
Setting Up AWS CLI: My First Steps into Cloud Security

Published: October 15, 2025 | Status: ✅ Complete | Platform: Linux & macOS

Prerequisites: You'll need an AWS account (with root account web console access) to follow this guide. You do NOT need CLI access yet - that's what this guide sets up. If you don't have an AWS account yet, you can create one for free and get started with the AWS Free Tier.

As I begin my journey into cloud security and GRC engineering, I know that hands-on experience is crucial. Today, I'm documenting my first practical step: getting AWS CLI set up on my computer. This is the foundation that will let me interact with AWS services, run security checks, and build automated compliance tools.

Why AWS CLI First?

Before jumping into fancy security tools and compliance frameworks, I figured I should start with the basics. AWS CLI is like a remote control for AWS - it lets me:

  • Talk to AWS services from my command line
  • Write scripts to check security settings
  • Look at cloud resources to find compliance issues
  • Set up automated security scans

Installation Process

Step 1: Prerequisites Check

I started by ensuring I had the right environment:

# Check if unzip is available (needed for installation)
which unzip

# Check your OS and CPU architecture (this guide covers Linux and macOS)
uname -a

Step 2: Download AWS CLI v2

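AWS CLI v2 is the recommended version as it includes more security features and better integration capabilities. Note: AWS CLI v2 does not require Python to be installed on your system - it's a standalone installer that bundles its own runtime, which is why aws --version still reports a Python version.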

For Linux (x86_64):

curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip
sudo ./aws/install

For macOS (both Intel and Apple Silicon):

curl "https://awscli.amazonaws.com/AWSCLIV2.pkg" -o "AWSCLIV2.pkg"
sudo installer -pkg AWSCLIV2.pkg -target /

Step 3: Verify Installation

# Check version
aws --version

# Should output something like: aws-cli/2.x.x Python/3.x.x Linux/x86_64
# (or Darwin/x86_64 for macOS)

Step 4: Configuration & Setup

Option A: New AWS Account (No CLI Access Yet)

If you're setting up AWS CLI for the first time:

  1. Use AWS Console to create your first IAM user (requires root account access)
  2. Generate access keys in the AWS Console (as root user)
  3. Configure CLI with those credentials

Detailed Console Steps:

  1. Go to AWS Console → IAM → Users → Create User
  2. Choose a username (e.g., cli-user) and click Next
  3. Attach permissions - For learning purposes, attach ReadOnlyAccess policy. (Note: You don't need iam:CreateAccessKey permission because you'll generate the access keys while logged in as root in step 5)
  4. Create user and note the user ARN
  5. Generate access keys - Go to the user's Security credentials tab and create access keys
  6. Download/save the keys securely (you won't see the secret key again)

# Configure the CLI with the new user's access keys
aws configure

What aws configure will ask for:

  • AWS Access Key ID - Your access key from the IAM user
  • AWS Secret Access Key - Your secret key from the IAM user
  • Default region name - Like us-east-1 or us-west-2
  • Default output format - Usually json is fine

Option B: Existing AWS Access

If you already have AWS CLI access or admin permissions:

# Create a dedicated user for CLI work
aws iam create-user --user-name your-iam-user-name

# Give it minimal permissions to start
aws iam attach-user-policy --user-name your-iam-user-name --policy-arn arn:aws:iam::aws:policy/ReadOnlyAccess

# Note: For basic CLI operations and verification, ReadOnlyAccess should be sufficient.
# If you plan to perform other AWS operations (like creating resources), you'll need additional permissions.

# Generate access keys for this new user
aws iam create-access-key --user-name your-iam-user-name

# Switch AWS CLI to use the new user's keys
aws configure

Important: Never use root account credentials for CLI operations! Root accounts have unrestricted access and should only be used for specific account-level tasks.

What I Learned

  1. AWS has a lot of moving parts - Even getting started involves IAM, CLI setup, and permissions
  2. Security matters from day one - Every step needs you thinking about access control
  3. Root accounts are for setup only - Create IAM users immediately and never use root for CLI
  4. Different operating systems need different approaches - Linux uses .zip installer while macOS uses .pkg installer
  5. AWS CLI v2 is way better - It's a standalone program that doesn't need Python installed
  6. AWS docs are detailed but overwhelming - You really have to read carefully and test everything
  7. Test as you go - Don't assume commands work until you've verified them

What ReadOnlyAccess Allows vs. Doesn't Allow

ReadOnlyAccess allows you to:

  • View AWS resources (EC2 instances, S3 buckets, IAM users, etc.)
  • Run verification commands like aws sts get-caller-identity
  • Practice security auditing and compliance checking
  • List and describe resources across most AWS services

ReadOnlyAccess does NOT allow you to:

  • Create or modify resources (no EC2 instances, S3 buckets, etc.)
  • Delete anything
  • Change IAM settings or user permissions
  • Modify security groups or networking

Verification Commands

Here are some commands I used to verify everything works:

# List available regions
aws ec2 describe-regions --query 'Regions[*].RegionName' --output table

# Expected output shows available regions like:
# -------------------
# |  RegionName     |
# -------------------
# |  us-east-1      |
# |  us-west-2      |
# |  eu-west-1      |
# -------------------

# Check current configuration
aws configure list

# Expected output shows your configured settings:
# Name                    Value             Type    Location
# ----                    -----             ----    --------
# profile                <not set>             None    None
# access_key     ****************ABCD shared-credentials-file
# secret_key     ****************EFGH shared-credentials-file
# region                us-east-1      config-file    ~/.aws/config

# Test basic API call
aws sts get-caller-identity

# Expected output (confirms you're authenticated):
# {
#     "UserId": "AIDAI...",
#     "Account": "123456789012",
#     "Arn": "arn:aws:iam::123456789012:user/cli-user"
# }
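
The verification above can be turned into a repeatable check that the CLI is not running as root and that the saved key file is readable only by its owner. This is an added example, not part of the original post; the function names are hypothetical, and it assumes the default credentials path (or AWS_SHARED_CREDENTIALS_FILE if set).

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Function names are hypothetical.

# Classify the principal from the Arn field of `aws sts get-caller-identity`.
classify_arn() {
  case "$1" in
    arn:aws:iam::*:root)           echo root ;;
    arn:aws:iam::*:user/*)         echo iam-user ;;
    arn:aws:sts::*:assumed-role/*) echo assumed-role ;;
    *)                             echo unknown ;;
  esac
}

# Return 0 only if the file exists and grants nothing to group or others.
creds_file_private() {
  local mode
  [ -f "$1" ] || return 2
  # GNU stat (Linux) first, BSD stat (macOS) as fallback.
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null) || return 2
  case "$mode" in
    0|*00) return 0 ;;
    *)     return 1 ;;
  esac
}

# Run both checks against the live CLI configuration.
audit_cli_setup() {
  local arn kind creds
  creds="${AWS_SHARED_CREDENTIALS_FILE:-$HOME/.aws/credentials}"
  arn=$(aws sts get-caller-identity --query Arn --output text) || return 2
  kind=$(classify_arn "$arn")
  echo "identity: $arn ($kind)"
  if [ "$kind" = root ]; then
    echo "FAIL: the CLI is authenticated as the root user"; return 1
  fi
  if ! creds_file_private "$creds"; then
    echo "FAIL: $creds is missing or accessible to group/others"; return 1
  fi
  echo "OK: non-root identity, key file is owner-only"
}
```

Source the file and run audit_cli_setup after aws configure; a non-zero exit status means one of the two checks failed.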

Troubleshooting

Common issues and solutions:

If aws configure fails:

  • Invalid credentials - Double-check your access keys in AWS Console
  • Permission denied - Ensure your IAM user has the necessary permissions
  • Network issues - Verify internet connection and AWS service availability

If commands return access denied:

  • Verify your IAM user has the required permissions
  • Check that you're using the correct access keys
  • Ensure MFA is properly configured if required

If you need to generate new access keys:

  • Go to AWS Console → IAM → Users → [your-user] → Security credentials
  • Delete existing keys and create new ones
  • Update your CLI configuration with the new keys

Security Next Steps

Once your IAM user is working properly:

  1. Enable MFA on your root account - Go to AWS Console → Security credentials → Enable MFA
  2. Log out of root and use only your IAM user going forward
  3. Only log back into root for account-level tasks (billing, account settings, closing account)

Next Steps

With AWS CLI configured, you're ready to:

  • Explore AWS security services (Security Hub, GuardDuty, Config)
  • Practice querying resources for compliance checks
  • Learn Infrastructure as Code with Terraform or CloudFormation

This is the first in my series of learning logs as I build practical cloud security skills. Follow along as I progress from basic CLI usage to advanced GRC automation!