A concise, CLI‑oriented baseline to secure a brand‑new AWS account. Start at the top and work down. You can bootstrap from the root user in CloudShell, then switch to your own Admin IAM user.

• 00 — Root in CloudShell Quickstart: docs/00-cloudshell-root-quickstart.md
• 01 — Root Account Hardening (MFA, no root keys, contacts): docs/01-root-hardening.md
• 02 — Create Your Admin IAM User: docs/02-iam-admin-user.md
• 03 — Configure the AWS CLI: docs/03-aws-cli-setup.md
• 04 — Quick Guardrails (S3 PAB, EBS encryption, CloudTrail): docs/04-guardrails.md
• 05 — Budget via CloudFormation (SNS email): docs/05-budgets-cloudformation.md

• If bootstrapping from CloudShell as root, begin with: docs/00-cloudshell-root-quickstart.md
• Otherwise, start at: docs/01-root-hardening.md

Set region (example) and verify identity after configuring the CLI:

export AWS_REGION=us-east-1
aws sts get-caller-identity

Notes:

• Never create root access keys. Use root only for account/contract tasks.
• Deploy Budgets via CloudFormation in us-east-1.
• Many services are regional. Keep AWS_REGION set consistently.

• Preferred AWS region (e.g., us-east-1)
• Notification email for budget alerts
• Initial monthly budget amount in USD

• docs/ — step-by-step hardening guides
• cloudformation/billing-budget-sns.yaml — monthly cost budget with SNS email