Skip to content
ABA Ops Compass

3.2 · Operations

AWS Setup Checklist

More actions

This is the step-by-step checklist to set up our AWS account for the regulated path of the platform. It is written so that someone who has never used AWS before can follow it end to end, and so that the business partner can read it cold and understand both what we are doing and why. Download the PDF version to share with the partner.

Before you start

Three things have to be in hand before opening AWS. If any of these are not yet in place, complete them first. The other todo-list items in the platform cover setting up the business email, phone, and address.

PrerequisiteWhy it matters
Business email addressUse the company domain, not a personal Gmail. The AWS account is business infrastructure and should be tied to a role-style address (e.g. aws@yourdomain.com) that survives any individual leaving.
Business credit cardAWS runs a $1 verification charge that is refunded. The business card keeps AWS expenses separate from personal spending and gives the business its own credit history with AWS.
Phone number reachable during signupAWS will text or call a verification code during account creation.

Step 1. Create the AWS account

  1. Go to aws.amazon.com and click "Create an AWS Account."
  2. Enter the business email and choose a strong password. Save the password in a password manager.
  3. When prompted, choose the Business account type, not Personal. This matters for billing structure and for the Business Associate Agreement later.
  4. Enter business name, address, and phone number.
  5. Enter the business credit card. AWS will run a $1 verification charge and refund it.
  6. Complete phone or text verification.
  7. Choose the Basic Support plan (free) for now. We can upgrade later if we need direct AWS support engineers.

Step 2. Secure the root account immediately

The email and password you just created own the entire AWS account and all its resources. Compromise of that login is the worst-case scenario. Lock it down before doing anything else.

  1. Log into the AWS console with the new root account.
  2. Click the account name in the top right corner and choose Security credentials.
  3. Enable multi-factor authentication on the root user. Use an authenticator app (1Password, Authy, Google Authenticator) or a hardware key.
  4. Confirm that no access keys exist for the root user. If any do, delete them.
  5. Sign out of the root account. From this point on, the root account is only used for tasks that explicitly require it (billing changes, account closure). Day-to-day work happens through a separate admin user.

Step 3. Set up billing alerts before anything can spike

AWS will let a bill grow indefinitely without warning unless you configure alerts. Do this on day one.

  1. In the AWS console, open Billing and Cost Management.
  2. Under Budgets, create a Cost budget.
  3. Set the four monthly thresholds below. Each threshold sends an email when crossed.
  4. Enable Cost Anomaly Detection for unusual spending patterns.
  5. Subscribe the business email and a phone number to these alerts.
ThresholdWhat it means in practice
$50Early warning. At our startup phase the entire bill should sit at or below this number, so crossing it is a signal to investigate.
$100Approaching the upper end of the expected startup phase. Confirm the spend is from real usage, not a misconfiguration.
$250Outside the expected startup band. Stop and audit before doing anything else.
$500Hard alert. Treat as a possible runaway loop or unauthorized access until proven otherwise.

Step 4. Sign the AWS Business Associate Agreement

This is the legal document that puts AWS inside our HIPAA chain. Without it, we cannot route Protected Health Information through any AWS service, regardless of how secure the services themselves are.

  1. In the AWS console, open AWS Artifact.
  2. Go to the Agreements tab.
  3. Find the AWS Business Associate Addendum.
  4. Review the agreement (it is templated; we are accepting AWS’s standard terms, not negotiating new ones).
  5. Accept the agreement. The signed BAA is stored inside AWS Artifact and available for download anytime.
  6. Record the signing date on our BAA Status page.

Step 5. Create an admin user (replace the root account for daily work)

  1. In the AWS console, open IAM (Identity and Access Management).
  2. Create a new user with the name "founder-admin" (or similar).
  3. Attach the AdministratorAccess managed policy.
  4. Enable multi-factor authentication on this user too.
  5. Create an access key for programmatic (CLI) access. Save the access key ID and secret key in the password manager.
  6. From this point on, log in through this admin user for daily work. Reserve root for billing and account-level tasks.

Step 6. Pick the AWS region

All HIPAA workloads need to live inside U.S. regions covered by the AWS BAA. We will use us-east-1 (N. Virginia) as the primary region. This is the largest, cheapest, and most feature-complete region. Backups can live in a secondary region (us-east-2 or us-west-2) for disaster recovery.

Step 7. Install the AWS CLI on the development machine

  1. Install the AWS CLI v2 following AWS’s official instructions for the operating system.
  2. Run aws configure and paste in the access key ID, secret key, region (us-east-1), and output format (json).
  3. Test with aws sts get-caller-identity. It should return the admin user’s identity.

What is next once the account is live

Once steps 1 through 7 are complete, the AWS account is ready for actual infrastructure work. We provision the items below in order. Each one has its own configuration steps that we will work through together once the account exists.

OrderResourceWhat we configure
1RDS Aurora Postgres databaseEncryption at rest, automated backups, private subnet, parameter group tuned for our workload.
2S3 buckets for clinic file uploadsPer-clinic bucket policies, server-side encryption, versioning, lifecycle policies for cold files.
3Bedrock model accessRequest access to Anthropic Claude models in the AWS console. Pin to U.S. regions covered by the agreement.
4Cognito user poolAuthentication, multi-factor configuration, group membership tied to clinic identity.
5IAM roles for the applicationShort-lived credentials scoped to exactly the resources the Next.js app needs to reach.
6CloudWatch log groupsRetention configured to six years per HIPAA. Scrubbing helper installed on the application side.
7Application wiringNext.js application code reads from RDS, writes to S3, calls Bedrock, authenticates through Cognito, and logs through the scrubbing helper.

Sharing this with the business partner

Download this page as a PDF using the toolbar at the top. The PDF is intended to give the partner a clean, complete view of the AWS setup we are committing to. It explains both the steps and the reasoning behind each step, so the partner does not have to take any of this on faith.