Hub
  • Billing
    1. Allow IAM User access to billing information
    2. Change payment currency
    3. Configure Budget
    4. Enable Cost Explorer
    5. Output Cost Usage Report
    6. Configure Cost Allocation Tags
  • Others
    1. Configure alternative contact info
    2. Configure Trusted Advisor notification settings
    3. Enable Config
    4. Event monitoring with Personal Health Dashboard
    5. Check available regions
    6. [New] Change Governing Law/Jurisdiction by Artifact

Revision History

  • 2019.05.20 Added a section on changing the governing law/jurisdiction via Artifact (thanks to id:Kil for the comment on Hatena Bookmark (Hateb)).

1. (For business use) Sign up with a non-personal email address

Even though the title says "after creating an AWS account", I'll start with the signup process itself.

When you create an AWS account, you will need the following information:

  • Email address
  • Credit card information
  • Phone number that can be used to verify your identity (voice call or SMS)

Of these, the email address should not be a personal one, but rather a mailing list (distribution address) that is received by several trusted members, kept to a limited group.

Immediately after signing up, the only principal that can operate the AWS account is the root account, whose ID is this email address. The basic idea is to operate the AWS account through IAM Users etc., as described below, but some tasks can only be performed by the root account.

AWS Tasks That Require AWS Account Root User Credentials

If you create the account with a personal email address and that person leaves the company, nobody can log in as the root account and the tasks above can no longer be performed. Privileges are a problem when everyone has them, but they are also a problem when only one person has them.

2. Check your support plan

When you sign up, you can choose your support plan. Each plan has different response times for inquiries, so choose the plan that matches your business requirements.

Compare AWS Support Plans

3. Enable CloudTrail

From here, we will introduce security-related matters. First, let's enable CloudTrail.

CloudTrail is a service that collects operation logs for AWS APIs.

What Is AWS CloudTrail?

By enabling CloudTrail, you can see "who" did "what" to your AWS account, and "when". Examples of the actual log files are in the documentation:

CloudTrail Log File Examples

This makes it possible to respond to audits and investigate the cause of problems when they occur (e.g., identify erroneous operations). It will also serve as a deterrent against internal fraud.

However, be careful when granting permissions so that CloudTrail cannot be disabled and its logs cannot be altered or deleted. Also note that not all services/actions are supported.

CloudTrail Supported Services and Integrations

CloudTrail Unsupported Services

Also set things up so that the logs can be searched and analyzed when needed. Personally, I think the CloudTrail console is sufficient in many cases, but consider Athena queries or CloudWatch Logs Insights if you need more.

Querying AWS CloudTrail Logs

Sample Queries (Queries for CloudTrail Logs)
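As an added example (not part of the original article or of any AWS tooling), here is a small Python script that pulls the "who / when / what" view out of a CloudTrail log file and flags the records a defender reviews first: root-user activity and CloudTrail API calls that would stop the trail or change what it records. The records are constructed; the field names follow the CloudTrail record layout, while the account ID, user names and IP addresses are made up.

```python
"""'Who / when / what' from a CloudTrail log file, plus flags for root-user
activity and calls that disable or alter the trail. Added example; records
are constructed (real CloudTrail field names, made-up account id/names/IPs)."""
import json
from datetime import datetime, timezone

# Constructed CloudTrail log file: {"Records": [...]} as delivered to S3.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2019-05-19T01:02:03Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2019-05-19T01:10:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}},
    {"eventTime": "2019-05-19T02:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketPolicy", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::111122223333:user/alice"}},
]})

# CloudTrail management calls that stop the trail or alter what it captures.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}

def summarise(record):
    """Return (who, when, what, source_ip) for one record."""
    ident = record["userIdentity"]
    # Root records carry no userName, so fall back to the ARN.
    who = ident.get("userName") or ident.get("arn") or ident["type"]
    when = datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
    what = record["eventSource"].split(".")[0] + ":" + record["eventName"]
    return who, when.replace(tzinfo=timezone.utc), what, record.get("sourceIPAddress")

def review(log_text):
    """Parse a log file; return ([summaries], [(record index, reason)])."""
    records = json.loads(log_text)["Records"]
    findings = []
    for i, r in enumerate(records):
        if r["userIdentity"]["type"] == "Root":
            findings.append((i, "root user activity"))
        if r["eventSource"] == "cloudtrail.amazonaws.com" and r["eventName"] in TRAIL_TAMPERING:
            findings.append((i, "trail tampering: " + r["eventName"]))
    return [summarise(r) for r in records], findings

if __name__ == "__main__":
    summaries, findings = review(SAMPLE_LOG)
    for who, when, what, ip in summaries:
        print(f"{when.isoformat()}  {who:<40} {what}  from {ip}")
    for i, reason in findings:
        print(f"record {i}: {reason}")
```

The same logic can be run over real log files downloaded from the trail's S3 bucket, one JSON file at a time.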

4. Configure MFA settings for the root account

Let's configure MFA settings for the root account.

The root account can perform any operation on your AWS account and this privilege cannot be reduced. Therefore, you need to add an authentication factor to protect it from being hijacked. Either a device compliant with RFC 6238 (Time-based One-Time Password) or a U2F security key can be used.

Enable MFA on the AWS Account Root User

If you forget your password, you can reset it using the email address you set when you signed up, but what about MFA? If you lose your MFA device or key, you can reset it using the email address and phone number set in your account.

What If an MFA Device Is Lost or Stops Working?

To prepare for this situation, make sure the email address and phone number registered on the account remain reachable.

5. Create an IAM User / IAM Group

Let's create an IAM User that will be assigned to members who will be building and operating in AWS. Also, let's create an IAM Group to grant permissions to the IAM User.

As already mentioned, you cannot restrict the privileges of the root account. Also, if you share the root account, you will not be able to identify "who" performed the operation even if you save the log with CloudTrail.

For this reason, issue an IAM User to each individual who operates the AWS account.

Create Individual IAM Users

In addition to that, create an IAM Group to grant permissions to the IAM User. You can grant privileges to the IAM User by granting privileges to the IAM Group and making the IAM User a member of the IAM Group. You can also grant permissions directly to IAM Users, but this becomes more difficult to manage as the number of IAM Users increases.

Use Groups to Assign Permissions to IAM Users

The next step is to grant permissions to the IAM Group, which should in principle be the minimum necessary. However, it is hard to define strict permissions right from the start, so I think the best place to begin is the managed policies predefined by AWS.

Grant Least Privilege

Get Started Using Permissions With AWS Managed Policies

You should also enable MFA for IAM Users with strong permissions.

Enable MFA for Privileged Users

The topics above are covered in the IAM Best Practices, so refer to them as needed.

6. Configure the password policy

Change your password policy to reduce the risk of your password being guessed.

The password policy allows you to specify the type of characters that must be included in the password, as well as the length and expiration date of the password.

Setting an Account Password Policy for IAM Users

Configure a Strong Password Policy for Your Users

Increasingly, regular password rotation is no longer recommended, but in that case it is important to take appropriate compensating measures, such as adding an authentication factor like OTP and not reusing passwords.

Secure Password Management

7. Enable GuardDuty

GuardDuty is a service that detects/notifies you of suspicious activity in your AWS account.

It can detect suspicious activity from the following data sources:

  • AWS CloudTrail event logs
  • VPC Flow Logs
  • DNS logs

Please refer to the following document for the events that can be detected.

GuardDuty Active Finding Types

You can also receive notifications of detected findings via CloudWatch Events.

Monitoring Amazon GuardDuty Findings with Amazon CloudWatch Events

8. Enable Security Hub

Security Hub is in preview as of May 19, 2019.

Note by translator: AWS Security Hub became generally available on June 24, 2019.

Security Hub is a service that allows you to view the aggregate security status of your AWS account. It aggregates events from GuardDuty, Inspector, and Macie, and also shows risks based on the CIS AWS Foundations Benchmark.

It will show you any suspicious activity or problematic settings (and omissions) in one place, so you should enable it.

Setting Up AWS Security Hub

9. Allow IAM User access to billing information

This section is all about costs/billing.

First, we need to allow IAM Users to access cost information. By default, only the root account has access to cost information.

It is important to allow this since cost management is an important regular task.

Granting Access to Your Billing Information and Tools

10. Change Payment Currency

In the past, charges to the registered credit card were always made in US dollars (with the exchange rate determined by the credit card company). Now you can choose from multiple currencies. By choosing Japanese yen, you can save the equivalent of the card issuer's foreign currency handling fee.

As a reminder, AWS fees are still dollar-based. The amount billed in Japanese yen itself is determined by the exchange rate at the time of billing (the exchange rate to be applied is determined by AWS).

Changing Which Currency You Use to Pay Your Bill

11. Configure Budget

Budget is a service to monitor the cost of your AWS account.

You can be notified when a predetermined cost is reached or is forecast to be reached. You can also monitor usage alone for some billable items (such as data transfer volume).

Monitor your monthly budget to make sure you don't exceed it.

Managing Your Costs with Budgets

12. Enable Cost Explorer

Cost Explorer is a service that allows you to visualize and analyze your AWS usage. You can check the cost of each service and the monthly cost trend. In addition, it can show you the recent recommendations for reserved instances.

Accessing Reserved Instance Recommendations

However, it is disabled by default, so you should enable it when you create your account.

Enabling Cost Explorer

13. Output Cost Usage Report

Cost Explorer is sufficient for simple cost analysis, but if you want to perform more detailed analysis, you should output a Cost Usage Report.

Normally, the report is output to S3 in CSV format (GZIP compressed). If you specify integration with Athena, it is output in Parquet instead.

Creating an AWS Cost and Usage Report

14. Configure Cost Allocation Tags

When analyzing costs in detail, there may be cases where you want to analyze them from a unique perspective. In this case, you can enable cost allocation tags.

There are two types of cost allocation tags: AWS-generated tags and user-defined tags. Use user-defined tags if you want to analyze costs from your own perspective. Before activating user-defined cost allocation tags, create the tag keys and apply them to your resources in advance.

Activating the AWS-Generated Cost Allocation Tags

Activating User-Defined Cost Allocation Tags
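Sections 13 and 14 come together when you actually read a report. As an added example (not part of the original article), the Python below decompresses a GZIP-compressed CSV Cost and Usage Report, totals cost per service, and totals cost per a user-defined cost allocation tag, reporting untagged line items separately so tagging gaps are visible. The report is constructed; the column names follow the CUR convention (lineItem/ProductCode, lineItem/UnblendedCost, resourceTags/user:<TagKey>), while the tag key "Project" and all values are made up.

```python
"""Aggregate a Cost and Usage Report by service and by a user-defined cost
allocation tag. Added example; the CUR is constructed. Column names follow
the CUR convention, the 'Project' tag key and all values are made up."""
import csv
import gzip
import io
from collections import defaultdict

# A CUR is delivered to S3 as GZIP-compressed CSV; build one in memory.
CUR_CSV = """\
identity/LineItemId,lineItem/UsageStartDate,lineItem/ProductCode,lineItem/UnblendedCost,resourceTags/user:Project
a1,2019-05-01T00:00:00Z,AmazonEC2,12.50,web
a2,2019-05-01T00:00:00Z,AmazonEC2,3.25,batch
a3,2019-05-01T00:00:00Z,AmazonS3,0.80,web
a4,2019-05-01T00:00:00Z,AmazonRDS,9.00,
a5,2019-05-01T01:00:00Z,AmazonEC2,12.50,web
"""
CUR_GZ = gzip.compress(CUR_CSV.encode())

def load_cur(gz_bytes):
    """Decompress and parse a CUR file into a list of row dicts."""
    with gzip.open(io.BytesIO(gz_bytes), "rt", newline="") as fh:
        return list(csv.DictReader(fh))

def cost_by(rows, column, untagged="(untagged)"):
    """Sum lineItem/UnblendedCost grouped by `column`. Rows with an empty
    value (e.g. a resource tagged after the tag was activated, or never
    tagged) are reported under `untagged` so the gap is visible."""
    totals = defaultdict(float)
    for row in rows:
        key = row.get(column) or untagged
        totals[key] += float(row["lineItem/UnblendedCost"])
    return {k: round(v, 2) for k, v in totals.items()}

if __name__ == "__main__":
    rows = load_cur(CUR_GZ)
    print("by service:", cost_by(rows, "lineItem/ProductCode"))
    print("by Project tag:", cost_by(rows, "resourceTags/user:Project"))
```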

15. Configure alternative contact info

You can set up alternate contact information for your AWS account other than the one you set up when you signed up.

Specifically, you can set up the following three types of alternate contacts:

  • Billing
  • Operations
  • Security

The Security contact in particular is the one the AWS Abuse Team contacts if, for example, credentials are leaked. If you have a team dedicated to security incidents, set their contact information here.

Adding, Changing, or Removing Alternate Contacts

16. Configure Trusted Advisor notification settings

Trusted Advisor is a service that checks whether you are following best practices in terms of "cost", "performance", "security", "reliability", and "service limitations".

AWS Trusted Advisor

It is enabled by default, but you have to go and look at it yourself via the console or other means. The check results can instead be sent as notifications to the alternate contacts.

If you want to check the results periodically, configure the notification settings.

17. Enable Config

AWS Config is a configuration management service that lets you track what changes have been made to a resource and to its relationships with other resources.

Please refer to the following document for the resources that can be managed.

AWS Config Supported AWS Resource Types and Resource Relationships

Config also has a configuration monitoring feature called Config Rules, which evaluates whether a resource is in the desired state and notifies you. There are many predefined rules, and you can enable the ones you need; you can also define your own rules. But be careful about the cost (it is a little expensive).

List of AWS Config Managed Rules

AWS Config pricing

It is also possible to automatically fix problematic conditions. Consider using it depending on your requirements.

Remediating Noncompliant AWS Resources by AWS Config Rules

18. Event monitoring with Personal Health Dashboard

Personal Health Dashboard displays events when the resources you have created are affected by maintenance or by a major outage.

You can use CloudWatch Events to be notified of events.

Monitoring AWS Health Events with Amazon CloudWatch Events

19. Check available regions

Beginning with the Hong Kong region, newly launched regions are disabled by default.

If you want to use a region that is disabled by default, you should enable it.

Enabling and Disabling Regions

20. [New] Change Governing Law/Jurisdiction by Artifact

By default, the AWS Customer Agreement states that the governing law is the laws of the State of Washington and that the courts of jurisdiction are the state or federal courts in King County, Washington.

AWS Customer Agreement

If you wanted to change the governing law to Japanese law and the court of jurisdiction to the Tokyo District Court, you used to have to sign a separate written agreement. Now this can be done in Artifact. See the following blog post for details.

Changing the AWS Customer Agreement to Japanese governing law: AWS Artifact (日本準拠法に関する AWS カスタマーアグリーメントの変更: AWS Artifact)

Make changes if necessary.

Summary

Security Hub, Trusted Advisor and Config Rules overlap somewhat, but I think you can narrow down to the settings you need after actually configuring and operating them for a while. Also, in some cases, instead of relying on the Cost and Usage Report and cost allocation tags, it may be sufficient to create separate AWS accounts for each purpose (billing is then split per account). Please make your own decision in this area.

I hope the above is helpful. If there is anything else I should do, please feel free to leave a comment.