Create + Harden a New AWS Account: Complete Step-by-Step Security Guide

By Saurav Saini · 27 Feb 2026

🛡️ Create + Harden a New AWS Account: The Ultimate Security-First Guide

⚠️ CRITICAL SECURITY NOTICE
The Root User is the most powerful identity in AWS. If compromised, an attacker gains full control of your account, including billing and all resources. Enable MFA immediately and never use root for daily tasks. This guide ensures you build a fortress from day one.

📦 Phase 1: Account Creation (The Right Way)

🔹 Step 1: Navigate to AWS Sign-up

Open your browser and go to any search engine (Google, DuckDuckGo).
Search for: AWS Free Tier Account
Click the first result: "Create an AWS Account - Amazon Web Services."
Alternatively, directly visit: https://portal.aws.amazon.com/billing/signup
Click on the Create an AWS Account button (top right).

🔹 Step 2: Root User Email & Verification

Root user email address: Use a personal, secure email that you will always have access to (never a shared or temporary email).
AWS account name: Choose a recognizable name (e.g., "MyCompany-Prod" or "Personal-Learning").
Click Verify email address.
AWS sends a verification code to your inbox.
Enter the code (e.g., 452616) and click Verify.

💡 Email Security Tip

Enable MFA on the email account itself. If an attacker takes over your email, they can reset your AWS root password.

🔹 Step 3: Set Password

Create a strong, unique password for your root user.
Use a password manager to generate and store it (e.g., Bitwarden, 1Password, KeePass).
Minimum 12+ characters, mix of uppercase, lowercase, numbers, symbols.

🔹 Step 4: Choose Account Plan

Free (Basic) Plan: Includes 12 months of free tier for eligible services, plus always-free offers. Recommended for beginners.
Paid Plan: You are only charged for usage beyond free tier limits. You will still need to enter billing info.

💡 The free tier includes 750 hours/month of EC2 t2.micro, 5GB of S3 storage, and many other services. Perfect for learning.

🔹 Step 5: Contact Information

How do you plan to use AWS? Select Personal (for learning) or Business (if for work).
Who should we contact about this account? Enter your full legal name, phone number, and address.
Address line 1, Address line 2, City, State/Province/Region, Postal Code.
Agree to the AWS Customer Agreement (read it if you have time).

🔹 Step 6: Billing Information

Billing country: Select your country.
Credit/Debit card: Enter card number, expiration date, and CVV. AWS uses this to verify identity and charge for any usage beyond free tier.
Billing address: Usually auto-filled from contact info.
PAN Card (India) / Tax ID: For Indian residents, you may need to enter PAN and upload a scanned copy for compliance.

⚠️ AWS will charge a small temporary authorization (usually ₹2 or $1) to verify your card. This is reversed within a few days.

🔹 Step 7: Identity Verification (Phone)

Enter your mobile phone number.
Choose verification method: SMS or Voice call.
Click Send verification code.
You will receive a 4-6 digit code.
Enter the code and click Verify.

🔹 Step 8: Choose a Support Plan

Plan	Price	Features	Recommendation
Basic	Free	Account and billing support only, community forums.	✅ Perfect for beginners
Developer	From $29/month	Business hours email support, 1 primary contact.	❌ Not needed initially
Business	From $100/month	24/7 phone/chat, 1-hour response for urgent issues.	❌ For production workloads
Enterprise	From $15,000/month	Technical Account Manager (TAM), 15-min response.	❌ Large enterprises only

Select Basic Support (Free) and click Complete sign-up.

✅ Account Created! You will receive a confirmation email. Now, let's secure it.

🔑 Phase 2: First Login – Welcome to the Console

Go to AWS Console Login.
Select Root user (the email you registered).
Enter your root email and password.
Click Sign in. You are now inside the AWS Management Console 🎉.

⚠️ Root user is extremely powerful. It can close the account, change billing, and bypass all IAM policies. Use it only for billing and account setup, never for daily work.

🔒 Phase 3: Hardening Your AWS Account (Must-Do Steps)

🔹 Step 1: Enable Multi-Factor Authentication (MFA) for Root User

In the AWS Console, search for IAM and open the IAM Dashboard.
In the Security recommendations section, you'll see "Enable MFA for root user" – click it.
Click Manage MFA.
Choose Virtual MFA device (recommended, free).
Open Google Authenticator, Microsoft Authenticator, or Authy on your phone.
Scan the QR code displayed on screen.
Enter two consecutive MFA codes from your app.
Click Enable MFA.

💡 Hardware MFA keys (YubiKey) are even more secure but cost money. Virtual MFA is excellent for most users.

🔹 Step 2: Create an Admin IAM User (Daily Driver)

In IAM Dashboard, click Users → Add User.
Username: e.g., AdminUser or yourname-admin.
Check Provide user access to the AWS Management Console.
Select Custom password and set a strong password (or let AWS generate one).
Uncheck User must create a new password at next sign-in (optional, but for labs you can keep it simple).
Click Next: Permissions.
Select Add user to group.
Click Create group, name it Admins.
In the policy list, search and select AdministratorAccess.
Click Create group.
Select the Admins group, then click Next: Review.
Review and click Create user.
IMPORTANT: Download or copy the sign-in URL (e.g., https://your-account-id.signin.aws.amazon.com/console).

✅ Now log out of root and log in as AdminUser using the IAM users sign-in link. From now on, use this admin account for all administrative tasks. Store root credentials safely and only use for emergencies.

🔹 Step 3: Set Billing Alerts (Avoid Surprise Bills 💸)

In the AWS Console, search for Billing (or go to AWS Cost Management).
In the left menu, click Budgets.
Click Create budget.
Choose Cost budget → Set your budget.
Name: e.g., Monthly-Free-Tier-Alert.
Set amount: $10 (or ₹500).
Choose Monthly period.
In Alert settings, add your email address.
Set threshold: 80% of budgeted amount.
Click Create budget.
Also, in Billing Dashboard, go to Billing preferences and enable Receive Free Tier Usage Alerts and Receive Billing Alerts.

🔹 Step 4: Enable CloudTrail (Audit Logging)

In AWS Console, search CloudTrail.
Click Create trail.
Trail name: Management-Audit-Trail.
Check Enable for all accounts in my organization (if you have one) or just this account.
Check Enable for all regions (recommended).
Create a new S3 bucket (or use existing). Name it something like aws-cloudtrail-logs-.
Check Enable log file validation (to detect tampering).
Check Send SNS notification for every log file delivery (optional).
Click Next, review, and Create trail.

📜 CloudTrail records every API call in your account – who, what, when, from where. Essential for security investigations.

🔹 Step 5: Enable GuardDuty (Threat Detection)

In AWS Console, search GuardDuty.
Click Enable GuardDuty.
It will automatically start monitoring for suspicious activity (e.g., crypto mining, unusual API calls).
You can view findings in the GuardDuty dashboard. (No further configuration needed for basic use).

🔹 Step 6: Secure S3 by Default

Go to S3 Dashboard.
Click on Block Public Access settings for this account (in the left menu).
Click Edit.
Check all four boxes to Block all public access.
Click Save changes.
Also, go to Properties of any bucket you create, under Default Encryption, enable SSE-S3 or SSE-KMS.

🔹 Step 7: Enable Cost Explorer & Free Tier Alerts

In Billing Console, click Cost Explorer → Enable Cost Explorer (takes 24h to show data).
Enable Free Tier Usage Alerts in Billing preferences to get emails when you approach free tier limits.

✅ Your AWS account is now hardened! You have MFA on root, an admin IAM user, billing alerts, CloudTrail, GuardDuty, and S3 public access blocked.

🚀 Phase 4: Try Your First AWS Service

Create an S3 Bucket and upload a file: Search S3 → Create bucket → Name it (globally unique) → Upload a test file.
Launch a Free Tier EC2 instance: Search EC2 → Launch instance → Choose Amazon Linux 2 (free tier eligible) → Create key pair → Launch → Connect via SSH.
Create an IAM Role for EC2: IAM → Roles → Create role → EC2 → Attach policy (e.g., S3 read) → Assign to EC2.

📋 Hardened AWS Account Checklist

Task	Status	Why
Root MFA enabled	✅	Prevents account takeover
Admin IAM User created	✅	Don't use root daily
Billing Alerts set	✅	Avoid surprise bills
CloudTrail enabled	✅	Audit all API calls
GuardDuty enabled	✅	Threat detection
S3 Block Public Access ON	✅	Prevent data leaks
Cost Explorer enabled	⏳ (24h)	Track spending

🗓️ First 7 Days AWS Learning Roadmap (Free Tier Safe)

Day	Task	Service	What You'll Learn
Day 1	Create Account + Hardening	IAM, CloudTrail, GuardDuty	Security foundations
Day 2	S3 Storage	Upload files, set permissions, enable encryption, test block public access	Data security, permissions
Day 3	Launch EC2 Free Tier	EC2 (t2.micro), SSH, install Apache/NGINX	Basic compute, remote access
Day 4	Create IAM Roles	IAM roles, attach to EC2	Least privilege, access management
Day 5	Lambda Function	Create simple Python "Hello World" function	Serverless basics
Day 6	RDS Free Tier	Launch MySQL/Postgres instance, connect from EC2	Managed databases
Day 7	VPC Setup	Create custom VPC, public/private subnets, security groups	Networking fundamentals

💡 All tasks above are within AWS Free Tier limits if you follow the standard configurations and clean up resources after learning.

🧹 Resource Cleanup (Avoid Ongoing Costs)

Terminate EC2 instances (especially if not free tier).
Delete S3 buckets with non-free tier storage.
Delete RDS instances (create a snapshot first if needed).
Check Billing Dashboard regularly.

📌 Final Words

Congratulations! You have not only created an AWS account but also secured it to industry best practices. This foundation is exactly how enterprises start their cloud journey. Keep learning, keep everything secure, and always follow the principle of least privilege.

💡 Next Steps: Follow the 7-day roadmap, then consider certifications like AWS Certified Cloud Practitioner or Solutions Architect.