AWS Account
Progress checklist
This walkthrough creates a VPC, a Lambda Capacity Provider, AWS Lambda functions, and related IAM resources. You need an AWS account with permissions to provision all of these. Root access is only needed for initial setup — you’ll create a dedicated user (or use IAM Identity Center) for all day-to-day work.

Terms used on this page:
- VPC: Virtual Private Cloud — an isolated, private network in AWS where your Lambda Managed Instances and related resources run.
- Lambda Capacity Provider: an EC2-backed compute resource pool (subnets, security groups, operator role) that Lambda Managed Instances functions run on instead of shared Lambda infrastructure.
- AWS Lambda: a serverless compute service that runs code in response to events without provisioning servers.
- IAM: Identity and Access Management — the AWS service that controls permissions and roles for all resources.
- AWS: Amazon Web Services — the cloud platform used throughout this walkthrough.
- Create or sign in to an AWS account. (Required)
  If you don’t have an account yet, sign up at aws.amazon.com. Account creation is free — you only pay for the resources you create.
  If you already have an account, sign in as the root user (or an admin) to complete the steps on this page.
- Enable MFA on the root user. (Recommended)
  The root user has unrestricted access to everything in the account. Protect it before doing anything else.
  In the AWS Console:
  - Click your account name (top right) → Security credentials
  - Under Multi-factor authentication (MFA), choose Assign MFA device
  - Choose Authenticator app (e.g. Google Authenticator, 1Password, Authy) or a hardware key
  - Follow the prompts to scan the QR code and enter two consecutive OTP codes to confirm
  After MFA is set up, sign out and sign back in to verify it works.
- Create a dedicated IAM user or use IAM Identity Center for day-to-day work. (Required)
  Avoid running Terraform or the AWS CLI as the root user. Create a dedicated identity instead:
  IAM user path (simpler, access keys):
  - In the Console: IAM → Users → Create user
  - Set a user name (e.g. lmi-admin)
  - Attach a policy — for the walkthrough use AdministratorAccess (or scope it to VPC, Lambda, IAM, EC2, S3, and related services you plan to use)
  - Under Security credentials: Create access key → choose CLI use case → note the Access Key ID and Secret Access Key
  You will enter these into aws configure in the AWS CLI step.
- Enable billing alerts. (Recommended)
  NAT gateways, EC2 capacity for Lambda Managed Instances, and other resources incur cost. Set up a billing alert so you’re notified if spend exceeds a threshold.
  (Lambda Managed Instances: a Lambda execution mode where functions run on dedicated EC2-backed instances in your VPC, providing higher concurrency (up to 64 req/vCPU), more memory (up to 32 GiB), and predictable resource isolation.)
  In the Console:
  - Billing and Cost Management → Budgets → Create a budget
  - Choose Cost budget, set a monthly threshold (e.g. $50 USD), and add an email alert
- Choose and note your AWS region. (Required)
  Pick one region for the entire walkthrough. This walkthrough uses ap-southeast-2 (AWS Asia Pacific — New Zealand). All CLI commands and Terraform will use this region as the default.
  Note it down — you’ll enter it during aws configure and in your Terraform variables.
Next step
Continue to IAM Identity Center to set up centralised access and short-lived credentials, or skip ahead to AWS CLI if you are using an IAM user with access keys only.