How to create a clean AWS account for handover

This documents the manual steps required to set up a clean [[AWS]] account for a new product or project. It requires a credit card and assumes that no existing [[AWS Organizations|AWS Organization]] exists. The steps also assume that someone else other than the account owner will be performing the initial account setup, so what's documented here is limited to the steps that can only be performed by the root user. *(These steps are a pre-requisite for the [Serverless Launchpad service](https://serverlessfirst.com/services/launchpad/.))* ## Create AWS Account Go [here](https://portal.aws.amazon.com/billing/signup#/start) to start the new account registration. Decide on the name of your account using the application name and append `-root` to it, e.g. `myapp-root`. Use a naming convention for your email address alias that you use to register the account with, e.g `[email protected]`. **It's important that this address is unique to your product as you cannot use the same root email address to open multiple AWS accounts.** ## Update billing settings Complete the following steps in the AWS Console while logged into the root account as the root user. 1. Enable Billing Alerts by completing Step 1 [here](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/gs_monitor_estimated_charges_with_cloudwatch.html#gs_turning_on_billing_metrics) 2. Enable access to the Billing and Cost Management console by following these steps: - Open [My Account](https://console.aws.amazon.com/billing/home#/account) - Next to **IAM User and Role Access to Billing Information**, choose **Edit**. - Select the **Activate IAM Access** check box to activate access to the Billing and Cost Management console pages. - Choose **Update**. ## Create AWS Organization - Go to [AWS Organizations Console](https://console.aws.amazon.com/organizations/v2/home?#) as root user - Click "Create an organization". It should be auto-created. - Be sure to verify your email address ## Create IAM user for DevOps engineer These steps are required if a DevOps engineer ("paulswail" for this walk-through) is setting up your initial account configuration. If you prefer we can walk through these steps together on a video call. Follow the steps in this note: [[Create IAM user for new AWS account administrator]] Once these steps are complete, the DevOps engineer will be able to access your new account and complete the rest of your AWS multi-account setup. --- ## References The following are reference docs and not required as part of the steps listed above: - [Access to the Billing and Cost Management console](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/control-access-billing.html#ControllingAccessWebsite-Activate) - [OrgFormation Budget Alerts](https://github.com/org-formation/org-formation-cli/blob/298fcd80baecdc1b7258fb1bb33c2f8495ba75ee/examples/readme.md#budget-alarms) tags: [[Business operating procedures MOC|SOP]]