Unwrapping a new AWS account, a checklist
Here’s a checklist of what I do when I unwrap a new AWS account.
I’m hoping to get some feedback on what else is being done out there.
I might create separate AWS accounts for these reasons:
– New Client (yay!)
– New Project
– New Environment
We begin cleaning up as root, right after registration is completed.
1) User Setting: Password should be >= 32 characters with mixed case, digits and symbols (generate programmatically, never re-use)
2) User Setting: Enable MFA
3) Account Setting: Enable IAM user access to the Billing console (AWS Security Blog: “Don’t Forget to Enable Access to the Billing Console!”)
4) Account Setting: Enable AWS Support [optional]
5) IAM > Roles: Create role(s) for Vanilya’s admin(s) to use through role switching
6) IAM > Groups: Create group for local-to-account Vanilya admins [edit: usually skip]
7) IAM > Users: Create users for local-to-account Vanilya admins (download & securely store as: name.lastname.account.aws.yyyy.mm.dd.csv) [edit: usually skip]
8) IAM > Users: Add users to the Group created in step #6
9) IAM > Account Settings: Disable unnecessary Security Token Service Regions
10) IAM > Account Settings: Set password policy
11) IAM > Dashboard > Give account a nickname for use in signin URL and other features.
12) Root > Account Settings > Delete Access Keys. (added 12/08/2016)
Switch to an admin user: depending on the account, either a local IAM user or the role from step 5 via role switching.
This switch has the added benefit of immediately testing whether you got steps 5-8 right.
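As an added example (not from the post), here is a trust policy for the step-5 admin role: it can only be assumed by a principal from the Vanilya admin account that signed in with MFA. The account ID 111122223333 is a placeholder for that admin account.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:root" },
      "Action": "sts:AssumeRole",
      "Condition": {
        "Bool": { "aws:MultiFactorAuthPresent": "true" }
      }
    }
  ]
}
```

Naming the admin account's root ARN as the principal delegates the choice of which users may switch to that account's own IAM policies, so nothing in the client account needs editing when admins join or leave; the MFA condition means a long-lived IAM access key on its own cannot assume the role. Attach the AWS managed AdministratorAccess policy to the role for the permissions side, and give the admin account's user or group an allow on sts:AssumeRole for this role's ARN. The alias from step 11 then stands in for the account ID in the switch-role link.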
13) VPC > Delete “default” VPC
14) CloudTrail > Enable
15) Config > Enable
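To verify that the steps above actually landed, the following Python is an added example (not the post's own code) that audits an account against the checklist. Each check reads the response document of the matching AWS API call by the field names those calls return; in a live account you would pass boto3 output, for example boto3.client("iam").get_account_summary(). The FRESH and HARDENED responses at the bottom are constructed samples, with the credential report trimmed to the columns the check uses, and the password-policy thresholds (14 characters, 24 remembered passwords) are this example's choice rather than anything the post prescribes.

```python
"""Offline audit of the checklist above (an added example, not the post's code).
Each check takes the response document of the matching AWS API call, read by
the field names those calls return; in a live account you would pass boto3
output, e.g. boto3.client("iam").get_account_summary(). FRESH and HARDENED
are constructed sample responses (credential report trimmed to the columns used).
"""
import csv
import io
import secrets
import string

CLASSES = (string.ascii_uppercase, string.ascii_lowercase, string.digits, string.punctuation)

def generate_root_password(length=32):
    """Step 1: >= 32 random characters, regenerated until every class is present."""
    alphabet = "".join(CLASSES)
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(max(length, 32)))
        if all(any(c in cls for c in pw) for cls in CLASSES):
            return pw

def check_root(summary):
    """Steps 2 and 12 from `iam get-account-summary`: root MFA on, no root keys."""
    m = summary["SummaryMap"]
    findings = []
    if m.get("AccountMFAEnabled") != 1:
        findings.append("root MFA not enabled")
    if m.get("AccountAccessKeysPresent", 0) != 0:
        findings.append("root access keys present")
    return findings

def check_users(report_csv):
    """Step 7: console users must have MFA (decoded `iam get-credential-report`)."""
    return [f"user {r['user']} has a console password but no MFA"
            for r in csv.DictReader(io.StringIO(report_csv))
            if r["user"] != "<root_account>"
            and r["password_enabled"] == "true" and r["mfa_active"] != "true"]

def check_password_policy(policy):
    """Step 10 from `iam get-account-password-policy`; thresholds are this example's."""
    p = policy.get("PasswordPolicy", {})   # a new account has no policy: {} fails all
    findings = [f"{flag} is off" for flag in ("RequireUppercaseCharacters",
                "RequireLowercaseCharacters", "RequireNumbers", "RequireSymbols")
                if not p.get(flag)]
    if p.get("MinimumPasswordLength", 0) < 14:
        findings.append("minimum password length below 14")
    if p.get("PasswordReusePrevention", 0) < 24:
        findings.append("password reuse prevention below 24")
    return findings

def check_default_vpc(vpcs):
    """Step 13 from `ec2 describe-vpcs`: no default VPC may remain."""
    return [f"default VPC {v['VpcId']} still exists" for v in vpcs.get("Vpcs", []) if v.get("IsDefault")]

def check_cloudtrail(trails):
    """Step 14 from `cloudtrail describe-trails`: one multi-region, validated trail."""
    ok = [t for t in trails.get("trailList", [])
          if t.get("IsMultiRegionTrail") and t.get("LogFileValidationEnabled")]
    return [] if ok else ["no multi-region trail with log file validation"]

def check_config(recorders, statuses):
    """Step 15 from `config describe-configuration-recorders` and `-recorder-status`."""
    findings = []
    if not recorders.get("ConfigurationRecorders"):
        findings.append("no Config recorder")
    if not any(s.get("recording") for s in statuses.get("ConfigurationRecordersStatus", [])):
        findings.append("Config recorder not recording")
    return findings

def audit(summary, report_csv, policy, vpcs, trails, recorders, statuses):
    """Run every check; return {section: findings}, keeping only failing sections."""
    results = {"root": check_root(summary), "users": check_users(report_csv),
               "password_policy": check_password_policy(policy),
               "vpc": check_default_vpc(vpcs), "cloudtrail": check_cloudtrail(trails),
               "config": check_config(recorders, statuses)}
    return {k: v for k, v in results.items() if v}

REPORT_HEADER = "user,arn,password_enabled,mfa_active\n"
FRESH = dict(  # constructed: freshly registered account, nothing hardened yet
    summary={"SummaryMap": {"AccountMFAEnabled": 0, "AccountAccessKeysPresent": 1}},
    report_csv=REPORT_HEADER + "<root_account>,arn:aws:iam::111122223333:root,not_supported,false\n"
    "name.lastname,arn:aws:iam::111122223333:user/name.lastname,true,false\n",
    policy={}, vpcs={"Vpcs": [{"VpcId": "vpc-0example", "IsDefault": True}]},
    trails={"trailList": []}, recorders={"ConfigurationRecorders": []},
    statuses={"ConfigurationRecordersStatus": []})
HARDENED = dict(  # constructed: the same account after steps 2, 7, 10 and 12-15
    summary={"SummaryMap": {"AccountMFAEnabled": 1, "AccountAccessKeysPresent": 0}},
    report_csv=REPORT_HEADER + "<root_account>,arn:aws:iam::111122223333:root,not_supported,true\n"
    "name.lastname,arn:aws:iam::111122223333:user/name.lastname,true,true\n",
    policy={"PasswordPolicy": {"MinimumPasswordLength": 16, "PasswordReusePrevention": 24,
            "RequireUppercaseCharacters": True, "RequireLowercaseCharacters": True,
            "RequireNumbers": True, "RequireSymbols": True}},
    vpcs={"Vpcs": []},
    trails={"trailList": [{"Name": "all-regions", "IsMultiRegionTrail": True,
                           "LogFileValidationEnabled": True}]},
    recorders={"ConfigurationRecorders": [{"name": "default"}]},
    statuses={"ConfigurationRecordersStatus": [{"name": "default", "recording": True}]})
if __name__ == "__main__":
    print("fresh:", audit(**FRESH)); print("hardened:", audit(**HARDENED))
```

Run as-is it prints every finding for the fresh account and an empty result for the hardened one; the check functions are kept free of API calls so the same logic can run against saved responses during an incident or as a scheduled drift check.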
That’s all that comes to mind for now, happy cleaning!
What do you do first in a new account?