1. Introduction

In this post, we’ll create an AWS account and configure the essential points to start using cloud services securely.

2. Problem: Email Already Used in AWS

AWS does not allow reusing an email that has already been associated with an account, even if it was closed. If you try to use the same address, you’ll get an error.

⚠️ Important
Once an email is associated with an AWS account, it cannot be reused even if the account is closed. Plan accordingly when creating your AWS account.

2.1. Solutions

| Solution | Description | Recommendation |
|---|---|---|
| Different email | Use a completely different email address | Simple but requires multiple emails |
| Reactivate old account | Contact AWS Support | Best if you had a previous account |
| Email aliases | Use Gmail/Outlook aliases | Recommended |

📧 Email Aliases Explained

Add +alias to your email. AWS treats it as a different address, but you receive everything in the same inbox:

  • youremail+aws@gmail.com
  • youremail+test@gmail.com
  • youremail+dev@gmail.com

This works with most email providers including Gmail, Outlook, and others.

3. Creating AWS Account

3.1. Prerequisites

| Requirement | Description |
|---|---|
| Valid Email | Email address not previously used with AWS |
| Phone Number | For account verification |
| Credit Card | Required even for Free Tier usage |
| Valid Address | Billing and contact information |

3.2. Account Creation Steps

📋 Step-by-Step Account Creation
  1. Access the AWS account creation page
  2. Fill in the data:
    • Root user email: Main account email
    • AWS account name: Account identifier name
    • Password: Choose a strong password for the root account
    • Contact information: Name, phone, address
    • Payment method: Credit card required (even on Free Tier)
    • Support plan: Basic Support (free)
  3. Confirm and finalize registration

4. MFA for Root User

To add an extra layer of protection to your AWS root account, Amazon recommends enabling Multi-Factor Authentication (MFA). This significantly improves account security.

🔒 Security Critical
Enabling MFA for your root user is mandatory for production environments. This protects against unauthorized access even if your password is compromised.

4.1. MFA Device Options

| MFA Type | Security Level | Recommendation |
|---|---|---|
| Authenticator App | 🟢 High | Recommended |
| Security Key | 🟢 Very High | Great for high-security needs |
| Hardware TOTP Token | 🟢 High | Good but less convenient |

📱 Recommended Authenticator Apps
  • Google Authenticator (Free, widely supported)
  • Microsoft Authenticator (Free, cloud backup)
  • Authy (Free, multi-device sync)
  • 1Password (Paid, integrated password manager)

5. Admin User

After setting up MFA for the root user, create an Admin user. The root user should only be used in critical situations; it’s recommended to use an IAM user with administrative permissions for day-to-day account management.

👑 Root User Best Practice
Never use the root user for daily operations. Create an admin user instead and reserve root access only for critical account-level tasks.

5.1. Creating the Admin User

In IAM, click “Create user” to start.

πŸ” When to Use Root vs Admin User

Root User Only For:

  • Changing account settings
  • Closing your AWS account
  • Restoring IAM user permissions
  • Changing AWS support plan

Admin User For:

  • Daily AWS operations
  • Creating resources
  • Managing services
  • Everything else

5.1. User Details

  • Username: Define a name for the user
  • Console access: Select “Provide user access to the AWS Management Console”
  • User type: Choose “I want to create an IAM user”
  • Console password: Choose “Custom password” and disable “Users must create a new password at next sign-in”

5.2. User Permissions

Configure permissions for the admin user:

  • Select “Attach policies directly”
  • Add the AdministratorAccess policy: “Provides full access to AWS services and resources”
πŸ” Security Best Practice
For other users or teams, follow the Least Privilege Principle and assign more granular permissions. Only the admin user should have full access.
πŸ“‹ Common IAM Policies for Different Roles
RolePolicyUse Case
DeveloperPowerUserAccessMost services except IAM
Read-OnlyReadOnlyAccessAuditing and monitoring
BillingBillingCost management only
EC2 AdminAmazonEC2FullAccessEC2 instances management

5.3. Review and Create

Review the user details and permissions summary, then click “Create user”. Your admin user is now ready to use!

6. Billing Alarm

A simple way to avoid billing surprises is to create a billing alarm: an alert that notifies you when account costs reach a predefined threshold.

💸 Cost Control Critical
Setting up billing alarms is essential to prevent unexpected charges. AWS costs can accumulate quickly if resources are left running accidentally.

6.1. Enabling Billing Alerts

📊 Step-by-Step Billing Alert Setup
  1. Access: Billing and Cost Management
  2. Navigate to: Billing preferences > Alert preferences
  3. Enable:
    • ✅ CloudWatch billing alerts
    • ✅ AWS Free Tier Alerts

| Account Type | Suggested Threshold | Purpose |
|---|---|---|
| Learning/Testing | $5-10 | Prevent accidental charges |
| Small Projects | $25-50 | Early warning for growth |
| Production | Based on budget | Percentage of monthly budget |

This activates billing alerts via AWS CloudWatch.

6.3. Creating the CloudWatch Alarm

βš™οΈ CloudWatch Alarm Configuration Steps
  1. Access CloudWatch and go to Alarms > Create Alarm
  1. Select metric: Billing > TotalEstimatedCharge
  1. Configure alarm actions:
    • Set threshold value (e.g., $5)
    • Create SNS topic for notifications
    • Add your email as subscriber
  1. Add name and description for the alarm
  1. Confirm email subscription to receive alerts
πŸ“§ Email Confirmation Required
Don’t forget to confirm your email subscription to SNS, or you won’t receive the billing alerts!
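
The same alarm can be created from a script. This is an added example, not code from the original post: it uses boto3 against the AWS/Billing EstimatedCharges metric, which AWS publishes only in us-east-1, and it lists subscriptions that are still waiting for email confirmation. The topic name, alarm name and email address are placeholder assumptions.

```python
BILLING_REGION = "us-east-1"  # billing metrics are published only in this region


def create_billing_alarm(sns, cloudwatch, email, threshold_usd,
                         topic_name="billing-alerts"):  # topic name is an assumption
    """Create the SNS topic, email subscription and alarm; return (topic_arn, alarm_name)."""
    if threshold_usd <= 0:
        raise ValueError("threshold must be a positive dollar amount")
    # create_topic is idempotent: an existing topic with this name is reused.
    topic_arn = sns.create_topic(Name=topic_name)["TopicArn"]
    sns.subscribe(TopicArn=topic_arn, Protocol="email", Endpoint=email)
    alarm_name = f"billing-over-{threshold_usd:g}-usd"  # alarm name is an assumption
    cloudwatch.put_metric_alarm(
        AlarmName=alarm_name,
        AlarmDescription=f"Estimated charges exceeded ${threshold_usd:g}",
        Namespace="AWS/Billing",
        MetricName="EstimatedCharges",
        Dimensions=[{"Name": "Currency", "Value": "USD"}],
        Statistic="Maximum",
        Period=21600,  # 6 hours; the estimate is refreshed only a few times a day
        EvaluationPeriods=1,
        Threshold=float(threshold_usd),
        ComparisonOperator="GreaterThanThreshold",
        AlarmActions=[topic_arn],
    )
    return topic_arn, alarm_name


def pending_subscriptions(sns, topic_arn):
    """Return endpoints that have not confirmed yet and so receive no alerts."""
    subs = sns.list_subscriptions_by_topic(TopicArn=topic_arn)["Subscriptions"]
    return [s["Endpoint"] for s in subs
            if s["SubscriptionArn"] == "PendingConfirmation"]


if __name__ == "__main__":
    import boto3  # needs credentials allowed to manage SNS and CloudWatch alarms

    sns = boto3.client("sns", region_name=BILLING_REGION)
    cw = boto3.client("cloudwatch", region_name=BILLING_REGION)
    arn, name = create_billing_alarm(sns, cw, "youremail+aws@gmail.com", 5)
    print(f"Created alarm {name}")
    for endpoint in pending_subscriptions(sns, arn):
        print(f"Waiting for email confirmation from {endpoint}")
```

Run it with the admin user's credentials after billing alerts have been enabled in section 6.1; until then the EstimatedCharges metric has no data.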

7. Billing Access for Admin User

When accessing Billing and Cost Management with the admin user, you may encounter “Access denied” messages.

🚫 Common Issue
By default, only the root user can access billing information. You need to explicitly enable this for IAM users.

7.1. Enabling Billing Access

🔓 Step-by-Step Billing Access Configuration
  1. Login as Root user
  2. Go to: Billing and Cost Management > Account
  3. Enable: “IAM user/role access to billing information”

💡 What This Enables
This grants admin users permission to access Cost Explorer, billing information, and cost management tools.

8. MFA for Admin User

Now that you can access the account with the Admin user, add MFA for this user as well. The process is the same as we did for the Root user.

πŸ” Double Security
Enabling MFA for your admin user provides an additional security layer for daily operations. Use the same authenticator app for convenience.
πŸ“± MFA Setup Tips
  • Use the same authenticator app as your root user
  • Label the account clearly (e.g., “AWS - Admin User”)
  • Back up your MFA codes securely
  • Test the MFA before logging out
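
To confirm that MFA is active on both the root user and the admin user, and that root is not being used for daily work, the IAM credential report can be checked with a short script. This is an added example, not code from the original post: the sample rows are constructed, use the report's column names with the unused columns left out, and the 30-day root-usage window is an assumption.

```python
import csv
import io
import time
from datetime import datetime, timedelta, timezone

# Constructed sample rows (account ID and user names are placeholders).
SAMPLE_REPORT = """\
user,arn,password_enabled,password_last_used,mfa_active
<root_account>,arn:aws:iam::111122223333:root,not_supported,2024-06-09T08:30:00+00:00,true
admin,arn:aws:iam::111122223333:user/admin,true,2024-06-10T09:00:00+00:00,false
ci-bot,arn:aws:iam::111122223333:user/ci-bot,false,N/A,false
"""


def audit_credential_report(report_csv, now, root_idle_days=30):
    """Return (user, finding) pairs for the MFA and root-usage checks."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        has_mfa = row["mfa_active"] == "true"
        if user == "<root_account>":
            if not has_mfa:
                findings.append((user, "root user has no MFA device"))
            try:
                last_login = datetime.fromisoformat(row["password_last_used"])
            except ValueError:  # "N/A" or "no_information"
                last_login = None
            if last_login and now - last_login < timedelta(days=root_idle_days):
                findings.append((user, "root signed in to the console recently"))
        elif row["password_enabled"] == "true" and not has_mfa:
            findings.append((user, "console user has no MFA device"))
    return findings


def fetch_report(iam):
    """Download the report with a boto3 IAM client (generation is asynchronous)."""
    while iam.generate_credential_report()["State"] != "COMPLETE":
        time.sleep(2)
    return iam.get_credential_report()["Content"].decode("utf-8")


if __name__ == "__main__":
    # Fixed timestamp so the constructed sample gives the same result every run.
    now = datetime(2024, 6, 10, 12, 0, tzinfo=timezone.utc)
    for user, finding in audit_credential_report(SAMPLE_REPORT, now):
        print(f"{user}: {finding}")
```

Against a real account, pass `fetch_report(boto3.client("iam"))` and `datetime.now(timezone.utc)` instead of the sample values.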

9. Conclusion

Your AWS account is now configured with initial security best practices:

✅ Security Checklist Completed
  • MFA enabled for root user - Protects against unauthorized access
  • 👤 Admin user created - For daily operations with appropriate permissions
  • MFA enabled for admin user - Secures day-to-day account access
  • 💸 Billing alarm configured - Prevents unexpected charges
  • 📊 Billing access enabled - Admin user can monitor costs

🚀 Ready to Go!
Your AWS account is now secure and ready for production use. Remember to follow the principle of least privilege when adding new users.
