I often read or hear about people starting their AWS journey by setting up new AWS account and getting themselves into trouble when someone breaks in and runs up a huge bills.

With that in mind I thought I would write a CloudFormation template with the services I recommend in a base setup and also describe some of the things I setup.

Root MFA

Once you’ve signed up with your “Root” user, setup MFA:

https://console.aws.amazon.com/iam/home?region=us-east-1#/security_credentials

IAM User

Now go and setup an IAM user:

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html

https://console.aws.amazon.com/iamv2/home?#/users

And of course make sure you setup MFA again on the IAM user.

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable.html

From now on, make sure you use your IAM users with MFA. There are more complex setups (using roles and policies enforcing MFA, but I’ll leave that as an exercise for the reader as it’s an advanced topic).

Free Tier Alerts

Last thing that you can’t easily do with CloudFormation, is to setup Free Tier alerts:

https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/tracking-free-tier-usage.html

https://console.aws.amazon.com/billing/home?#/preferences

All the good stuff

Finally deploy this CloudFormation template which will setup the following services:

• CloudTrail (All Regions)
• CloudTrail Bucket (With 90 Day deletion lifecycle policy)
• Budgets
• Cost Anomaly Detection
• Billing Alert
• Root Activity Alert

Make sure you deploy this in us-east-1!

Note, this is a really simple setup to get you going and provide some level of protection. It may not work for every scenario and I recommend, you spend some time understanding what it is doing and modifying it as you see fit.

Hopefully this saves some people from having their AWS accounts compromised and provides a safer environment for everyone getting started in AWS.