This section summarises AWS registration and creating users in IAM.
In the previous section, I selected Amazon Lightsail as the hosting service and explained the process up to the actual use of the service.
As this is my first time using AWS, my understanding of the basic concepts and terminology is limited, and there were things I did not understand before using the service, but once I actually tried it I found it very easy to use.
When actually using AWS, you do not simply install and use each function with the account you registered with.
You create a ‘separate account’ with execution rights for AWS functions, and it is with that ‘separate account’ that you access AWS services, install services and instances, configure settings and actually use them.
The function for creating and managing these ‘separate accounts’ with execution rights is called IAM, formally AWS Identity and Access Management.
I also use a ‘separate account’ created in IAM that is allowed to run instances.
- Set up Drupal on Lightsail
- Acquire domain with Route53
- Set up DNS in Lightsail
- Set up email accounts with Amazon Work Mail
- Set up email delivery with Amazon Simple Email Service
All of the above have been set up with that account.
If you have never used AWS before, reading the AWS documentation leaves you asking: what is this IAM? Until I actually used it, I did not really understand why it was necessary.
This time, after registering with AWS, I will summarise IAM, the function that manages separate accounts with execution rights.
Lightsail is also an AWS service, so you need to create an account with AWS to use it.
First, register with AWS to get an account.
- Go to https://aws.amazon.com/jp/ and click on ‘Sign up now for free’ at the top right of the page.
- AWS New Sign Up will open. Select Japanese in the language field at the top right of the page.
- Specify the email address you want to use for the root user's email address and enter a new account name.
- Click Confirm email address.
- Log in to AWS and enter your contact details, including personal/corporate, name, address and mobile phone number.
- Enter your credit card details.
- After signing up, you will receive a four-digit verification code by SMS (text message) on your mobile phone.
- Enter this verification code, then select a support plan from those displayed.
- Signing up opens the AWS console screen.
- Set up your login password, two-step verification and other settings.
This creates an AWS account. This account will be the root account in the following sections.
After registering with AWS, you need to set up the users who will actually use AWS functions in IAM, the function for managing users. IAM, officially AWS Identity and Access Management, is the function for setting, per user, the permissions to use AWS functions (which AWS describes as resources).
In AWS, the registrant is recognised as the user with full rights, known as the root user. Even for an individual, where the registrant is the person who actually builds the website, it is necessary to have a separate user, belonging to the same person as the registrant, with access to all AWS functions.
The reason is security and the need for an emergency role: if the account used for daily access becomes unavailable, someone must still be able to access and restore services, and that role belongs to the registrant, who has full authority.
By using an account separate from the registrant's for the actual work, such as building systems, you separate the account that does the daily work from the account with full authority that responds to emergencies, which provides both security and an emergency fallback.
Below is a summary of the concept of AWS root accounts and IAM-acquired accounts.
3-1. Concepts of AWS and IAM
Root [ AWS ]
// Root user = Registrant > Used as an account that has full rights and can set billing and user permissions, but is not normally used.
// e.g.) Register with AWS under the account Takeda_Admin and perform basic AWS configuration, but do not use the instance.
Root > [ AWS Identity and Access Management(IAM) ]
// The initial IAM configuration is set up by the registrant, Takeda_Admin, on the AWS administration screen.
Root > IAM > [ Group ]
// Groups to which IAM users belong. Set the AWS features available for each group.
// Create a group called admin, a group with full AWS functionality.
Root > IAM > Group > [ Users ]
// IAM > Groups > Users.
// Create as many accounts as your use case needs; one is enough for an individual. For permissions, select permissions that allow access to all AWS services, with the exception of billing management. This is the account that selects, installs and configures instances, and the account created here will be used to run the AWS instance.
// e.g.) Create an account named Takeda_iam01 in the admin group you created and set permissions to use full AWS functionality.
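To show what ‘all AWS services except billing management’ means once IAM evaluates it, here is a small simulation of the decision logic (an added example, not code from the original post or from AWS). It assumes the admin group's policy is written as an Allow on everything plus an explicit Deny on the billing-console actions, which AWS names with the ‘aws-portal:’ prefix; only the Action element is modelled, Resource and Condition are ignored.

```python
"""Simulate IAM's Deny-overrides-Allow evaluation for the admin group policy."""
from fnmatch import fnmatchcase
import json

# Constructed policy document for the "admin" group described above.
# Assumption: billing is excluded with an explicit Deny on "aws-portal:*".
ADMIN_GROUP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "FullAccess", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "NoBilling", "Effect": "Deny", "Action": ["aws-portal:*"], "Resource": "*"},
    ],
}

def _actions(stmt):
    """Action may be a single string or a list; normalise to a list."""
    act = stmt.get("Action", [])
    return [act] if isinstance(act, str) else act

def _matches(pattern, action):
    """IAM action names are case-insensitive; '*' and '?' are wildcards."""
    return fnmatchcase(action.lower(), pattern.lower())

def is_allowed(policy, action):
    """IAM decision order: an explicit Deny wins over any Allow;
    with no matching statement at all the result is an implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if any(_matches(p, action) for p in _actions(stmt)):
            if stmt["Effect"] == "Deny":
                return False
            if stmt["Effect"] == "Allow":
                allowed = True
    return allowed

def user_decisions(policy, actions):
    """Map each requested action to the simulated allow/deny decision."""
    return {a: is_allowed(policy, a) for a in actions}

if __name__ == "__main__":
    # Constructed sample: what Takeda_iam01 would and would not be able to do.
    checks = ["lightsail:CreateInstances", "route53:ChangeResourceRecordSets",
              "aws-portal:ViewBilling", "aws-portal:ModifyPaymentMethods"]
    print(json.dumps(user_decisions(ADMIN_GROUP_POLICY, checks), indent=2))
```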
3-2. Actual use
// Root user login.
https://signin.aws.amazon.com/console
The IAM sign-in screen appears; select ‘Sign in using root user email’.
// Not normally used.
// User login configured in IAM.
https://<12 digit number>.signin.aws.amazon.com/console
Log in via the URL prefixed with the 12-digit account number.
This is where you normally log in, and this is the account used to add instances and configure settings.
// I also use this account for all Drupal installations in Lightsail and DNS settings in Route53.
- AWS registration: set up billing and other information. The registrant is the root account.
- In the root account, use IAM to create a non-root account with execution rights.
- In the above configuration diagram, the root account is assumed to be ‘Takeda_Admin’.
- The account created with IAM will be the account that uses AWS from now on.
- The account created in IAM that will actually use AWS is assumed to be ‘Takeda_iam01’.
- Sign in to ‘https://<12 digit account>.signin.aws.amazon.com/console’ with ‘Takeda_iam01’.
- From here, you will install Lightsail and Drupal.
Reference: Amazon Web Service Login
The above process creates an account for daily use of AWS with IAM. The created account is used to install, configure and run the desired instance on AWS.
Looked at vaguely from the outside, the necessity of IAM is hard to understand, but once you actually use it, it is clearly well thought out in terms of security and emergency response.
IAM was originally designed for situations where many people use AWS to build and manage systems: it manages the authority of each person in charge of the system, and supports large-scale development and the operation of large-scale system applications.
Below are links to the official guides on AWS registration and IAM, summarised in this article.
AWS Accounts > Official User Guide / English
Covers everything from account creation to managing the security policies and the users that operate in IAM. Credit card details are registered here and billing is also managed here.
IAM > Official User Guide
Use AWS by creating a separate account that can manage and run instances instead of using the root account on a daily basis.
- Obtaining an AWS account > Billing and user management
- Execution users configured in IAM > Installation and configuration of each instance
With the above done and an execution user created, you now have an environment in which you can install Drupal in Lightsail on your AWS account.
This time, by registering with AWS and following AWS's instructions to create in IAM a separate account for actually using AWS, apart from the registered account, I was able to understand the function, meaning and necessity of IAM. Now that the environment is ready to run future AWS instances with the execution account created in IAM, the next section will summarise the selection of Lightsail and the installation of Drupal.
Installing Lightsail and Drupal.
In the next section, we will install Drupal on Lightsail.