For increased security and isolation of concerns, I decided to set up a subaccount on AWS to manage projects like my personal blog. This way, the primary account could focus on just managing billing, with no other responsibilities. Under the secondary account (the subaccount) I also created an administrative user to log in as, instead of always using the root user for the subaccount. This is recommended per AWS best practices, because revoking access to a root account can be tricky.
First, I had to set up consolidated billing on my primary account. To do this:
- I went to My Account in AWS and, under Consolidated billing, clicked through to AWS Organizations.
- On the AWS Organizations page I was brought to, I clicked Add account.
- I entered my desired AWS account name and email (I left IAM role name blank for now) and clicked Create.
AWS gave me an error when I tried to click Create, saying "You cannot add accounts to your organization while it is initializing. Try again later". So in the meantime I went to my email and verified my email address through the email I received from AWS.
After waiting for about 5 minutes, Create finally worked; after another few minutes, I received an email from AWS informing me my new account was created.
I then went to sign in to AWS, opting to sign in as a Root user. I entered the email I chose when creating the new account, clicked Next, then clicked Forgot password?. This was necessary because AWS autogenerates an unrecoverable password for the root user when the account is created. I asked for a password reset to be sent, then when the email arrived I followed the instructions to reset the password.
After completing the password reset, I was able to log in with the email of the new account and the new password. From there, I went to My Security Credentials, where I chose Activate MFA with a Virtual MFA device.
From there, I went to IAM to set up an admin user that I could use for day-to-day operations (per AWS best practices). I created a new user with the user name molly and enabled Programmatic access and AWS Management Console access.
On the Permissions page, I did the following:
- Chose Add user to group.
- Selected the check box for the group.
- Clicked Next: Tags.
Then I chose Create user. I added the Access key ID, Secret access key, and account ID to my password manager.
I then logged out from AWS, and logged in as this newly created administrative user instead. From here, I could use AWS as normal.
I also configured AWS CLI for command line access to AWS:
```
$ aws configure
AWS Access Key ID [None]: *************EXAMPLE
AWS Secret Access Key [None]: ******************************EXAMPLEKEY
Default region name [None]: us-east-2
Default output format [None]: json
```
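The same setup done from the command line, as an added example that is not part of the original post: it runs from the primary (billing) account and assumes the subaccount was created with the IAM role name left blank, so AWS put its default OrganizationAccountAccessRole in it. The subaccount id, the Administrators group, the blog-admin profile name and the AWS_CLI variable (there so the aws binary can be swapped for a stub) are my own placeholders.

```shell
# Added example (not the post's own commands): CLI version of the console steps
# above. Assumes the default OrganizationAccountAccessRole exists in the subaccount;
# SUB_ACCOUNT_ID, ADMIN_GROUP and LOCAL_PROFILE are placeholders I chose.
set -eu
AWS_CLI="${AWS_CLI:-aws}"                          # swap for a stub in tests
SUB_ACCOUNT_ID="${SUB_ACCOUNT_ID:-111111111111}"  # placeholder subaccount id
ADMIN_USER="${ADMIN_USER:-molly}"                 # user name used in the post
ADMIN_GROUP="${ADMIN_GROUP:-Administrators}"
LOCAL_PROFILE="${LOCAL_PROFILE:-blog-admin}"      # named profile, not the default

# 1. Short-lived credentials for the subaccount via the role AWS created for it.
assume_subaccount_role() {
  "$AWS_CLI" sts assume-role --role-session-name bootstrap \
    --role-arn "arn:aws:iam::${SUB_ACCOUNT_ID}:role/OrganizationAccountAccessRole" \
    --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' --output text
}

# 2. In the subaccount: admin group + user, so root is not used day to day.
#    Prints only "KEYID SECRET" so the caller can capture the new access key.
create_admin_user() {
  "$AWS_CLI" iam create-group --group-name "$ADMIN_GROUP" >/dev/null
  "$AWS_CLI" iam attach-group-policy --group-name "$ADMIN_GROUP" \
    --policy-arn arn:aws:iam::aws:policy/AdministratorAccess >/dev/null
  "$AWS_CLI" iam create-user --user-name "$ADMIN_USER" >/dev/null
  "$AWS_CLI" iam add-user-to-group --user-name "$ADMIN_USER" \
    --group-name "$ADMIN_GROUP" >/dev/null
  "$AWS_CLI" iam create-login-profile --user-name "$ADMIN_USER" \
    --password "${INITIAL_PASSWORD:?set an initial console password}" \
    --password-reset-required >/dev/null
  "$AWS_CLI" iam create-access-key --user-name "$ADMIN_USER" \
    --query 'AccessKey.[AccessKeyId,SecretAccessKey]' --output text
}

# 3. Store the key under a named profile (what `aws configure` does above).
configure_local_profile() {
  "$AWS_CLI" configure set aws_access_key_id "$1" --profile "$LOCAL_PROFILE"
  "$AWS_CLI" configure set aws_secret_access_key "$2" --profile "$LOCAL_PROFILE"
  "$AWS_CLI" configure set region us-east-2 --profile "$LOCAL_PROFILE"
  "$AWS_CLI" configure set output json --profile "$LOCAL_PROFILE"
}

bootstrap_subaccount_admin() {
  creds=$(assume_subaccount_role); set -- $creds
  export AWS_ACCESS_KEY_ID="$1" AWS_SECRET_ACCESS_KEY="$2" AWS_SESSION_TOKEN="$3"
  key=$(create_admin_user); set -- $key
  unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN  # drop role creds
  configure_local_profile "$1" "$2"
}
```

Source the file, set SUB_ACCOUNT_ID and INITIAL_PASSWORD, then call bootstrap_subaccount_admin; the root password reset and MFA steps above still happen in the console.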