AWS Foundations & Developer Toolkit

Setting Up Your AWS Account Like a Pro


Marcus opened his AWS account on a Tuesday morning. By Wednesday night, someone in Romania was running a Bitcoin miner on his credit card, racking up $4,800 in EC2 charges before he caught it. He had logged in once as the root user, copied an access key to a side project on GitHub, and forgotten about it.

This chapter is the one most courses skip — the boring setup stuff — because skipping it is exactly how stories like Marcus's happen.

The Root User Is Not Your Daily Driver

When you sign up for AWS, you become the root user — the account holder with unlimited power. You can delete every resource, close the account, and change the billing address. There is no undo button.

Treat the root user the way you would treat a master key to a building you own:

  • Use it only to set up the account on day one;
  • Lock it away with MFA the moment you finish setup;
  • Never generate an access key from it. Ever.

Every other action — yours and your team's — should go through an IAM user or a federated identity. We will cover those in chapter 8.

Multi-Factor Authentication Is Non-Negotiable

Within the first ten minutes of your new account, enable MFA on the root user. AWS supports:

  • Virtual MFA apps like Authy or Google Authenticator;
  • Hardware security keys (YubiKey is the common choice);
  • SMS — technically supported, but skip it. SIM swaps are real.

Once MFA is on, the root user is dramatically harder to compromise even if someone steals the password.

Billing Alerts Save Careers

AWS bills monthly. By the time the invoice arrives, the damage is done. Set up two safety nets on day one:

  • A CloudWatch billing alarm that emails you when monthly charges cross a low threshold like $20;
  • AWS Budgets with a hard daily forecast — so a runaway Lambda does not quietly spend $300 overnight.

Marcus did not have either. Both take about five minutes to configure.

Organizations and Multiple Accounts

For anything beyond a personal sandbox, the modern pattern is multiple AWS accounts managed through AWS Organizations:

  • One account for production;
  • One for staging;
  • One per developer or team for experimentation;
  • A central billing account that pays for them all.

This isolation means a misconfigured S3 bucket in staging cannot expose production data, and a runaway dev experiment cannot take down customer workloads. Organizations also gives you Service Control Policies (SCPs) — guardrails that apply across every account at once.

Region and Default VPC

Pick a default region close to your users — us-east-1 (N. Virginia) is common but not automatic. Every new account ships with a default VPC in each region, which is fine for learning but worth replacing in production. We will dig into regions in the next chapter.

What Good Looks Like

A healthy AWS account, on day one, has:

  • Root user with MFA enabled and no access keys;
  • At least one IAM user or federated identity for day-to-day work;
  • A CloudWatch billing alarm at a low threshold;
  • An AWS Budget with email notifications;
  • A clear answer to "what region do my resources live in".

Get those five right, and you have already done more than 80% of AWS accounts.
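To turn the checklist above (and the billing safety nets from earlier) into something you can actually run against an account, here is an added example that is not part of the course material. It checks root MFA, root access keys, a billing alarm and a cost budget from data in the shapes returned by `aws iam get-account-summary`, `aws cloudwatch describe-alarms` and `aws budgets describe-budgets`; the sample accounts below are constructed, and the $20 ceiling is the chapter's suggested threshold.

```python
# Added example (not code from the course): a day-one audit of the checklist
# above. Inputs mirror the JSON returned by `aws iam get-account-summary`
# (SummaryMap), `aws cloudwatch describe-alarms` (MetricAlarms) and
# `aws budgets describe-budgets` (Budgets); the sample data is constructed.

def audit_account(summary_map, metric_alarms, budgets, alarm_ceiling=20.0):
    """Return a list of findings; an empty list means the account passes."""
    findings = []
    # Root MFA and root access keys come straight from the IAM account summary.
    if summary_map.get("AccountMFAEnabled", 0) != 1:
        findings.append("root user has no MFA device")
    if summary_map.get("AccountAccessKeysPresent", 0) != 0:
        findings.append("root user still has an access key")
    # A billing alarm is a CloudWatch alarm on AWS/Billing EstimatedCharges.
    billing = [a for a in metric_alarms
               if a.get("Namespace") == "AWS/Billing"
               and a.get("MetricName") == "EstimatedCharges"]
    if not billing:
        findings.append("no CloudWatch billing alarm")
    elif min(a["Threshold"] for a in billing) > alarm_ceiling:
        findings.append(f"lowest billing alarm threshold is above ${alarm_ceiling:g}")
    # At least one COST budget should exist (its notifications live separately).
    if not any(b.get("BudgetType") == "COST" for b in budgets):
        findings.append("no AWS Budgets cost budget")
    return findings


# Constructed sample: the state Marcus's account was in on Wednesday night.
MARCUS = dict(
    summary_map={"AccountMFAEnabled": 0, "AccountAccessKeysPresent": 1},
    metric_alarms=[],
    budgets=[],
)

# Constructed sample: the "what good looks like" state from the checklist.
HARDENED = dict(
    summary_map={"AccountMFAEnabled": 1, "AccountAccessKeysPresent": 0},
    metric_alarms=[{
        "AlarmName": "billing-over-20-usd",
        "Namespace": "AWS/Billing",
        "MetricName": "EstimatedCharges",
        "Dimensions": [{"Name": "Currency", "Value": "USD"}],
        "Threshold": 20.0,
    }],
    budgets=[{"BudgetName": "monthly-cap", "BudgetType": "COST",
              "TimeUnit": "MONTHLY",
              "BudgetLimit": {"Amount": "50", "Unit": "USD"}}],
)

if __name__ == "__main__":
    for name, account in (("marcus", MARCUS), ("hardened", HARDENED)):
        print(name, audit_account(**account) or ["ok"])
```

Feed it the live CLI output (`SummaryMap`, `MetricAlarms`, `Budgets`) from a read-only IAM identity and a non-empty list is your day-one to-do list.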
Section 1. Chapter 3