Skip to content
AWS introduction 3 min read

Getting Started & the CLI

This page takes you from zero to a working, securely configured AWS CLI. Getting the account setup right - especially how you treat the root user - prevents the most expensive and dangerous mistakes new builders make.

Creating an account

  1. Go to aws.amazon.com and choose Create an AWS Account.
  2. Provide an email, a strong password, and an account name.
  3. Enter billing details. AWS requires a valid card even for Free Tier usage and places a small temporary authorization hold.
  4. Verify your identity by phone, then select the Basic (free) Support plan.

Your account is now active with a root user identity tied to that email address.

Root user vs IAM user

The root user has unrestricted, unconditional access to everything in the account, including billing and account closure. It cannot be limited by policy.

Never use the root user for daily work, and never create access keys for it. Treat root like the master key to a building - used only for the handful of tasks that strictly require it.

Immediately after sign-up:

  • Enable MFA on the root user (a hardware key or authenticator app).
  • Create an IAM admin user for yourself and do all routine work as that user.
  • Store the root credentials offline and walk away from them.

Tasks that genuinely require root include changing the account email, closing the account, and changing your support plan.

Installing the AWS CLI

The AWS CLI v2 is the supported, current major version. Install it for your platform.

# macOS (Homebrew)
brew install awscli

# Linux (x86_64)
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip
sudo ./aws/install

# Verify
aws --version

Output:

aws-cli/2.17.0 Python/3.12.4 Linux/6.5.0 exe/x86_64.ubuntu.24

Configuring credentials

Create an access key for your IAM user in the IAM console (Users → Security credentials → Create access key), then run:

aws configure

You’ll be prompted for four values:

AWS Access Key ID [None]: AKIAIOSFODNN7EXAMPLE
AWS Secret Access Key [None]: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
Default region name [None]: us-east-1
Default output format [None]: json

This writes to ~/.aws/credentials (keys) and ~/.aws/config (region, output format).

Access keys are long-lived secrets. Never commit them to Git, embed them in code, or paste them into chats. On EC2, Lambda, or ECS, use IAM roles instead of keys - they rotate automatically and never touch disk.

Verifying your identity

Confirm the CLI is authenticated and see exactly which identity you’re acting as:

aws sts get-caller-identity

Output:

{
    "UserId": "AIDAEXAMPLE1234567890",
    "Account": "123456789012",
    "Arn": "arn:aws:iam::123456789012:user/devcraftly-admin"
}

This is the single most useful command for answering “who am I and in which account?” - run it whenever a permissions error surprises you.

Named profiles

Most engineers work across multiple accounts (dev, staging, prod). Named profiles keep credentials cleanly separated.

aws configure --profile prod

Then target a profile per command, or set it for the session:

# Per command
aws s3 ls --profile prod

# For the whole shell session
export AWS_PROFILE=prod
aws sts get-caller-identity

Your ~/.aws/config ends up looking like this:

[default]
region = us-east-1
output = json

[profile prod]
region = eu-west-1
output = json

For human access at scale, prefer AWS IAM Identity Center (SSO) with aws configure sso over static keys. It issues short-lived credentials and centralizes access across accounts.

You now have a secured account and an authenticated CLI. Next, we go deep on IAM - the foundation of everything you’ll build.

Last updated June 1, 2026
Was this helpful?