nZac

Setting up a new AWS account from scratch

As with everything on my blog, this is for my future brain and you just happen to be here.

What I don't love about the below is the number of manual steps to get this all working. But I'm reminded that if I wanted to manage all my own infrastructure, services, etc. I would spend a bunch of time doing that instead of building features in applications. What's the correct way? I suppose that is a business decision and one of personal preference.

Setup Organizations

Do the normal account creation steps, enter your billing information, blah blah blah. Secure the root account with MFA. Set up AWS Organizations and make sure to use "Full settings" or whatever they call it, the thing that isn't just Consolidated Billing.

Root Access Management

It is a really good idea to centrally manage the root account credentials. The AWS docs are easy enough to follow.

Control Tower

You might not need or want Control Tower. If you don't want to use CT, an alternative (which I've never used) is org-formation.

From Organizations > Services, find AWS Control Tower, follow the prompts and click "Setup Landing Zone". Note that, until this point, we haven't incurred any cost. Now you do! CT doesn't cost anything itself but it does use cloud resources that do cost something. If you are truly starting from nothing it will probably be ~$0.023. Welcome to cloud, it starts small...

When going through the Control Tower setup, you will want to only select regions that you are going to actually put resources in. I'm not exactly sure of the implication on Identity Center... I think you can still access Identity Center even if it is in a region you don't select but I've never tested this.

Activate the "Deny Region Setting", read the fine print on that in case you aren't actually starting from scratch.

Create the single security OU, don't bother with the second OU. We will create that later with TF (Terraform).

Create the Audit and Log Archive accounts. Choose to use IAM Identity Center and Organizational CloudTrail.

Unless you have reason to back up your data for 10 years, I suggest 1 year for both S3 backups.

You can manage your backups manually or set this up later; skip it for now.

Review everything, read the fine print, click "go", wait until everything is done.

Identity

You should now have Control Tower and IAM Identity Center set up. Next up, create a new OU called Identity and a new account in Identity. This will be used for delegated access.

Billing

Set up Consolidated Billing Access for IAM users.

StackSet Management

Under AWS Organizations > Services, enable CloudFormation StackSets. You want to register a delegate and use the Identity account as the delegate. This will later be used to set up Terraform Cloud, Cloudflare or similar in the account.
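Since the Identity OU, the account in it, and the StackSets delegate are the parts this post says get done with Terraform, here is an added example of what that looks like. This is my own illustration, not code from the post or from any AWS/Hashicorp project; it assumes the AWS provider v5, that you run it from the management account, that the StackSets trusted access from the step above has already been enabled in the console, and that the `identity_account_email` variable, the `us-east-1` home region and the "Identity" OU name are placeholders you will change. The `member.org.stacksets.cloudformation.amazonaws.com` service principal is the one AWS documents for StackSets delegated administration; confirm it against the Organizations docs before applying.

```terraform
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 5.0"
    }
  }
}

# Assumption: the Control Tower home region you selected during setup.
provider "aws" {
  region = "us-east-1"
}

# Every account email must be unique across all of AWS; use a plus-address
# or a dedicated mailbox, and keep it somewhere you control long-term.
variable "identity_account_email" {
  type        = string
  description = "Root email for the Identity account (placeholder, set your own)"
}

# Look up the organization so we can attach the new OU under the root.
data "aws_organizations_organization" "this" {}

# The second OU the post defers to Terraform. Control Tower created the
# Security OU during landing-zone setup; this one sits beside it.
resource "aws_organizations_organizational_unit" "identity" {
  name      = "Identity"
  parent_id = data.aws_organizations_organization.this.roots[0].id
}

# The delegated-access account that will hold Terraform Cloud / Cloudflare
# style integrations. close_on_deletion = false means `terraform destroy`
# only removes it from state rather than closing the account.
resource "aws_organizations_account" "identity" {
  name              = "identity"
  email             = var.identity_account_email
  parent_id         = aws_organizations_organizational_unit.identity.id
  role_name         = "OrganizationAccountAccessRole"
  close_on_deletion = false

  # role_name cannot be read back from the API after creation, so ignore
  # it to avoid a perpetual diff.
  lifecycle {
    ignore_changes = [role_name]
  }
}

# Register the Identity account as the StackSets delegated administrator.
# Requires trusted access for StackSets to already be enabled on the org.
resource "aws_organizations_delegated_administrator" "stacksets" {
  account_id        = aws_organizations_account.identity.id
  service_principal = "member.org.stacksets.cloudformation.amazonaws.com"
}

output "identity_account_id" {
  value = aws_organizations_account.identity.id
}
```

One caveat worth knowing before you apply this: an account created directly through the Organizations API is not automatically enrolled in Control Tower, so it will not receive the landing zone's guardrails until you enroll it (from Control Tower > Organization) or create it through Account Factory instead. Either way, keep the OU in Terraform so the structure is reproducible.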

#AWS