LazyStack

Step 3) Create AWS Management Account

Prerequisites:
- Email Address to use for Root User in Management Account
Estimated Time: 2 to 10 minutes
Estimated Cost: none
Perform this step on the Management Workstation.

AWS Background

Understanding AWS IAM best practices is important. If you haven't already reviewed AWS documentation on IAM, please visit this link: Security best practices in IAM.

Configuration Steps
  1. Sign up for an AWS account using your email address - this will become your AWS "Management" account. Name this account "OrgMgmt" - replacing "Org" with your OrgCode.

    Make a note of the email address and password used to create the account. You will need them to log in as the Account's "root" user.

    Important: AWS does not allow the same email address to be associated with more than one AWS Account. If your email address is already tied to an existing AWS Account, create an email alias (or use a different address) for the new account.

  2. Go to your email and use the email AWS sent you to confirm your email Address.

  3. Sign into your AWS Management Console as Root user. The AWS Management Console appears.

  4. Create the OrgMgmt IAM User and generate an OrgMgmt_credentials.csv file
    1. In the AWS Services section, find and select "IAM". The IAM dashboard appears.
    2. In left-hand navigation bar, select Users. The user list appears. As this is a new Account, there are no IAM users.
    3. Click the Add user button. The Add user (step 1) page appears.
    4. Enter "OrgMgmt" in the User name field. Replace "Org" with your OrgCode.
    5. Check the Programmatic access checkbox.
    6. Check the AWS Management Console access checkbox. The Console password and Require password reset options appear.
    7. Select the Custom password radio button. Enter a custom password.
    8. Uncheck the Require password reset checkbox.
    9. Click the Next:Permissions button. The Add user (step 2) page appears.
    10. Click the Create group button. The Create group dialog appears.
    11. Enter "Administrators" in the Group name field.
    12. Click the checkbox for the Policy named AdministratorAccess.
    13. Click the Create group button. The dialog closes.
    14. Click the Next: Tags button. The Add user (step 3) page appears.
    15. Click the Next: Review button. The Add user (step 4) page appears.
    16. Click the Create user button. The Add user (step 5) page appears.
    17. Click the Download .csv button.
    18. Rename the "new_user_credentials.csv" file to "OrgMgmt_credentials.csv". Replace "Org" with your OrgCode.
    19. Move the file to the LazyStackSettings folder. This file contains the user's secret access key in plaintext, so keep the LazyStackSettings folder out of source control and off shared drives.
    20. Click the Close button. The IAM console appears.

  5. Sign out of your AWS Management Account.

  6. Install AWS CLI

  7. Create OrgMgmt AWS CLI Profile
    1. Open a PowerShell terminal.
    2. cd into the LazyStackSettings folder.
    3. Issue the following command (replacing "Org" with your OrgCode):
      aws configure import --csv file://OrgMgmt_credentials.csv
      This creates the OrgMgmt profile. The profile name is taken from the "User name" column of the CSV, and the keys are copied into ~/.aws/credentials.
    4. Issue the following command (replacing "Org" with your OrgCode, and editing the region if necessary):
      aws configure set region us-east-1 --profile OrgMgmt
    5. Issue the following command (replacing "Org" with your OrgCode):
      aws configure list --profile OrgMgmt
      Example output with an OrgCode of "Az" (the access key and secret key are masked by the CLI):

             Name                    Value             Type    Location
             ----                    -----             ----    --------
          profile                   AzMgmt           manual    --profile
       access_key     ****************KZ6S shared-credentials-file
       secret_key     ****************8b3b shared-credentials-file
           region                us-east-1      config-file    ~/.aws/config


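The following PowerShell script is an added example for step 7; it is not part of the LazyStack docs or tooling. It runs steps 7.3 to 7.5 in one go and then adds a check the manual steps do not include: a real signed call (sts get-caller-identity) to confirm the profile authenticates and resolves to the IAM user, not the root user. It assumes the AWS CLI v2 is on PATH, that it is run from the LazyStackSettings folder, and that the script file name (New-MgmtProfile.ps1) and the -OrgCode and -Region parameters are names chosen here for illustration.

```powershell
# Added example, not part of the LazyStack docs: runs steps 7.3 to 7.5 and then
# verifies that the new profile authenticates as the intended IAM user.
# Assumes: AWS CLI v2 on PATH, current directory is the LazyStackSettings folder,
# and -OrgCode is your OrgCode (e.g. "Az" gives the profile "AzMgmt").
param(
    [Parameter(Mandatory = $true)][string]$OrgCode,
    [string]$Region = "us-east-1"
)
$ErrorActionPreference = "Stop"

$profileName = "${OrgCode}Mgmt"
$csvPath     = "${profileName}_credentials.csv"

if (-not (Test-Path $csvPath)) {
    throw "Credentials file '$csvPath' not found; run this from the LazyStackSettings folder."
}

# Step 7.3: import the console-generated CSV. The CLI names the profile after the
# "User name" column, so it becomes OrgMgmt without any extra flag.
aws configure import --csv "file://$csvPath"
if ($LASTEXITCODE -ne 0) { throw "aws configure import failed (exit $LASTEXITCODE)" }

# Step 7.4: pin the region for this profile.
aws configure set region $Region --profile $profileName
if ($LASTEXITCODE -ne 0) { throw "aws configure set region failed (exit $LASTEXITCODE)" }

# Step 7.5: show what the CLI resolved for the profile (keys are masked).
aws configure list --profile $profileName

# Added check: make a real signed call and confirm the caller is the IAM user,
# not the root user. sts:GetCallerIdentity needs no IAM permissions, so it works
# regardless of which policies are attached to the user.
$identity = aws sts get-caller-identity --profile $profileName --output json | ConvertFrom-Json
if ($LASTEXITCODE -ne 0 -or -not $identity) {
    throw "Profile $profileName could not authenticate; re-check the imported CSV."
}
if ($identity.Arn -notlike "arn:aws:iam::*:user/$profileName") {
    throw "Profile $profileName resolved to an unexpected identity: $($identity.Arn)"
}
Write-Host "Profile $profileName verified as $($identity.Arn) in account $($identity.Account)"
```

Save it as New-MgmtProfile.ps1 in the LazyStackSettings folder and run `.\New-MgmtProfile.ps1 -OrgCode Az` (substituting your OrgCode). The explicit $LASTEXITCODE checks are there because PowerShell does not stop on a failing native command even with $ErrorActionPreference set to Stop, and the ARN pattern check catches the case where the CSV was generated for the wrong account or user.
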
  8. Secure your Root User Account Credentials.
    You will not be using the Root User credentials often. Store them securely where you can find them when you need them, and enable multi-factor authentication (MFA) on the root user as AWS recommends. Never share these credentials with third parties such as vendors or consultants: anyone holding your Root User credentials can do anything in your account, including closing it. Do not use the root credentials for deployment or operations. LazyStack creates CLI Access Profiles on your management workstation that are used for those purposes.

  9. Install the AWS SAM CLI. Only install Docker if you know you need it; it is not required for LazyStack local debugging.

Step Summary

In this step we created a new AWS Management Account, added an IAM User "OrgMgmt" with AdministratorAccess, installed the AWS CLI on our workstation and configured an AWS CLI profile for the IAM User "OrgMgmt". Now we can perform most administrative tasks on the Management Account using the AWS CLI.