
3 Things You Need to Do When Setting Up Your First AWS Account - kylegalbraith
https://dev.to/kylegalbraith/3-things-you-need-to-do-when-setting-up-your-first-aws-account-9j4
======
technion
The article says "You" so I'll put aside for a moment the situation where
there are three admins and they should all have their own account.

        Great! Now Stop Using Your Root Account

If you can make an unprivileged account for general use, great! Separation of
privs is an awesome thing. But if you're going to make an IAM account with
AdministratorAccess and BillingAccess as described, how is that any safer to
use than the root account? I see this a lot and I'm quite interested in the
reasoning.

I've also found that certain forms, like the Penetration Test permission
form, must be done as root. So you need to use the account occasionally even
if you don't want to.

~~~
minnusox
The root account has no restrictions whatsoever, but you as an admin IAM user
can block yourself from e.g. deleting DynamoDB tables to make accidental
deletion harder:
https://aws.amazon.com/blogs/database/preventing-accidental-table-deletion-in-dynamodb/
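
Added example (not part of the thread or the linked AWS post): a simplified Python model of IAM identity-policy evaluation, showing how an explicit Deny attached next to an Allow-everything admin policy blocks table deletion while leaving other actions allowed. The policy documents, the `evaluate` helper and the table ARN are constructed for illustration; only `dynamodb:DeleteTable` and `dynamodb:PutItem` are real action names.

```python
"""Simplified model of IAM identity-based policy evaluation (illustrative only)."""
from fnmatch import fnmatchcase

# Constructed stand-in for an admin policy: allow every action on every resource.
ADMIN_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Hypothetical guardrail policy attached to the same IAM user.
DENY_TABLE_DELETE = {"Statement": [{
    "Effect": "Deny",
    "Action": ["dynamodb:DeleteTable"],
    "Resource": "arn:aws:dynamodb:*:*:table/*",
}]}

# Constructed sample ARN (placeholder account id).
TABLE = "arn:aws:dynamodb:us-east-1:123456789012:table/orders"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(stmt, action, resource):
    # IAM action names are matched case-insensitively; '*' is a wildcard.
    act = any(fnmatchcase(action.lower(), p.lower()) for p in _as_list(stmt["Action"]))
    res = any(fnmatchcase(resource, p) for p in _as_list(stmt["Resource"]))
    return act and res


def evaluate(policies, action, resource):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one request."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _matches(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"          # an explicit Deny always wins
            allowed = True             # remember the Allow, keep scanning for a Deny
    return "Allow" if allowed else "ImplicitDeny"


if __name__ == "__main__":
    attached = [ADMIN_ACCESS, DENY_TABLE_DELETE]
    for action in ("dynamodb:DeleteTable", "dynamodb:PutItem"):
        print(action, "->", evaluate(attached, action, TABLE))
```

The guardrail protects against accidents only: a user who still holds full IAM permissions can detach the Deny policy and then delete the table.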

------
pmoriarty
_"Configure your billing alarm to send you an email when you cross a
threshold that is more than you can afford."_

Does AWS offer you the option to just have all your services shut down when
spending reaches a threshold?

I'd hate to get billed for something I can't afford when it could be
prevented.

~~~
philwelch
> Does AWS offer you the option to just have all your services shut down when
> spending reaches a threshold?

Not really. “Shut everything down” is a VERY dangerous switch to have; you’re
almost always better off having a billing alarm that prompts you to react in a
more considered manner. Obviously, from this perspective, AWS is targeting
“business-critical production infrastructure” a lot more than “hobbyists” as
the intended customer of AWS; the risk of unintentionally spending lots and
lots of money on AWS is also much greater for organizations that can probably
page someone to address the issue in a more fine-grained manner than just
shutting everything off.

There’s also the question of how that would even work. Do you delete all your
S3 buckets? Or do you just hold the data hostage until the customer increases
the budget enough to access it?

