AWS Console Setup Guide
Step-by-step guide to set up all AWS services through the web console
Prerequisites
Costs & Cleanup - READ FIRST
- Free Tier limits for each service
- Estimated monthly costs
- How to properly delete resources
- How to set up billing alerts
Overview
This guide walks you through setting up all AWS services needed for this application using the AWS Management Console. By the end, you'll have:
- An IAM user with proper permissions
- An S3 bucket for file storage
- An SQS queue for message processing
- A Cognito User Pool for authentication
- A CloudWatch Log Group for logging
- A Secrets Manager secret for secure configuration
Region Consistency
Cost: IAM is completely FREE. No charges for users, roles, or policies.
AWS Recommendation: IAM Identity Center
Use IAM users (shown below) for:
- Service accounts for applications running outside AWS
- Third-party tools that don't support IAM roles
- Learning and development environments
Create a dedicated IAM user for your application with only the permissions it needs. Never use your root account credentials in applications.
Navigate to IAM
Search for 'IAM' and click on 'IAM' service. Note: For human users, AWS now recommends IAM Identity Center instead.
Create User
Click 'Users' in the left sidebar, then 'Create user' button.
Set User Details
Enter username (e.g., 'my-app-service-account'). Leave 'Provide user access to AWS Management Console' unchecked for programmatic-only access. Click 'Next'.
Set Permissions
Select 'Attach policies directly'. Search and add required policies (see below). Click 'Next'.
Review and Create
Review the user configuration and click 'Create user'.
Create Access Keys
Click on the new user, go to 'Security credentials' tab, scroll to 'Access keys', click 'Create access key'. Select 'Application running outside AWS' use case.
Save Credentials
Download the .csv file or copy the Access Key ID and Secret Access Key immediately - the secret is shown only once!
Required IAM Policies
Attach these AWS managed policies to your user:
| Policy Name | Purpose |
|---|---|
| AmazonS3FullAccess | S3 file operations (or create a custom policy scoped to a specific bucket) |
| AmazonSQSFullAccess | SQS queue operations |
| AmazonCognitoPowerUser | Cognito user management |
| CloudWatchLogsFullAccess | CloudWatch logging |
| SecretsManagerReadWrite | Secrets Manager access |
Production Best Practice
Custom IAM Policy (Recommended)
For tighter security, use this custom policy instead:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "S3Access",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::YOUR-BUCKET-NAME",
        "arn:aws:s3:::YOUR-BUCKET-NAME/*"
      ]
    },
    {
      "Sid": "SQSAccess",
      "Effect": "Allow",
      "Action": [
        "sqs:SendMessage",
        "sqs:ReceiveMessage",
        "sqs:DeleteMessage",
        "sqs:GetQueueAttributes"
      ],
      "Resource": "arn:aws:sqs:*:*:YOUR-QUEUE-NAME"
    },
    {
      "Sid": "CognitoAccess",
      "Effect": "Allow",
      "Action": [
        "cognito-idp:AdminCreateUser",
        "cognito-idp:AdminInitiateAuth",
        "cognito-idp:SignUp",
        "cognito-idp:ConfirmSignUp",
        "cognito-idp:InitiateAuth"
      ],
      "Resource": "arn:aws:cognito-idp:*:*:userpool/*"
    },
    {
      "Sid": "CloudWatchLogs",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "logs:DescribeLogStreams"
      ],
      "Resource": "arn:aws:logs:*:*:log-group:/YOUR-APP/*"
    },
    {
      "Sid": "SecretsManager",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue"
      ],
      "Resource": "arn:aws:secretsmanager:*:*:secret:YOUR-APP/*"
    }
  ]
}
```
7. Final Environment Variables
After setting up all services, your .env.local file should look like this:
```bash
# AWS Core Configuration
AWS_REGION=ap-southeast-1
AWS_ACCESS_KEY_ID=AKIA...your-access-key...
AWS_SECRET_ACCESS_KEY=...your-secret-key...

# S3 Configuration
AWS_S3_BUCKET_NAME=my-app-uploads-2025

# SQS Configuration
AWS_SQS_QUEUE_URL=https://sqs.ap-southeast-1.amazonaws.com/123456789012/my-app-queue

# Cognito Configuration
AWS_COGNITO_USER_POOL_ID=ap-southeast-1_AbCdEfGhI
AWS_COGNITO_CLIENT_ID=1abc2def3ghi4jkl5mno6pqr

# CloudWatch Configuration
AWS_CLOUDWATCH_LOG_GROUP=/my-app/production/logs

# Secrets Manager Configuration
AWS_SECRET_NAME=my-app/production/secrets
```
Security Best Practices
- Never commit .env.local to git
- Add .env.local to your .gitignore
- Rotate access keys every 90 days or sooner
- Use IAM roles instead of access keys when running on AWS (EC2, ECS, Lambda)
- Consider IAM Roles Anywhere for workloads outside AWS (uses X.509 certificates for temporary credentials)
- Prefer temporary credentials over long-term access keys whenever possible
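The following script is an added example and is not part of this guide or the application it describes. It ties together the two checks a practitioner wants before going live: it lints the custom IAM policy from the "Custom IAM Policy" section above (embedded here as a constructed copy with the YOUR-... placeholders left in) for whole-service or account-wide wildcards and unreplaced placeholders, and it applies the Security Best Practices just listed to a constructed .env.local and .gitignore. The variable names come from the guide's .env.local listing; the 90-day threshold is the guide's; the assumption that an access key ID starting with AKIA is a long-term IAM user key while ASIA marks a temporary STS key is AWS's documented prefix convention, and the .gitignore matching is a deliberately simple exact-pattern check rather than full gitignore semantics.

```python
"""Pre-flight checks for the guide's custom IAM policy and .env.local.
Added example, not part of the guide; all inputs below are constructed."""
import json
import re
from datetime import date

# Constructed copy of the guide's custom policy, placeholders unchanged.
CUSTOM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "S3Access", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::YOUR-BUCKET-NAME", "arn:aws:s3:::YOUR-BUCKET-NAME/*"]},
        {"Sid": "SQSAccess", "Effect": "Allow",
         "Action": ["sqs:SendMessage", "sqs:ReceiveMessage", "sqs:DeleteMessage",
                    "sqs:GetQueueAttributes"],
         "Resource": "arn:aws:sqs:*:*:YOUR-QUEUE-NAME"},
        {"Sid": "CognitoAccess", "Effect": "Allow",
         "Action": ["cognito-idp:AdminCreateUser", "cognito-idp:AdminInitiateAuth",
                    "cognito-idp:SignUp", "cognito-idp:ConfirmSignUp", "cognito-idp:InitiateAuth"],
         "Resource": "arn:aws:cognito-idp:*:*:userpool/*"},
        {"Sid": "CloudWatchLogs", "Effect": "Allow",
         "Action": ["logs:CreateLogStream", "logs:PutLogEvents", "logs:DescribeLogStreams"],
         "Resource": "arn:aws:logs:*:*:log-group:/YOUR-APP/*"},
        {"Sid": "SecretsManager", "Effect": "Allow",
         "Action": ["secretsmanager:GetSecretValue"],
         "Resource": "arn:aws:secretsmanager:*:*:secret:YOUR-APP/*"},
    ],
}

# Variable names taken from the guide's .env.local listing.
REQUIRED_VARS = ["AWS_REGION", "AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY",
                 "AWS_S3_BUCKET_NAME", "AWS_SQS_QUEUE_URL", "AWS_COGNITO_USER_POOL_ID",
                 "AWS_COGNITO_CLIENT_ID", "AWS_CLOUDWATCH_LOG_GROUP", "AWS_SECRET_NAME"]


def _as_list(value):
    # IAM allows Action/Resource as a single string or a list; normalise to a list.
    return value if isinstance(value, list) else [value]


def policy_findings(policy):
    """Flag Allow statements granting a whole service ('s3:*' or '*') or every
    resource ('*'), plus any YOUR-... placeholder that was never replaced."""
    findings = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(f"{sid}: wildcard action {action}")
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*":
                findings.append(f"{sid}: wildcard resource *")
    for placeholder in sorted(set(re.findall(r"YOUR-[A-Z-]+", json.dumps(policy)))):
        findings.append(f"placeholder {placeholder} not replaced")
    return findings


def parse_dotenv(text):
    """Minimal KEY=VALUE parser; skips blank lines and # comments."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            env[key.strip()] = value.strip().strip("'\"")
    return env


def credential_kind(access_key_id):
    """Assumed AWS prefix convention: AKIA = long-term IAM user key, ASIA = temporary STS key."""
    return {"AKIA": "long-term", "ASIA": "temporary"}.get(access_key_id[:4], "unknown")


def env_findings(env_text, gitignore_text, key_created, today):
    """Apply the guide's Security Best Practices to a .env.local and .gitignore."""
    env = parse_dotenv(env_text)
    findings = [f"missing {k}" for k in REQUIRED_VARS if not env.get(k)]
    if credential_kind(env.get("AWS_ACCESS_KEY_ID", "")) == "long-term":
        findings.append("long-term access key in use; prefer an IAM role or temporary credentials")
        if (today - key_created).days >= 90:   # the guide's 90-day rotation window
            findings.append("access key is 90+ days old; rotate it")
    ignored = {l.strip() for l in gitignore_text.splitlines()}   # exact-pattern check only
    if not ignored & {".env.local", ".env*", ".env.*"}:
        findings.append(".env.local is not covered by .gitignore")
    return findings


# Constructed sample .env.local with made-up, non-functional values.
SAMPLE_ENV = """AWS_REGION=ap-southeast-1
AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE00
AWS_SECRET_ACCESS_KEY=not-a-real-secret
AWS_S3_BUCKET_NAME=my-app-uploads-2025
AWS_SQS_QUEUE_URL=https://sqs.ap-southeast-1.amazonaws.com/123456789012/my-app-queue
AWS_COGNITO_USER_POOL_ID=ap-southeast-1_AbCdEfGhI
AWS_COGNITO_CLIENT_ID=1abc2def3ghi4jkl5mno6pqr
AWS_CLOUDWATCH_LOG_GROUP=/my-app/production/logs
AWS_SECRET_NAME=my-app/production/secrets
"""

if __name__ == "__main__":
    for f in policy_findings(CUSTOM_POLICY) + env_findings(
            SAMPLE_ENV, "node_modules/\n", date(2025, 1, 1), date(2025, 6, 1)):
        print("WARN", f)
```

Run against the guide's own policy the only findings are the three unreplaced placeholders, which is the intended result: the policy itself carries no service-wide or account-wide wildcard. Swapping an action list for `s3:*` or a resource for `*` (as the FullAccess managed policies effectively do) is reported immediately, which is the concrete difference between the managed policies table and the custom policy.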
Quick Reference: Console URLs
| Service | Console URL |
|---|---|
| IAM | console.aws.amazon.com/iam |
| S3 | s3.console.aws.amazon.com |
| SQS | console.aws.amazon.com/sqs |
| Cognito | console.aws.amazon.com/cognito |
| CloudWatch | console.aws.amazon.com/cloudwatch |
| Secrets Manager | console.aws.amazon.com/secretsmanager |
Cost Summary
Here's a quick reference for the services created in this guide:
| Service | Free Tier | After Free Tier | Risk Level |
|---|---|---|---|
| IAM | Always Free | Free forever | None |
| S3 | 5GB/12 months | $0.023/GB/month | Low |
| SQS | 1M requests/month forever | $0.40/million | Very Low |
| Cognito (Lite) | 50,000 MAUs forever | $0.0055/MAU | Low |
| CloudWatch Logs | 5GB/month | $0.50/GB ingested | Medium |
| Secrets Manager | None | $0.40/secret/month | Ongoing Cost |
Don't Forget to Clean Up!
Next Steps
- IMPORTANT: Read the Costs & Cleanup Guide to understand billing and cleanup
- Test your setup using the Interactive Demos
- Learn about deploying with AWS Copilot
- Set up Infrastructure as Code with Terraform