
Getting Started on AWS for Startups

An account setup guide for startup founders new to AWS

Shadiya Refkat
Amazon Employee
Published Dec 10, 2024
After working on my own startup for about two years, I started my journey as a Startup Solutions Architect in November 2023. In the past year, I've had many conversations with founders about best practices for setting up their AWS accounts for the first time. Reflecting on my own startup journey, I remember that navigating multiple comprehensive documents and tutorials to arrive at a secure yet simple initial account setup took me a long time. Like the founders I've spoken with, I wanted a startup-focused guide that streamlines the process. That's why I've created this piece: to provide a step-by-step guide for startups venturing into AWS, sharing the insights and lessons I've gained along the way.
We'll begin with the steps and guidelines for setting up your AWS account, using IAM Identity Center to streamline your access management, and implementing a multi-account strategy to organize your resources effectively. Then, I'll explain how to enable cost and billing management features to help you monitor and control your expenses.

Step 1 - Sign Up and Configure Your AWS Account

Sign up with a proper email address
Starting your AWS journey begins with visiting the AWS console and clicking “Sign up for AWS”. A step-by-step screenshot guide can be found in this tutorial.
When providing the email address, avoid using a personal email address or an individual's work email (like john@startup.com), because the person who set up the account might change roles or leave the company. Instead, use an email alias that can be managed (e.g. cloud@startup.com). Make sure the founders have access to this mailbox and document its credentials in a secure place.
  1. Secure the root user immediately
    When you create an AWS account following the steps above, a root user is created automatically; the email and password you set above are the root user's credentials. The root user has unrestricted access to all AWS services and resources and can perform every action, including changing the payment method or closing the account. Securing this identity is paramount because it holds the keys to your entire AWS environment, so it is highly recommended to turn on multi-factor authentication (MFA) for your root user.
  2. Restrict root user usage
    Because the root user has such extensive permissions, the AWS guide recommends restricting its use to the privileged tasks that require it, such as changing account settings like the email address, performing certain billing operations, or signing up for AWS GovCloud; a full list can be found here. For all other day-to-day management and development tasks, set up additional identities for the users who need access to AWS and have them authenticate with temporary credentials. This approach reduces the risk of credentials being inadvertently disclosed, shared, or stolen.
  3. Plan your access to the AWS account
    Following the latest AWS guidance on this topic, security best practice is to provide access to AWS resources through identity federation (i.e. access managed with IAM Identity Center), which issues temporary credentials to your users and workloads. We will adopt this approach and use AWS IAM Identity Center to manage access to the AWS account in the next step. If you use third-party clients or workloads that don't support IAM Identity Center, you will need to create an IAM user with long-term credentials. Another use case for long-term credentials is an IAM user for emergency access.

Step 2 - Give Co-founders Access to AWS Account

Let’s continue from the previous step, where we decided to use AWS IAM Identity Center to manage access to AWS accounts and resources. AWS IAM Identity Center provides centralized access management, allowing human users, such as cofounders and engineers, to obtain temporary credentials for accessing AWS. You can either integrate an existing identity provider to sync users and groups or create and manage users directly within IAM Identity Center. For most startups without an external identity source, the default Identity Center Directory (automatically configured when you enable IAM Identity Center) is sufficient.
  1. Enable IAM Identity Center
    To enable IAM Identity Center, log in to the AWS Management Console using the root user (email and password) created earlier. Follow this step-by-step guide to enable IAM Identity Center from the AWS Console, making sure you select the option to enable it with AWS Organizations. This setup supports the multi-account strategy we will work on in Step 3.
  2. Give admin access to founders
    Once Identity Center is enabled, a default Identity Center directory is created. Next, add your cofounders as users in IAM Identity Center so that they can log in via the AWS access portal. Follow the steps in this tutorial, which cover: 1. adding a user, 2. creating a group (e.g. Admin Group), 3. adding the user to the group, 4. configuring permissions for the group, and 5. testing user access. Repeat steps 1 and 3 for every cofounder, adding each of them to the Admin group. Each user will then receive an access portal URL in their invitation email, which they use to sign in and access the AWS console.
  3. Configure the AWS CLI for programmatic access
    You can use either temporary credentials or long-term credentials to sign programmatic requests made through the AWS CLI, AWS SDKs, or AWS APIs. The AWS guide recommends using short-term access keys whenever possible for programmatic calls; see this guideline for details. This tutorial walks you step by step through configuring the AWS CLI with IAM Identity Center. For me personally, using the aws configure sso wizard described in the tutorial was the easiest way to set up access.
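The aws configure sso wizard writes an Identity Center profile into ~/.aws/config; profiles that instead carry static access keys are the long-term credentials the guidance above tells you to avoid. The audit script below is an added example (not from the original post) that parses constructed sample config and credentials text and classifies each profile; the profile names, account id and key values are made up.

```python
"""Classify AWS CLI profiles as Identity Center (temporary) or static-key (long-term).
Added example, not part of the original post. All sample values below are constructed."""
import configparser

# Constructed sample of ~/.aws/config using the sso-session format that
# `aws configure sso` writes, plus one legacy profile with no SSO settings.
SAMPLE_CONFIG = """
[profile dev-admin]
sso_session = startup-sso
sso_account_id = 111111111111
sso_role_name = AdministratorAccess
region = us-east-1

[sso-session startup-sso]
sso_start_url = https://d-example.awsapps.com/start
sso_region = us-east-1
sso_registration_scopes = sso:account:access

[profile legacy-ci]
region = us-east-1
"""

# Constructed sample of ~/.aws/credentials (placeholder key, not a real credential).
SAMPLE_CREDENTIALS = """
[legacy-ci]
aws_access_key_id = AKIAEXAMPLEPLACEHOLDER
aws_secret_access_key = EXAMPLE-SECRET-NOT-REAL
"""


def classify_profiles(config_text, credentials_text):
    """Return {profile_name: 'identity-center' | 'static-keys' | 'unknown'}."""
    cfg = configparser.ConfigParser()
    cfg.read_string(config_text)
    creds = configparser.ConfigParser()
    creds.read_string(credentials_text)
    result = {}
    for section in cfg.sections():
        if not section.startswith("profile "):
            continue  # skip [sso-session ...] blocks; they are not profiles
        name = section[len("profile "):]
        opts = cfg[section]
        if "sso_session" in opts or "sso_start_url" in opts:
            result[name] = "identity-center"   # temporary creds via Identity Center
        elif "aws_access_key_id" in opts or (
                creds.has_section(name) and "aws_access_key_id" in creds[name]):
            result[name] = "static-keys"       # long-term IAM user credentials
        else:
            result[name] = "unknown"           # e.g. role_arn/source_profile chains
    return result


if __name__ == "__main__":
    for profile, kind in classify_profiles(SAMPLE_CONFIG, SAMPLE_CREDENTIALS).items():
        print(f"{profile:12s} {kind}")
```

Point it at your real files with `open('~/.aws/config').read()` (after `os.path.expanduser`) to find profiles that still rely on long-term keys.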

Step 3 - Plan Your Multi-Account Strategy

A multi-account strategy involves using separate AWS accounts to manage different workloads, environments, or teams. For early-stage startups, this approach is particularly useful for creating dedicated accounts for development, staging, and production environments. This separation ensures that issues in development or staging don’t accidentally impact your production environment, safeguarding critical operations. It also enhances security by isolating access and resources, reduces the risk of misconfigurations, and allows tailored permissions and policies for each environment. With AWS Organizations, you can maintain centralized control while empowering your team to build, test, and deploy efficiently, setting a strong foundation for growth.
If you enabled IAM Identity Center with the AWS Organizations option in the previous step, you should see an organization already created in the AWS Organizations section of the console. If not, you can create one using this tutorial. The account that created the organization is the management account. It is the ultimate owner of the organization, has final control over security, infrastructure, and finance policy, and acts as the payer account, responsible for all charges incurred by the organization's member accounts. Limit who has access to the management account and avoid deploying workloads to it. For more details, refer to the best practices here.
  1. Design your AWS Organizational Units
    For an early-stage startup, I'd begin with a minimal yet flexible organizational structure that supports both immediate security needs and future scalability. For example, divide the organization root into a small set of foundational Organizational Units (OUs), such as:
    • Workloads OU for environment-specific application accounts:
      • Dev: for development and building new features.
      • Staging: to test and validate changes before production.
      • Production: for hosting live customer-facing applications or critical workloads.
    • Sandbox OU for experimentation, testing, and learning AWS without affecting critical environments. You can have one per dev team, each with a cloud spend budget to ensure their AWS spending aligns with your policies.
  2. Create or invite member accounts into the organization
    Now that you have an organization, you can begin to populate it with accounts; this step-by-step guide shows you how to create or invite member accounts using the AWS console. When just getting started as a small team, I'd start by creating a Workloads OU with a dev account and a Sandbox OU with a test account.
  3. Create the service control policies
    Service control policies (SCPs) are a type of organization policy that you can use to manage permissions in your organization. For example, you can apply SCPs to restrict access to sensitive actions in production, such as deleting resources or disabling logging. For sandbox accounts, enforce cost control by limiting resource creation to budget-friendly options and restricting access to high-cost regions. These policies ensure secure and cost-efficient operations while reducing risk. Step 3 of this guide walks you through creating SCPs and attaching them to Organizational Units using the console.
  4. Give your team access to the workload and sandbox accounts
    Now that the member accounts exist in AWS Organizations, we can use IAM Identity Center to grant your team access to them. In Step 2 we created administrative users for the founders. Now we will create additional, more restricted permissions for the rest of the developer team. You can use the predefined permission sets based on job functions; follow the steps here to create a permission set. Next, create groups and assign AWS account access to the groups rather than to individual users. Follow this tutorial for instructions on assigning group access across multiple accounts. Finally, create users as you did in Step 2 for each member of your developer team and add them to the appropriate groups.
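The two SCPs sketched in item 3 (protect logging in production, fence sandbox accounts into approved regions) are shown below as policy documents plus a minimal evaluator that reports whether a given action and region would be denied. This is an added example, not code from the post or from AWS; the action names are real IAM actions, while the region list and the choice of exempted global services are assumptions you should adapt.

```python
"""Build Step 3's SCPs and check what they deny. Added example, not from the original post.
Note: SCPs never restrict the management account, so keep workloads out of it."""
import fnmatch
import json


def production_guardrail_scp():
    """Deny turning off or deleting the audit trail and threat detection in production."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "ProtectLogging", "Effect": "Deny",
        "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
                   "cloudtrail:UpdateTrail", "guardduty:DeleteDetector"],
        "Resource": "*"}]}


def sandbox_region_scp(allowed_regions):
    """Deny any request outside allowed_regions (assumed list), except for global
    services that are always served from us-east-1 and would otherwise break."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyUnapprovedRegions", "Effect": "Deny",
        "NotAction": ["iam:*", "organizations:*", "sts:*", "support:*",
                      "budgets:*", "ce:*", "sso:*"],
        "Resource": "*",
        "Condition": {"StringNotEquals": {"aws:RequestedRegion": allowed_regions}}}]}


def scp_denies(scp, action, region):
    """Return True if any Deny statement in scp matches (action, region).
    Only the subset of policy grammar used above is handled: Action/NotAction
    with wildcards and a StringNotEquals condition on aws:RequestedRegion."""
    for st in scp["Statement"]:
        if st["Effect"] != "Deny":
            continue
        if "Action" in st:
            matched = any(fnmatch.fnmatchcase(action, p) for p in st["Action"])
        else:  # NotAction: the statement covers everything except the listed actions
            matched = not any(fnmatch.fnmatchcase(action, p) for p in st["NotAction"])
        regions = st.get("Condition", {}).get("StringNotEquals", {}).get("aws:RequestedRegion")
        if regions is not None and region in regions:
            matched = False  # request is inside an approved region; condition not met
        if matched:
            return True
    return False


if __name__ == "__main__":
    print(json.dumps(sandbox_region_scp(["us-east-1"]), indent=2))
    print(scp_denies(production_guardrail_scp(), "cloudtrail:StopLogging", "us-east-1"))
```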

Step 4 - Set Up Billing and Cost Management Safeguards

For early-stage startups, it’s crucial to establish cost visibility and safeguards early on to prevent unexpected expenses and maintain financial control. Tools like AWS Budgets and AWS Cost Explorer can make a significant difference. AWS Budgets allows you to set spending thresholds and receive notifications before costs exceed your predefined limits, helping you maintain financial discipline. You can start by setting up a budget from a template with a recommended configuration, following the steps in this tutorial. AWS Cost Explorer provides detailed insights and visualizations of your spending patterns, enabling you to identify inefficiencies and optimize resource usage. To use Cost Explorer, you first need to enable it from the AWS Cost Management console.

What's Next ?

With the initial setup complete, you’re ready to start building your product. Here are a couple more resources that you might find helpful:
I’m also planning a few more startup-focused follow-ups, so let me know in the comments if there’s something specific you’d like covered. Right now, I’m considering the following content:
  • AWS GenAI sample code for early-stage AI startups
  • Getting started with Infrastructure as Code
  • Setting up a CI/CD pipeline with GitHub Actions
This wraps up our post on best practices for startups getting started with AWS. If there are specific topics you’d like to discuss further as an early-stage startup building on AWS, please let me know in the comments, or ping me on LinkedIn.
Any opinions in this post are those of the individual author and may not reflect the opinions of AWS.
