AWS Account

Progress checklist

• AWS account created or confirmed available
• MFA enabled on the root user
• IAM user or IAM Identity Center access created for day-to-day use
• Billing alerts enabled and default region chosen

This walkthrough creates a VPC VPC
Virtual Private Cloud — an isolated, private network in AWS where your cluster resources run. , an EKS EKS
Elastic Kubernetes Service — AWS-managed Kubernetes control plane; you manage nodes and workloads, AWS runs the API server, etcd, and scheduler. cluster, node groups, and related IAM IAM
Identity and Access Management — the AWS service that controls permissions and roles for all resources. resources. You need an AWS AWS
Amazon Web Services — the cloud platform used throughout this walkthrough. account with permissions to provision all of these. Root access is only needed for initial setup — you’ll create a dedicated user (or use IAM Identity Center) for all day-to-day work.

1. Create or sign in to an AWS account. Required

   If you don’t have an account yet, sign up at aws.amazon.com. Account creation is free — you only pay for the resources you create.

   If you already have an account, sign in as the root user (or an admin) to complete the steps on this page.

2. Enable MFA on the root user. Recommended

   The root user has unrestricted access to everything in the account. Protect it before doing anything else.

   In the AWS Console:

   • Click your account name (top right) → Security credentials
   • Under Multi-factor authentication (MFA), choose Assign MFA device
   • Choose Authenticator app (e.g. Google Authenticator, 1Password, Authy) or a hardware key
   • Follow the prompts to scan the QR code and enter two consecutive OTP codes to confirm

   After MFA is set up, sign out and sign back in to verify it works.

3. Create a dedicated IAM user or use IAM Identity Center for day-to-day work. Required

   Avoid running Terraform or the AWS CLI as the root user. Create a dedicated identity instead:

   Tip

   If you plan to do the full walkthrough including the Platform batch (ArgoCD), set up IAM Identity Center — it is required for ArgoCD’s OIDC credential flow. See the IAM Identity Center page. You can skip creating a long-lived IAM user if you use IAM Identity Center.

   IAM user path (simpler, access keys):

   • In the Console: IAM → Users → Create user
   • Set a user name (e.g. eks-admin)
   • Attach a policy — for the walkthrough use AdministratorAccess (or scope it to VPC, EKS, IAM, EC2, S3)
   • Under Security credentials: Create access key → choose CLI use case → note the Access Key ID and Secret Access Key

   You will enter these into aws configure in the AWS CLI step.

4. Enable billing alerts. Recommended

   EKS, NAT gateways, and node groups incur cost. Set up a billing alert so you’re notified if spend exceeds a threshold.

   In the Console:

   • Billing and Cost Management → Budgets → Create a budget
   • Choose Cost budget, set a monthly threshold (e.g. $50 USD), and add an email alert

5. Choose and note your AWS region. Required

   Pick one region for the entire walkthrough. This walkthrough uses ap-southeast-6 (AWS Asia Pacific — New Zealand). All CLI commands and Terraform will use this region as the default.

   Note it down — you’ll enter it during aws configure and in your Terraform variables.

   Note

   Not all services or EC2 instance types are available in every region. If you hit an “instance type not supported” error, try a different instance type within the same region.

Next step

Continue to IAM Identity Center to set up centralised access and short-lived credentials.