The AWS Management Console is the graphical user interface (GUI) that is used to manage an AWS account. Below is a summary of tasks that can be completed using the AWS Management Console.
An email address and password are required. The next page asks for more information, including the type of account (professional or personal), full name, phone number, country and address.
The next page requires a valid credit card. The page after that verifies the phone number via text message (SMS). The next page asks us to choose a support plan: basic, developer or business. And that is it. We can now log in to the AWS Management Console.
In the AWS Management Console, we go to Account Settings --> My Billing Dashboard --> Billing preferences.
We are now in the Billing Management Console. We check Receive PDF Invoice By Email, Receive Free Tier Usage Alerts and Receive Billing Alerts. Click Save preferences.
In the Billing Management Console, click Budgets in the left sidebar menu.
Next page, we will select types of budgets from Cost, Usage, Reservation and Savings plan budget options. Here we will select Cost Budget.
Next page, we will input the budget details: Name of budget, Period (monthly, quarterly or annually), Budget effective dates (recurring budget, expiring budget), Start month, Budget amount (fixed, monthly budget amount), Budgeted amount and the optional budget parameters (choose from unblended, amortized or blended costs and check all types of alerts). Click Configure alerts.
Next page, create alert 1, select from actual costs, forecasted costs, Alert threshold (percentage of budgeted amount, dollar amount), email address for sending alerts to, check or uncheck notify via Amazon simple notification service (SNS) topic and AWS chatbot notifications. Click Confirm Budget.
Next page is confirm budget. Review all options and click Create. That's it. Our first budget alert is now created.
Click Services and search for CloudWatch. Click CloudWatch. Click Billing. You might get a region warning. We will change the region to us-east-1. Click the current region in the upper right-hand corner and select us-east-1 from the dropdown. Click Billing on the left menu. Click Create Alarm.
Next page is Specify metric and conditions. Scroll down to Conditions. We can select the threshold type as Static or Anomaly detection. Select whether the alarm fires whenever estimated charges are Greater, Greater or equal, Lower or equal, or Lower than the threshold value. Click Next.
Next page is Configure actions. In Notification, select from whenever this alarm state is in alarm, OK, Insufficient Data. Select from an existing SNS topic, create a new topic, use topic ARN. Input email address. We have to create a new topic. So we select new topic and input email and click create topic. Once topic is created, Click next.
Next page is Add Name and Description. Define a unique alarm name. Click Next.
Next page is Preview and Create. Review all steps and scroll down to click Create alarm. We will get an email on the email address we have given. Open that received email and click Confirm subscription. That's it. Billing alarm is created.
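The billing alarm steps above can also be scripted. The following is an added example, not part of the original page: it builds the same alarm with boto3, and it assumes the standard `AWS/Billing` `EstimatedCharges` metric in USD, a 6-hour evaluation period, and an alarm name made only of letters, digits and hyphens so it can be reused in the SNS topic name.

```python
# Added example: scripted equivalent of the console steps (not from the original page).
BILLING_REGION = "us-east-1"  # billing metrics are published only in this region

# Console wording for the condition -> CloudWatch API value
COMPARISONS = {
    "Greater": "GreaterThanThreshold",
    "Greater or equal": "GreaterThanOrEqualToThreshold",
    "Lower or equal": "LessThanOrEqualToThreshold",
    "Lower": "LessThanThreshold",
}

def billing_alarm_params(name, threshold_usd, comparison, topic_arn):
    """Build the put_metric_alarm arguments for a static-threshold billing alarm."""
    if comparison not in COMPARISONS:
        raise ValueError(f"unknown condition: {comparison!r}")
    if threshold_usd <= 0:
        raise ValueError("threshold must be a positive dollar amount")
    return {
        "AlarmName": name,
        "Namespace": "AWS/Billing",
        "MetricName": "EstimatedCharges",
        "Dimensions": [{"Name": "Currency", "Value": "USD"}],
        "Statistic": "Maximum",
        "Period": 21600,            # 6 hours, in seconds (assumed)
        "EvaluationPeriods": 1,
        "Threshold": float(threshold_usd),
        "ComparisonOperator": COMPARISONS[comparison],
        "AlarmActions": [topic_arn],  # SNS topic notified when the state is "in alarm"
    }

def create_billing_alarm(name, threshold_usd, email, comparison="Greater"):
    """Create the SNS topic, subscribe the email address, then create the alarm."""
    import boto3  # imported here so the parameter builder works without AWS access
    sns = boto3.client("sns", region_name=BILLING_REGION)
    topic_arn = sns.create_topic(Name=f"{name}-topic")["TopicArn"]
    # The recipient still has to click "Confirm subscription" in the email.
    sns.subscribe(TopicArn=topic_arn, Protocol="email", Endpoint=email)
    cloudwatch = boto3.client("cloudwatch", region_name=BILLING_REGION)
    cloudwatch.put_metric_alarm(
        **billing_alarm_params(name, threshold_usd, comparison, topic_arn))
    return topic_arn
```

Calling `create_billing_alarm` requires credentials that are allowed to create SNS topics and CloudWatch alarms, and billing alerts must already be enabled in the billing preferences.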
It's the service which is used to manage the access of AWS user accounts and groups to various services. The common use of IAM is to manage:
Also
Guidelines that recommend settings, configurations, and architecture for maintaining a high level of security, accessibility, and efficiency.
When a new AWS root account is created, it is best practice to complete the tasks listed in IAM under Security Status, including:
2. Hardware key fob
3. API keys for programmatic (CLI) access
On the IAM page, click Activate MFA on your root account. Click Manage MFA.
Next page is Your Security Credentials. Click Multi-Factor Authentication (MFA). Click Activate MFA. The next pop-up will be Manage MFA device. Choose from Virtual MFA device, U2F security key or Other hardware MFA device. We select Virtual MFA device and click Continue.
The next pop-up will be Set up virtual MFA device. The first step is to install a compatible app on our mobile device or computer (click on the list of compatible applications to see all the apps we can download). The second step is to scan the QR code OR input the secret key. The third step is to type two consecutive codes. Click Assign MFA. The next pop-up will confirm that MFA is turned on for the root user account.
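To show what the secret key and the two consecutive codes are, here is an added example (not part of the original page) that computes time-based one-time passwords per RFC 6238, the algorithm virtual MFA apps implement. The 30-second step, 6 digits, HMAC-SHA1 and the `accepts_enrollment` check are assumptions for illustration, not AWS's own code; the sample secret is the RFC test key.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds each code is valid (assumed RFC 6238 default)
DIGITS = 6   # code length (assumed)

# Constructed sample: base32 of the RFC 6238 test key, not a real MFA secret.
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def totp(secret_b32, at, step=STEP, digits=DIGITS):
    """Return the code that is valid at Unix time `at` for the given secret key."""
    s = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(s + "=" * (-len(s) % 8))
    counter = struct.pack(">Q", int(at) // step)          # number of elapsed time steps
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                               # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def consecutive_codes(secret_b32, at):
    """The two codes an authenticator app would show back to back starting at `at`."""
    return totp(secret_b32, at), totp(secret_b32, at + STEP)

def accepts_enrollment(secret_b32, code1, code2, now, drift_steps=1):
    """Hypothetical server-side check: the codes must match two adjacent time
    steps close to `now`, which proves the device holds the secret and its
    clock is in sync."""
    for d in range(-drift_steps, drift_steps + 1):
        t = now + d * STEP
        if (hmac.compare_digest(code1, totp(secret_b32, t)) and
                hmac.compare_digest(code2, totp(secret_b32, t + STEP))):
            return True
    return False
```

Anyone who holds the secret key can generate valid codes, so the QR code and the secret key shown during setup should be treated like a password and not stored in screenshots or shared notes.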
In IAM dashboard, click Create individual IAM Users. Click Manage Users. Next page, click Add User. Next page, set user details. Input User name. Select Access Type. Check Programmatic access and AWS Management Console access. For Console password, select from Autogenerated password or custom password. Check Require password reset. Click Next: Permissions.
Next page is Set permissions. We will need to create a group. Click Create Group. Search AdministratorAccess in Group name placeholder. Check AdministratorAccess under Policy name. Another good option is PowerUserAccess. Click Create Group. Next page, click Next: Tags. We can optionally add the users' email addresses or job titles as tags attached to the user. Click Next: Review. Click Create User.
Next page, we will see the user created along with the Access Key ID, Secret Access Key and password, and an option to email login instructions. Download the CSV file and close the page.
On IAM dashboard, copy the IAM users sign-in link.
Open a new browser window and paste the IAM users sign-in link. On the AWS log-in page, the Account ID will be filled in automatically. Input the IAM user name we have just created and copy the password from the CSV file we downloaded earlier. We are now logged in with the user we have just created.
Note: In the previous browser window, our root user will be signed out automatically.
In IAM dashboard, click Apply an IAM password policy. Click Manage Password Policy. Next page, click Set password policy. Next page, Enforce minimum password length is by default checked. We can check other options as per our policy and click save changes.
Best practice is to create Groups and attach policies to those groups, then add users to those Groups. We can also create roles to access one service from another service. For example, a user using the EC2 service can access S3 using a role that is permitted to access the S3 service.
There are two types of policies.
1. Managed Policies are pre-built policies which are built either by AWS or by an administrator inside of our AWS account. These policies can be attached either to an IAM user or an IAM Group.
2. Inline Policies are policies that can be attached to one user or one group. These are typically used in one-off situations.
An explicit Deny always overrules an Allow in any type of policy. Also, all actions are denied by default unless specifically allowed through a managed or inline policy.