AWS Quickstart Guide
Welcome to AWS via Crayon. The following covers the minimum you need to know to effectively get started using your AWS Management Account.
Change the passphrase
Reach out to your local Crayon representative if you did not receive credentials.
Sign in to the AWS Console using the sign-in URL, username and one-time passphrase that you have been provided.
The first time you sign in, you must create a new passphrase.
Create a strong passphrase and safeguard it against unauthorized access.
Tip
A strong passphrase is one that is not easily guessed by a human or a machine.
Substantial length (14+ characters) and a mix of character types (numbers, lower case letters, upper case letters and symbols) are signs of a strong passphrase.
The easiest way to get both length and variety while keeping the passphrase memorable is to use something like a regular sentence.
It can be a random selection of words, a saying or a quote, as long as it cannot be easily guessed by someone who knows you well and is not reused from any other service.
Activate MFA
Once the passphrase has been changed, you must activate MFA. Most permissions will be denied until MFA is active.
- Go to Security Credentials.
- Assign MFA-device.
- Follow the instructions for assigning the MFA device of your choice. Once this has been completed, sign out of the account, and back in again.
Screenshot: Security Credentials
Screenshot: Assign MFA-device
Important
Remember to sign out of the account and back in again to gain permissions. The MFA condition is evaluated when the session is created, so the session you used to assign the device does not gain permissions until you sign in again.
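The same rule applies to CLI and API calls: a long-lived access key on its own carries no MFA, so a script run with plain keys hits the same denials until it obtains MFA-backed temporary credentials. The following is an added example, not part of Crayon's guide, showing how to confirm that a user has an MFA device assigned and how to mint a temporary session with it using the AWS CLI. The account ID, the user name and the virtual-MFA serial format (arn:aws:iam::<account-id>:mfa/<user-name>) are assumptions; a hardware token uses its printed serial instead.

```shell
#!/usr/bin/env bash
# Added example: obtain MFA-backed temporary credentials for CLI use.
# Assumptions: the user has a *virtual* MFA device whose serial number is the
# ARN arn:aws:iam::<account-id>:mfa/<user-name>. Account ID and user name are
# placeholders. Requires the aws CLI and network access for the aws calls.
set -eu

# Build the virtual MFA serial (ARN) for a user; rejects malformed account IDs.
mfa_serial() {
  local account_id="$1" user="$2"
  case "$account_id" in
    [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
    *) echo "invalid account id: $account_id" >&2; return 1 ;;
  esac
  printf 'arn:aws:iam::%s:mfa/%s\n' "$account_id" "$user"
}

# A TOTP code is exactly six digits; catch typos before making a call.
valid_token_code() {
  case "$1" in
    [0-9][0-9][0-9][0-9][0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# Does the user actually have an MFA device assigned? (needs iam:ListMFADevices)
has_mfa_device() {
  [ -n "$(aws iam list-mfa-devices --user-name "$1" \
           --query 'MFADevices[].SerialNumber' --output text)" ]
}

# Exchange the long-lived key plus a fresh TOTP code for temporary credentials
# whose session has aws:MultiFactorAuthPresent=true. Prints export lines for eval.
mfa_session() {
  local serial="$1" code="$2" duration="${3:-3600}" creds
  valid_token_code "$code" || { echo "token code must be 6 digits" >&2; return 1; }
  creds="$(aws sts get-session-token \
      --serial-number "$serial" --token-code "$code" \
      --duration-seconds "$duration" \
      --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
      --output text)" || return 1
  # shellcheck disable=SC2086  # intentional split of the tab-separated triple
  set -- $creds
  [ "$#" -eq 3 ] || { echo "unexpected STS response" >&2; return 1; }
  printf 'export AWS_ACCESS_KEY_ID=%s\n' "$1"
  printf 'export AWS_SECRET_ACCESS_KEY=%s\n' "$2"
  printf 'export AWS_SESSION_TOKEN=%s\n' "$3"
}

# Usage (interactive):
#   eval "$(./mfa_session.sh 123456789012 alice 123456)"
#   aws sts get-caller-identity     # now runs with an MFA-backed session
if [ "$#" -eq 3 ]; then
  has_mfa_device "$2" || { echo "no MFA device assigned to $2" >&2; exit 1; }
  mfa_session "$(mfa_serial "$1" "$2")" "$3"
fi
```

The temporary credentials expire after the requested duration (one hour by default here); re-run with a fresh code rather than extending the lifetime of the underlying access key.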
Create IAM-users/roles
Tip
If you don't need another user right now, you can jump to creating a new AWS workload account.
The initial IAM-user provided with a new AWS Management Account from Crayon is configured with a permissions boundary.
This boundary helps protect:
- Crayon billing integration
- Crayon billing configuration
- Crayon billing information
- Crayon agent access roles
The boundary still lets you manage permissions, but it adds one requirement when creating new IAM-users/roles: each of them must carry the same boundary, otherwise the create call is denied.
How to create an IAM-user with the correct permissions boundary
New IAM-users/roles must have the same permissions boundary (CrayonBoundary) attached at creation time.
- Navigate to users in the IAM Console.
- Click Add Users.
- Enter the name of the IAM-user.
- Use a personal email address for the username.
An email address is not required, but helpful in case someone needs to contact the user.
Making it personal helps avoid secrets-sharing and diffusion of responsibility.
Aliased or plus-addressed personal email addresses are fine if you want to keep private information out of the username.
- Configure the initial access method.
- Leave programmatic access unselected. The user can create an access key later if one is actually needed; long-lived access keys are a common source of leaked credentials, so do not hand them out by default.
- Select AWS Management Console access.
- Select autogenerated password.
- Require that the user must create a new password at next sign-in.
- Configure permissions and boundary.
- Complete the process.
Screenshot: Add users
Screenshot: Add users (name and initial access method)
Screenshot: Add users (configure permissions and boundary)
Important
Make sure that you do exactly what is shown on the above screenshot (configure permissions and boundary). If CrayonBoundary is not configured properly, the user creation will fail with an access denied error.
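The console steps above have a CLI equivalent, and the CLI is also the easiest way to check that existing users still carry the boundary. The following is an added example, not Crayon's own tooling: it creates a console-only user (and optionally a role) with the boundary attached and audits all users for a missing or different boundary. It assumes CrayonBoundary is a customer-managed policy in the account with no path, i.e. arn:aws:iam::<account-id>:policy/CrayonBoundary; the account ID and names are placeholders.

```shell
#!/usr/bin/env bash
# Added example: create an IAM user or role with the CrayonBoundary permissions
# boundary attached, and audit for users that lack it.
# Assumption: the boundary policy lives in this account at
# arn:aws:iam::<account-id>:policy/CrayonBoundary (no path).
set -eu

BOUNDARY_NAME="CrayonBoundary"

# Boundary ARN for a given account; rejects malformed account IDs.
boundary_arn() {
  local account_id="$1"
  case "$account_id" in
    [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
    *) echo "invalid account id: $account_id" >&2; return 1 ;;
  esac
  printf 'arn:aws:iam::%s:policy/%s\n' "$account_id" "$BOUNDARY_NAME"
}

# Account ID of the credentials in use, so the ARN is never hard-coded.
current_account() {
  aws sts get-caller-identity --query Account --output text
}

# Console-only user: no access key, random one-time password, reset forced at
# first sign-in. The password must satisfy the account's password policy.
create_user_with_boundary() {
  local user="$1" arn pw
  arn="$(boundary_arn "$(current_account)")"
  aws iam create-user --user-name "$user" --permissions-boundary "$arn" >/dev/null
  pw="$(tr -dc 'A-Za-z0-9!@#%^*-' </dev/urandom | head -c 24)"
  aws iam create-login-profile --user-name "$user" --password "$pw" \
      --password-reset-required >/dev/null
  echo "created $user; one-time password: $pw"
}

# Roles are subject to the same rule. The trust policy JSON is supplied by the caller.
create_role_with_boundary() {
  local role="$1" trust_json="$2" arn
  arn="$(boundary_arn "$(current_account)")"
  aws iam create-role --role-name "$role" \
      --assume-role-policy-document "$trust_json" \
      --permissions-boundary "$arn" >/dev/null
}

# Boundary attached to one user, or "None" when absent. ListUsers omits this
# attribute, so each user has to be queried individually.
user_boundary() {
  aws iam get-user --user-name "$1" \
      --query 'User.PermissionsBoundary.PermissionsBoundaryArn' --output text
}

# Print every user whose boundary is missing or is not CrayonBoundary.
audit_user_boundaries() {
  local expected u
  expected="$(boundary_arn "$(current_account)")"
  for u in $(aws iam list-users --query 'Users[].UserName' --output text); do
    [ "$(user_boundary "$u")" = "$expected" ] || echo "MISSING BOUNDARY: $u"
  done
}

# Usage: ./iam_boundary.sh create jane.doe@example.com
#        ./iam_boundary.sh audit
case "${1:-}" in
  create) create_user_with_boundary "$2" ;;
  audit)  audit_user_boundaries ;;
esac
```

If the boundary ARN is wrong (for example the policy has a path), create-user fails with the same access denied error described above; fix the ARN rather than dropping the --permissions-boundary flag.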
Create/Invite accounts
AWS Best Practice
"Use the management account only for tasks that require the management account"
Another way to say this is: host workloads in workload accounts.
Workload accounts are sometimes referred to as member accounts, linked accounts, child accounts or sub accounts. These terms all refer to the same kind of AWS account: one that is joined to an AWS Organization and that is suitable for hosting workloads.
The important distinction is from the management account, which serves a unique purpose in an AWS Organization and should be reserved for billing, account management and governance.
You can create new, or add existing accounts in AWS Organizations.
Create a new AWS workload account
Tip
If you want to invite an AWS account instead, see below.
- Go to Organization.
- Click "Add an AWS account".
- Select create.
- Provide a suitable name for the new AWS account.
- Provide a valid email address that you control and that is not already used as the root email of any AWS account; it becomes the root user of the new account.
- (Optional) Change the administrative role name (default: OrganizationAccountAccessRole). This role is created in the new account and trusts the management account; assuming it is how you first get into the new account.
- (Optional) Configure tags.
Tip
See below for related screenshots.
Invite an existing AWS account
Tip
The existing AWS account must be a standalone account for it to be able to accept an invitation.
A standalone AWS account is one that is neither a management account nor joined to an AWS Organization.
- Go to Organization.
- Click "Add an AWS account".
- Select invite.
- Provide a 12-digit AWS account ID or the AWS account email address (root username) for the account you wish to invite.
- (Optional) Provide a custom message.
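Both procedures above (create a new workload account, invite an existing standalone account) can be driven from the management account with the AWS CLI. The following is an added example, not part of Crayon's guide: it creates a member account and waits for the asynchronous request to settle, or sends an invitation given either a 12-digit account ID or the root email address. Names, email addresses and the account ID are placeholders.

```shell
#!/usr/bin/env bash
# Added example: create a workload account, or invite a standalone account,
# from the management account using the AWS CLI. All identifiers are placeholders.
set -eu

# Accept either a 12-digit account ID or the root email and return the
# --target value that invite-account-to-organization expects.
org_target() {
  local who="$1"
  case "$who" in
    [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9])
      printf 'Id=%s,Type=ACCOUNT\n' "$who" ;;
    *@*.*)
      printf 'Id=%s,Type=EMAIL\n' "$who" ;;
    *)
      echo "expected a 12-digit account id or a root email, got: $who" >&2
      return 1 ;;
  esac
}

# Create a member account. The role defaults to OrganizationAccountAccessRole,
# which is created in the new account and trusts the management account.
# Creation is asynchronous, so poll the request until it succeeds or fails.
create_workload_account() {
  local name="$1" email="$2" role="${3:-OrganizationAccountAccessRole}" req_id state
  req_id="$(aws organizations create-account \
      --account-name "$name" --email "$email" --role-name "$role" \
      --query 'CreateAccountStatus.Id' --output text)"
  while :; do
    state="$(aws organizations describe-create-account-status \
        --create-account-request-id "$req_id" \
        --query 'CreateAccountStatus.State' --output text)"
    case "$state" in
      SUCCEEDED)
        aws organizations describe-create-account-status \
            --create-account-request-id "$req_id" \
            --query 'CreateAccountStatus.AccountId' --output text
        return 0 ;;
      FAILED)
        aws organizations describe-create-account-status \
            --create-account-request-id "$req_id" \
            --query 'CreateAccountStatus.FailureReason' --output text >&2
        return 1 ;;
      *) sleep 5 ;;
    esac
  done
}

# Invite an existing standalone account. The invitee must accept the handshake
# from its own root or administrator before it becomes a member.
invite_account() {
  local target
  target="$(org_target "$1")"
  if [ -n "${2:-}" ]; then
    set -- --target "$target" --notes "$2"
  else
    set -- --target "$target"
  fi
  aws organizations invite-account-to-organization "$@" \
      --query 'Handshake.Id' --output text
}

# Usage: ./org_accounts.sh create "Payments Prod" aws-payments-prod@example.com
#        ./org_accounts.sh invite 123456789012 "Please join the Crayon org"
case "${1:-}" in
  create) create_workload_account "$2" "$3" "${4:-}" ;;   # name email [role]
  invite) invite_account "$2" "${3:-}" ;;                # id-or-email [message]
esac
```

A FAILED state usually reports EMAIL_ALREADY_EXISTS or ACCOUNT_LIMIT_EXCEEDED in the failure reason, which maps directly to the email and standalone-account requirements listed above.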