

# SALZ: Create a new AWS account for AMS


The five steps to creating a new AWS account for AWS Managed Services (AMS) are: 

1. [Create an AWS account](create-account.md)

1. [Set up consolidated billing–link new account to Payer account](set-up-consolidated-billing.md)

1. [Configure your AWS account for AMS access](configure-aws-account-for-sent.md)

1. [Secure the new account with multi-factor authentication (MFA) for the root user in AMS](sog-secure-new-account-with-mfa.md)

1. [Subscribe to AWS Marketplace for EPS](subscribe-to-marketplace-for-eps.md)

Please contact your customer service delivery manager (CSDM) if you have any questions.

# Create an AWS account


The AMS program requires the provisioning of a new Amazon Web Services (AWS) account. Step-by-step instructions are available in the following video: [How do I create and activate a new Amazon Web Services account?](https://aws.amazon.com/premiumsupport/knowledge-center/create-and-activate-aws-account/). The simple steps are:

## Sign up for an AWS account


If you do not have an AWS account, complete the following steps to create one.

**To sign up for an AWS account**

1. Open [https://portal.aws.amazon.com/billing/signup](https://portal.aws.amazon.com/billing/signup).

1. Follow the online instructions.

   Part of the sign-up procedure involves receiving a phone call or text message and entering a verification code on the phone keypad.

   When you sign up for an AWS account, an *AWS account root user* is created. The root user has access to all AWS services and resources in the account. As a security best practice, assign administrative access to a user, and use only the root user to perform [tasks that require root user access](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#root-user-tasks).

AWS sends you a confirmation email after the sign-up process is complete. At any time, you can view your current account activity and manage your account by going to [https://aws.amazon.com/](https://aws.amazon.com/) and choosing **My Account**.

## Create a user with administrative access


After you sign up for an AWS account, secure your AWS account root user, enable AWS IAM Identity Center, and create an administrative user so that you don't use the root user for everyday tasks.

**Secure your AWS account root user**

1.  Sign in to the [AWS Management Console](https://console.aws.amazon.com/) as the account owner by choosing **Root user** and entering your AWS account email address. On the next page, enter your password.

   For help signing in by using the root user, see [Signing in as the root user](https://docs.aws.amazon.com/signin/latest/userguide/console-sign-in-tutorials.html#introduction-to-root-user-sign-in-tutorial) in the *AWS Sign-In User Guide*.

1. Turn on multi-factor authentication (MFA) for your root user.

   For instructions, see [Enable a virtual MFA device for your AWS account root user (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/enable-virt-mfa-for-root.html) in the *IAM User Guide*.

**Create a user with administrative access**

1. Enable IAM Identity Center.

   For instructions, see [Enabling AWS IAM Identity Center](https://docs.aws.amazon.com//singlesignon/latest/userguide/get-set-up-for-idc.html) in the *AWS IAM Identity Center User Guide*.

1. In IAM Identity Center, grant administrative access to a user.

   For a tutorial about using the IAM Identity Center directory as your identity source, see [ Configure user access with the default IAM Identity Center directory](https://docs.aws.amazon.com//singlesignon/latest/userguide/quick-start-default-idc.html) in the *AWS IAM Identity Center User Guide*.

**Sign in as the user with administrative access**
+ To sign in with your IAM Identity Center user, use the sign-in URL that was sent to your email address when you created the IAM Identity Center user.

  For help signing in using an IAM Identity Center user, see [Signing in to the AWS access portal](https://docs.aws.amazon.com/signin/latest/userguide/iam-id-center-sign-in-tutorial.html) in the *AWS Sign-In User Guide*.

**Assign access to additional users**

1. In IAM Identity Center, create a permission set that follows the best practice of applying least-privilege permissions.

   For instructions, see [ Create a permission set](https://docs.aws.amazon.com//singlesignon/latest/userguide/get-started-create-a-permission-set.html) in the *AWS IAM Identity Center User Guide*.

1. Assign users to a group, and then assign single sign-on access to the group.

   For instructions, see [ Add groups](https://docs.aws.amazon.com//singlesignon/latest/userguide/addgroups.html) in the *AWS IAM Identity Center User Guide*.

**Note**  
If you already have an account, you can go to the [AWS Pricing](https://aws.amazon.com/pricing/) page and click **Create a Free Account**. *Be sure to sign up* for the **EC2 Service**, at least. Signing up for one service allows you access to all services in AWS. You are charged only for the services that you use.  
If you plan to link your new account to a payer account for the purposes of consolidated billing, you do not need to enter payment method information when prompted. Instead, once you reach the screen to enter credit card information, simply navigate away. You will need the email address associated with the payer account to send a consolidated billing/linked account request, which is detailed in the next section.

**Important**  
Make sure that an email address and phone number are associated with the account so that you receive responses to potential security incidents. The phone number and email address for the account cannot be changed without resetting the account password, which is a significant undertaking for an AMS root account. To keep these values stable, choose contact information that is not tied to an individual, because individuals change: use an email alias that points to a group, and a phone number that is owned by the company and routed to a group rather than to one person.

# Set up consolidated billing–link new account to Payer account


If you'd like your new AMS-managed AWS account bill to be rolled into a payment for an existing AWS Organizations management account, you need to set up consolidated billing and link the accounts. For details on doing this, see
+  [Consolidated billing for AWS Organizations](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/consolidated-billing.html) and [AWS Multi-Account Billing Strategy](https://d0.awsstatic.com/aws-answers/AWS_Multi_Account_Billing_Strategy.pdf).
+  [Inviting an AWS account to join your organization](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_invites.html)

**Note**  
You can perform these steps before doing the account handover to AMS. After the handover, the steps for joining your organization (provided above) can be done through the change management process. Consult with your cloud service delivery manager (CSDM) or cloud architect (CA) if you need assistance.

For general billing information, including managing consolidated billing, see [What is AWS Billing](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-what-is.html). For general AWS Organizations information about how accounts can work together, see [What is AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html). For prescriptive guidance on AWS Organizations management accounts, see [The management account, trusted access, and delegated administrators](https://docs.aws.amazon.com/prescriptive-guidance/latest/security-reference-architecture/management-account.html).

# Configure your AWS account for AMS access


With the above steps completed, you’ve successfully secured your new AWS account and ensured associated costs are billed appropriately. The final step in the process is to allow AMS access to the new account for initial stack configuration and for ongoing change and provisioning requests to be fulfilled. For details, read [Delegate Access Across AWS Accounts Using IAM Roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html). The basic steps are described in this section.

# Activate access to the AWS website


In order to grant your IAM users access to your account's billing information and tools, you must activate the functionality.

Follow these steps:

1. Sign in to the AWS Management Console with your *root account* credentials (the email and password that you used to create your AWS account). Don't sign in with your IAM user credentials.

   The AWS Management Console home page opens.

1. In the top navigation bar, open the drop-down menu for your account name, and then choose **My Account**. 

   The Billing home page opens.

1. Scroll down to the **IAM User Access to Billing Information** area, and click **Edit** on the right side. **The area does not appear unless you are logged in with root credentials**.

   An **Activate IAM access** area opens. 

1. Select the check box and click **Update**. 

   You can now use IAM policies to control which pages a user can access.

For more details on this process in AWS, see [Overview of managing access permissions](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/control-access-billing.html).

# Create an IAM role with access to the AWS website


AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources for your users. You use IAM to control who can use your AWS resources (authentication) and what resources they can use and in what ways (authorization).

1. Go to the [IAM Management Console](https://console.aws.amazon.com/iam/home?#home) and click **Roles** in the left navigation pane.

   The Roles management page opens with information about IAM roles, a **Create role** option, and a list of existing roles. ![IAM roles explanation with examples of trusted entities and additional resources.](http://docs.aws.amazon.com/managedservices/latest/onboardingguide/images/iamConsoleRoles.PNG)

1. Click **Create role**.

   The Create role **Select type of trusted entity** page opens. Click **Another AWS account** and a settings area opens up below.

   Enter the AMS trusted **Account ID** provided to you by AMS. Leave the **Require external ID** and **Require MFA** options de-selected. ![Interface for creating a role, showing options to select trusted entity types for AWS accounts.](http://docs.aws.amazon.com/managedservices/latest/onboardingguide/images/iamConsoleCreateRole.PNG)

1. Click **Next: Permissions**.

   The Create role **Attach permissions policies** page opens with options for creating a new policy, refreshing the page, and searching existing policies. A list of existing policies is provided. ![Policy list showing AdministratorAccess with full AWS service access description.](http://docs.aws.amazon.com/managedservices/latest/onboardingguide/images/iamConsoleCreateRolePermissionsDetail.PNG)

1. Select the **AdministratorAccess** policy and then click **Next: Review**.

   The Create role **Review** page opens. ![Role creation interface showing name, description, trusted entity, and policy fields.](http://docs.aws.amazon.com/managedservices/latest/onboardingguide/images/iamConsoleCreateRoleReview.PNG)

1. Name the new role **aws\_managedservices\_onboarding\_role** and type "AMS Onboarding Role" for the **Role description**. Review the settings for the new role and, if satisfied, click **Create role**.

   The role management page opens with your new role listed.
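The console steps above produce a role whose trust policy names the single AMS account. The following added example (not part of the AMS onboarding guide or its tooling) builds that trust policy with only the standard library, runs a reviewer-style check that nothing wider than the one expected account can assume the role, and prints the equivalent AWS CLI calls. The account ID `111122223333` is a constructed placeholder; substitute the trusted account ID that AMS gives you.

```python
import re

# Role name and description as given in the steps above; the account ID is a
# constructed placeholder, not a real AMS account.
ROLE_NAME = "aws_managedservices_onboarding_role"
ROLE_DESCRIPTION = "AMS Onboarding Role"
ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"
EXAMPLE_AMS_ACCOUNT_ID = "111122223333"


def build_trust_policy(ams_account_id: str) -> dict:
    """Trust policy equivalent to choosing "Another AWS account" in the console,
    with no external ID or MFA condition, as the steps above specify."""
    if not re.fullmatch(r"[0-9]{12}", ams_account_id):
        raise ValueError("an AWS account ID is exactly 12 digits")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{ams_account_id}:root"},
            "Action": "sts:AssumeRole",
        }],
    }


def review_trust_policy(policy: dict, expected_account_id: str) -> list:
    """Flag anything that widens trust beyond the one AMS account: a wildcard
    principal, or an account ID other than the expected one."""
    allowed = {expected_account_id, f"arn:aws:iam::{expected_account_id}:root"}
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws = principal if principal == "*" else principal.get("AWS", [])
        for p in [aws] if isinstance(aws, str) else aws:
            if p == "*":
                findings.append("wildcard principal: any AWS account may assume the role")
            elif p not in allowed:
                findings.append(f"unexpected principal: {p}")
    return findings


def cli_commands(policy_file: str = "trust.json") -> list:
    """The two AWS CLI calls that reproduce the console steps, assuming the
    trust policy has been written to policy_file."""
    return [
        f"aws iam create-role --role-name {ROLE_NAME} "
        f"--description '{ROLE_DESCRIPTION}' "
        f"--assume-role-policy-document file://{policy_file}",
        f"aws iam attach-role-policy --role-name {ROLE_NAME} --policy-arn {ADMIN_POLICY_ARN}",
    ]
```

Run `review_trust_policy` against the trust policy of the role you actually created (for example, the `AssumeRolePolicyDocument` returned by `aws iam get-role`) to confirm that only the AMS account was entered.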

# Subscribe to AWS Marketplace for EPS


Recent changes to AMS endpoint security (EPS) require you to subscribe to TrendMicro Deep Security through the AWS Marketplace and accept the software terms.

TrendMicro offers two license models: Per Protected Instance Hour and Bring your own License (BYOL).
+ **BYOL**:

  1. You use your own license that you have purchased through external channels.

  1. You must provide all the license keys to AMS to build the EPS infrastructure. You can provide an activation code that licenses all modules, or individual activation codes that license a certain set of modules. AMS creates only the license files that correspond with the activation codes you provide. Since the license activation occurs during onboarding, in the presence of an AMS lead engineer and CSDM, you can share that information then.

  1. Additionally, you must subscribe to the Trend Micro BYOL AWS Marketplace AMI. See [Trend Micro Deep Security (BYOL)](https://aws.amazon.com/marketplace/pp/B00OCI4H82/ref=dtl_recsim_B00OCI4J0I_B00OCI4H82_2).
+ **Per Protected Instance Hour**:

  1. In this subscription, you are not required to have any previously-procured Trend license.

  1. However, you must subscribe to the Marketplace subscription.

  1. No license key sharing with AMS is required in this model, because Trend Micro usage, including the software license and EC2 infrastructure usage, is metered automatically. See [Trend Micro Deep Security](https://aws.amazon.com/marketplace/pp/B01AVYHVHO).

To subscribe to Trend Micro, follow these steps:

1. Log in to your AWS account.

1. Navigate to the Trend Micro Deep Security ([BYOL](https://aws.amazon.com/marketplace/pp/B00OCI4H82/ref=dtl_recsim_B00OCI4J0I_B00OCI4H82_2) or [Per Protected Instance Hour](https://aws.amazon.com/marketplace/pp/B01AVYHVHO)) product page.

1. Click **Continue to Subscribe** in the right panel.

1. Click **Accept Terms** in the upper right corner.

# Enable IDS and IPS in Trend Micro Deep Security


You can request that AMS enable Trend Micro Intrusion Detection System (IDS) and Intrusion Protection System (IPS), which are non-default features, for your account.

To do this, submit an update request (Management | Other | Other | Update) and include a list of email addresses to receive IDS and IPS notifications. These addresses are added to an SNS topic in your account, which AMS creates for you.

**Note**  
AMS cannot add any Trend Micro service that might interfere with our ability to provide other AMS services.

Next step: [Secure the new account with multi-factor authentication (MFA) for the root user in AMS](sog-secure-new-account-with-mfa.md)

# Subscribe to AWS Marketplace for CentOS 7.6


AMS now provides the CentOS 7 (x86\_64) - with Updates HVM AMI, sold by Centos.org, as an AMS AMI. In order to use this AMI, you must opt in to the free CentOS license and accept the license on all your AMS accounts.

To subscribe, go to [AWS Marketplace](https://aws.amazon.com/marketplace) and follow the instructions for opting in.

You will not incur software charges for using this product, but you are still responsible for other AWS charges, including EC2 usage. If this is a "Bring Your Own License" product you must have a valid software license in order to use it.

You can review information for this software at [CentOS 7 (x86\_64) - with Updates HVM](https://aws.amazon.com/marketplace/pp/ref=bill_eml_1?sku=aw0evgkw8e5c1q413zgy5pjce).

# Secure the new account with multi-factor authentication (MFA) for the root user in AMS

This section has been redacted because it contains sensitive AMS security-related information. This information is available through the AMS console **Documentation**. To access AWS Artifact, you can contact your CSDM for instructions or go to [Getting Started with AWS Artifact](https://aws.amazon.com/artifact/getting-started).