Open an AWS Account Safely and Set Up a Billing Alert
In this article we'll create an AWS account and configure a few basics before touching any service. Most of the security mistakes and billing surprises beginners hit come from skipping the steps here, so we do them once and stay covered afterward.
Goals
After this article you'll have:
- An AWS account with MFA enabled on the root account.
- A dedicated IAM user for daily use (no more touching root).
- The AWS CLI installed and configured on your machine.
- An AWS Budget that emails you when costs exceed a threshold.
This article uses free services (IAM, Budgets), so it incurs no cost and there's nothing to clean up.
Step 1: Sign up for an account
Go to aws.amazon.com and choose Create an AWS Account. Signing up requires:
- An email address you've never used to register an AWS account. This email becomes the root account — the account with the highest level of access.
- A Visa/Mastercard. AWS places a small hold (about 1 USD) to verify, then refunds it. Even on the Free Tier, this step is required.
- A phone number for verification via SMS or call.
During sign-up, you'll choose an account plan. This is an important change for accounts created from 2025-07-15:
- Free account plan: no real charges, uses the 100 USD of granted credit to explore services. This plan ends after 6 months or when the credit runs out, whichever comes first. It also blocks some services that burn credit quickly. A good fit for learning.
- Paid account plan: pay-as-you-go once you exceed the credit; used for systems running for real.
For learning along with this series, choose the Free account plan. If asked about a Support Plan, choose Basic support - Free.
A note on the Free Tier model: accounts created after 2025-07-15 use the credit model (100 USD granted + up to 100 USD earned through exploration activities like EC2, RDS, Budgets — 20 USD per service). Accounts created before 2025-07-15 use the old model: many services free for the first 12 months (e.g. 750 hours of EC2 t2.micro per month). The series is written for the new model; if your account is the old type, the cost sections in later articles are even easier on you.
Once you're signed up, you log in for the first time with the email and password you just created. This is logging in as the root account.
Step 2: Understand the root account and why you shouldn't use it
The root account is the one tied to your sign-up email. It has full access, including actions no other account can do, such as closing the account or changing the support plan. Because it's so powerful, if root leaks, someone else controls everything, including billing.
AWS's principle: use root as little as possible. Once you've finished setup, you'll almost never need to log in as root. Day-to-day work goes through an IAM user, which we create in Step 4.
First, protect root.
Step 3: Enable MFA on the root account
MFA (Multi-Factor Authentication) is a second layer of authentication: besides the password, each login requires a 6-digit code generated by an app on your phone. With MFA, even if your password leaks, someone else still can't log in.
Install a code-generating app on your phone first, for example Google Authenticator, Microsoft Authenticator, or Authy.
Steps to enable MFA:
- While logged in as root, click your account name in the top right and choose Security credentials.
- Under Multi-factor authentication (MFA), choose Assign MFA device.
- Pick the Authenticator app type.
- The screen shows a QR code. Open the app on your phone and scan it.
- The app starts generating 6-digit codes that change every 30 seconds. Enter two consecutive codes into the form and confirm.
From now on, each root login needs a code from this app. Don't delete the account in the app, and if you switch phones remember to move it to the new one.
Step 4: Create an IAM user for daily use
IAM (Identity and Access Management) is the service for managing users and permissions in an AWS account. Instead of using root, we create a dedicated IAM user for ourselves.
Note: AWS now recommends IAM Identity Center for environments with many people and many accounts. For learning solo, a single IAM user is much simpler, so the series uses that approach. When you work on larger systems on the job, you'll run into Identity Center again.
Steps:
- In the top search bar, type IAM and open the IAM service.
- In the left menu choose Users, then Create user.
- Give it a name, for example admin-cli. Tick Provide user access to the AWS Management Console if you want this user to be able to log in to the web UI (worth ticking, for use in later articles). Choose I want to create an IAM user.
- Set a password for the user.
- At the Set permissions step, choose Attach policies directly, then find and tick AdministratorAccess.
On permissions: AdministratorAccess gives this user almost full access (except a few root-only actions). For learning solo that's acceptable. In a real system, we grant the minimum sufficient permissions (least privilege) instead of admin for everyone — we'll come back to this in later articles.
- Click create. AWS gives you a dedicated sign-in link for the IAM user, of the form https://<account-id>.signin.aws.amazon.com/console. Save this link.
After creating it, enable MFA on this IAM user too following the exact steps in Step 3 (open the user you just created, the Security credentials tab, Assign MFA device). This user is the account you'll use daily, so it needs MFA as well.
From now on, log out of root and log back in as the IAM user via the link you saved. Only go back to root when you truly need to.
Step 5: Create an access key and install the AWS CLI
The AWS CLI is a command-line tool for controlling AWS from the terminal, instead of clicking through the UI. From Article 2 onward we use it a lot. For the CLI to call AWS on your behalf, it needs an access key pair (an Access Key ID and a Secret Access Key).
Create an access key:
- Logged in as the IAM user, go to IAM > Users and select the admin-cli user.
- On the Security credentials tab, under Access keys, choose Create access key.
- Choose the Command Line Interface (CLI) use case, tick the confirmation, and click create.
- The screen shows an Access key ID and a Secret access key. The secret is shown exactly once. Copy both, or click Download .csv file to save them.
Treat the access key like a password: don't commit it to Git, don't paste it into chats or public screenshots. If it does leak, come here and delete that key (Deactivate then Delete) and create a new one.
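One way to enforce the "don't commit it to Git" rule is to scan text for key-shaped strings before it leaves your machine. The script below is an added example, not part of the original article; the function name, the two patterns and the sample input (AWS's published documentation placeholder keys) are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: flag AWS access keys in text on stdin, e.g. a staged Git diff.
# Prints the input line numbers only (never the key itself) and returns 1 on a hit.

# Access key IDs: 20 characters starting with AKIA (long-term) or ASIA (temporary).
KEY_ID_RE='(^|[^A-Za-z0-9])(AKIA|ASIA)[0-9A-Z]{16}([^A-Za-z0-9]|$)'
# Secret keys are 40 base64-like characters; requiring a "secret access key"
# label before them keeps 40-character Git commit hashes from matching.
SECRET_RE='secret_?access_?key[^A-Za-z0-9/+]{1,4}[A-Za-z0-9/+]{40}'

scan_aws_keys() {
  input=$(cat)
  # Collect the line numbers of every hit; "|| true" keeps a no-match grep
  # from aborting the scan when the caller runs under "set -e".
  lines=$( {
    printf '%s\n' "$input" | grep -nE "$KEY_ID_RE" || true
    printf '%s\n' "$input" | grep -niE "$SECRET_RE" || true
  } | cut -d: -f1 | sort -nu )
  [ -z "$lines" ] && return 0
  for n in $lines; do
    echo "possible AWS access key on input line $n"
  done
  return 1
}

# Constructed sample using the placeholder key pair from AWS's own documentation.
SAMPLE='[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
region = ap-southeast-1'

printf '%s\n' "$SAMPLE" | scan_aws_keys || echo "sample would be blocked from commit"
```

To use it as a Git pre-commit hook, replace the sample call at the end with `git diff --cached -U0 | scan_aws_keys` and save the file as an executable .git/hooks/pre-commit.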
Install the AWS CLI for your OS:
# macOS (using Homebrew)
brew install awscli
# Windows: download the MSI installer at
# https://awscli.amazonaws.com/AWSCLIV2.msi
# Linux (x86_64)
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip
sudo ./aws/install
Check that it installed:
aws --version
The command above prints the version, for example aws-cli/2.x.x. If it says "command not found", the CLI isn't installed or isn't on your PATH.
Configure the CLI with the access key you just created:
aws configure
This command asks for four things in turn:
AWS Access Key ID [None]: <paste Access Key ID>
AWS Secret Access Key [None]: <paste Secret Access Key>
Default region name [None]: ap-southeast-1
Default output format [None]: json
The ap-southeast-1 region is Singapore, the closest to Vietnam, so latency is low. You can pick a different region, but you should use one region consistently across the whole series to avoid losing track of resources.
Check the CLI is connected to the right account:
aws sts get-caller-identity
This returns Account, UserId, and Arn. If the Arn contains user/admin-cli, the CLI is using the right IAM user. If you get an authentication error, run aws configure again and check you pasted the keys correctly.
Step 6: Set up a billing alert with AWS Budgets
This is the most important step of the article. AWS Budgets lets you set a cost threshold and emails you when actual (or forecasted) cost hits it. Budgets itself is free for your first two budgets.
By default, viewing billing information is root-only. If you also want the IAM user to see it, log in as root once, go to Account > IAM User and Role Access to Billing Information, and turn on Activate IAM Access. This step isn't required for the lesson, but it's handy later.
Create a budget:
- Find and open the Billing and Cost Management service, in the left menu choose Budgets, then Create budget.
- Choose the Monthly cost budget template (or Customize if you want to tune it).
- Set the threshold amount, for example 5 USD per month. For a learner, exceeding 5 USD means something is running that you didn't expect and needs checking right away.
- Enter the email to receive alerts.
- Click create.
By default, this kind of budget alerts when the forecasted cost for the month exceeds the threshold and when actual cost hits percentage milestones. If you get an alert email, log in and immediately check which resource is running.
The budget is based on cost data, so it has a few hours of lag — it's not instant. It's a safety net to catch sustained mistakes, not a real-time spend blocker. The habit of cleaning up after each article (from Article 2) is the main line of defense.
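The same budget can also be created from the terminal configured in Step 5. This is an added example, not part of the original article: the budget name, e-mail address and the 80%/100% alert percentages are assumptions, and it assumes the IAM user is allowed to manage budgets (which may require the Activate IAM Access setting mentioned above).

```shell
#!/bin/sh
# Added example: the Step 6 budget created with the AWS CLI instead of the console.
# Name, e-mail address and alert percentages are assumptions; edit before use.
BUDGET_NAME="learning-monthly"
LIMIT_USD="5"
ALERT_EMAIL="you@example.com"

# Monthly cost budget with a fixed USD limit. $1 = name, $2 = limit.
budget_json() {
  printf '{"BudgetName":"%s","BudgetLimit":{"Amount":"%s","Unit":"USD"},' "$1" "$2"
  printf '"TimeUnit":"MONTHLY","BudgetType":"COST"}\n'
}

# One alert. $1 = ACTUAL or FORECASTED, $2 = percent of the limit, $3 = e-mail.
notification_json() {
  printf '{"Notification":{"NotificationType":"%s","ComparisonOperator":"GREATER_THAN",' "$1"
  printf '"Threshold":%s,"ThresholdType":"PERCENTAGE"},' "$2"
  printf '"Subscribers":[{"SubscriptionType":"EMAIL","Address":"%s"}]}' "$3"
}

# Alerts at 80% and 100% of actual spend and at 100% of forecasted spend.
notifications_json() {
  printf '[%s,%s,%s]\n' \
    "$(notification_json ACTUAL 80 "$1")" \
    "$(notification_json ACTUAL 100 "$1")" \
    "$(notification_json FORECASTED 100 "$1")"
}

create_budget() {
  # Use the account the CLI is authenticated to (same call as the Step 5 check).
  account_id=$(aws sts get-caller-identity --query Account --output text) || return 1
  aws budgets create-budget --account-id "$account_id" \
    --budget "$(budget_json "$BUDGET_NAME" "$LIMIT_USD")" \
    --notifications-with-subscribers "$(notifications_json "$ALERT_EMAIL")" || return 1
  # Read it back to confirm the limit that was stored.
  aws budgets describe-budget --account-id "$account_id" --budget-name "$BUDGET_NAME"
}

# Without --apply, only print the JSON that would be sent, for review.
if [ "${1:-}" = "--apply" ]; then
  create_budget
else
  budget_json "$BUDGET_NAME" "$LIMIT_USD"
  notifications_json "$ALERT_EMAIL"
fi
```

Run it once without arguments to review the JSON, then with --apply to create the budget.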
Recheck before moving on
Run through the checklist quickly:
- [ ] Root has MFA enabled.
- [ ] Created a dedicated IAM user (admin-cli) and enabled MFA on it too.
- [ ] Using the IAM user to log in, not root for daily work.
- [ ] aws sts get-caller-identity returns the right IAM user.
- [ ] Created an AWS Budget that emails alerts.
If all five are done, the foundation is solid.
Wrap-up
We've set up a safe foundation for the account: protected root with MFA, switched to an IAM user, connected the AWS CLI from the machine, and set a cost alert. These are things you only do once but that head off most of the trouble down the road.
In Article 2 we start creating real resources: an EC2 server, SSH into it, and run a first web server. That's also the first article with a cost estimate and a cleanup section at the end.