I have decided to pursue the AWS Solutions Architect certification program, so this is a quick blog post on how to enable the Amazon AWS Free Tier. I will be using this environment for labs during my study, but I am also hoping to build some hybrid cloud use cases by hooking up my AWS environment to my VMware vSphere 6.5 lab environment. I am currently watching the excellent ‘AWS Certified Solutions Architect – Associate 2017’ training video series by A Cloud Guru. If you want to know more about AWS, I absolutely recommend following these guys. They are doing amazing things within the AWS community!
What is the AWS Free Tier
The name says it all. AWS provides all sorts of cloud services for free, in a resource-limited capacity. Some services are free for 12 months and some are always free. For example: you will receive 5GB per month of S3 storage and 750 hours of EC2 for micro-sized instances for 12 months. Lambda requests are free forever if you do not exceed 1,000,000 requests per month. Make sure to check out https://aws.amazon.com/free/ for specific details and conditions. The free tier is an excellent way to get familiar with AWS. There are even cool startup companies out there that based their business and consumption model entirely on the free tier. I heard the CEO of Blendle explain in the Dutch 216 AWS Summit keynote presentation how they only make use of the free tier for their revolutionary news subscription service … until a customer actually buys an article from them. That’s pretty amazing!
Sign up for the AWS Free Tier
I will be using the free tier mainly for study purposes. You can sign up on the Free Tier webpage by clicking on the Create Free Account link:
Maybe there is some workaround, but the easiest setup is to simply add a credit card to your account. The signup process is pretty straightforward. You will receive a welcome email message from AWS, confirming your 12-month access to the Free Tier:
Security setup (IAM)
Secure your root account with MFA
After signing in to the AWS console for the first time, your first priority is to secure your root account with MFA (Multi-Factor Authentication). Remember, your credit card is linked to your AWS root account! You don’t want your account hacked and someone spinning up some monster EC2 instances just for fun. Secure it! Here’s how:
In the AWS Console, go to the IAM service. Notice IAM is a global service so it does not matter which region you choose. You will see a 5-step wizard with step 2 being ‘Activate MFA on your root account’:
- Expand step 2 and click Manage MFA.
- Select virtual MFA device
- You will get a popup message about downloading a compatible MFA app for your smartphone. I am using Google Authenticator on my iPhone
- Link your MFA app to your AWS root account by entering two consecutive codes
- Refresh your browser and you will get a checkmark at step number 2
Create a user-friendly IAM sign-in link
In the top of the IAM screen you will notice a sign-in link starting with a number. This is your AWS account number. You can create a user-friendly sign-in link by clicking ‘Customize’. This will create a new DNS namespace so it has to be a unique name:
Create a new IAM user
As a security best practice, you should limit the use of your AWS root account. We will be creating a new IAM user in step 3 of the 5 step security wizard.
Expand step 3, click ‘Manage users’ and select ‘Add user’. You can choose to allow ‘Programmatic access’ or access via the ‘AWS Management Console’. For lab purposes, I selected both options:
Create a group and assign permissions
The next step is to assign permissions. This is done by placing the new IAM user in a group. I will create a group called ‘aws-admins’. To set full access admin permissions for this group, I assign the ‘Administrator Access’ policy. You can expand each policy and either view a plain English summary or look directly at the JSON code. I am no JSON expert but I think I understand the code for the ‘Administrator Access’ policy:
Assign the policy to the group and proceed. You can review a summary and click on create user. The following screen displays some very important security information, which you should take notice of:
I highly recommend you download the CSV file with the security information and store it in a safe place. You can use the ‘Access key ID’ together with the ‘Secret access key’ to programmatically access your AWS account. You can use the username and password combination to log in to the AWS Management Console. You can choose to email instructions to a specified email address of the newly created user.
This ticks off steps 3 and 4, which leaves the final step of creating a password policy.
Create a password policy
Click Manage password policy and specify a policy that meets your requirements:
Although we are setting up a Free Tier, our credit card is linked to AWS. To prevent unpleasant surprises ($$$), let’s make sure we receive an email notification as soon as our credit card bill exceeds $5. That seems like a fair amount. Go to the ‘Billing service’, scroll down, and click on ‘Enable now’ to make sure charges are being monitored by the billing service. Click ‘Receive Billing Alerts’. The AWS CloudWatch service will take care of the alarming. Save your preferences and click on ‘Manage Billing Alarms’ and then on ‘Create a billing alarm’:
Put in your email address and you will get a mail notification as soon as your billing threshold is exceeded. The final step is to confirm the email address.
Test your new account
Log out of your root account and log in to the AWS Management Console using your newly created IAM user account.
To test programmatic access, we will need to install the AWS command-line tools. You can find the installation procedure at http://docs.aws.amazon.com/cli/latest/userguide/installing.html. Once installed, open up a command prompt or terminal and set up the AWS CLI by entering ‘aws configure’. You will need the ‘Access key ID’ and ‘Secret access key’ provided when you created the user account. Then pick a region and leave the output format at the default of None. To test the connection, use ‘aws iam get-user’.
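The settings made in the console above can be read back from the same AWS CLI session. The script below is an added example, not part of the original post: it checks root MFA, root access keys, the identity behind the CLI keys, the password policy and the billing alarm. The function names are illustrative, and it assumes the billing alarm is on the EstimatedCharges metric with the USD currency dimension.

```shell
#!/bin/sh
# Added example: read-only check of the baseline this post sets up.
# Assumes `aws configure` was run for an IAM user that may read IAM and
# CloudWatch. All function names here are illustrative.

# check LABEL ACTUAL EXPECTED: print a PASS/FAIL line and count failures.
check() {
    if [ "$2" = "$3" ]; then
        echo "PASS  $1"
    else
        echo "FAIL  $1 (got '$2', expected '$3')"
        failures=$((failures + 1))
    fi
}

# One field of the account-wide IAM summary (the two used here are 0 or 1).
summary() {
    aws iam get-account-summary --query "SummaryMap.$1" --output text
}

audit_baseline() {
    failures=0
    check "root account has MFA" "$(summary AccountMFAEnabled)" 1
    check "root account has no access keys" "$(summary AccountAccessKeysPresent)" 0

    # The CLI should run as the IAM user; root's ARN ends in :root instead.
    case "$(aws sts get-caller-identity --query Arn --output text)" in
        *:user/*) caller=iam-user ;;
        *)        caller=other ;;
    esac
    check "CLI credentials belong to an IAM user" "$caller" iam-user

    # Exits non-zero (NoSuchEntity) when no password policy was ever saved.
    if aws iam get-account-password-policy >/dev/null 2>&1; then policy=set; else policy=missing; fi
    check "account password policy is set" "$policy" set

    # Billing metrics exist only in us-east-1; the USD dimension is assumed.
    alarms=$(aws cloudwatch describe-alarms-for-metric --region us-east-1 \
        --namespace AWS/Billing --metric-name EstimatedCharges \
        --dimensions Name=Currency,Value=USD \
        --query 'MetricAlarms[].AlarmName' --output text)
    case "$alarms" in ''|None) alarm=missing ;; *) alarm=present ;; esac
    check "billing alarm exists" "$alarm" present
    return "$failures"
}

# Run only when asked, so the functions can also be sourced and reused.
if [ "${1:-}" = "run" ]; then audit_baseline; fi
```

Save it to a file and run it with the argument `run`; the exit status is the number of failed checks.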
That’s it for now. We have successfully set up a Free Tier account for AWS, secured the root account and secured your wallet by providing a billing alarm. We tested both the AWS Admin Console access and the programmatic access using the AWS CLI.