Phase 1 GUI: Infrastructure Foundation

What You'll Build in This Phase

AWS account with proper security (MFA enabled)

IAM admin user for daily operations

Cost budgets and alerts

VPC with public, private, and isolated subnets

Internet Gateway and NAT Gateways

Security Groups for all components

ECR repositories for Docker images

CloudTrail for audit logging

Step 1: AWS Account Setup

1.1

Create AWS Account

If you don't have an AWS account yet, let's create one. This is your gateway to all AWS services.

Browser Navigation

Open Browser Go to aws.amazon.com Click "Create an AWS Account"

1

Enter your Email address

Use a business email if possible (e.g., yourname@company.com)
2

Choose AWS account name

Example: helium-production
3

Verify your email and set a strong password

Use a password manager to generate and store it securely
4

Enter contact information

Choose "Professional" account type for business use
5

Add payment method (credit card)

AWS will charge $1 for verification (refunded immediately)
6

Complete identity verification (phone call or SMS)

Enter the PIN code you receive
7

Select Basic Support Plan (Free)

You can upgrade later if needed

Account Created! You'll receive a confirmation email. It may take a few minutes for your account to be fully activated.

1.2

Enable MFA on Root Account

Multi-Factor Authentication (MFA) adds an extra layer of security. This is CRITICAL for your root account.

⚠️ Security Critical! Never skip this step. Your root account has unlimited access to everything.

Console Navigation

AWS Console Top-right (your name) Security Credentials Multi-factor authentication (MFA)

1

Click "Assign MFA device" button
2

Enter device name: root-account-mfa
3

Select "Authenticator app"

Recommended apps: Google Authenticator, Microsoft Authenticator, Authy
4

Click "Show QR code"
5

Scan QR code with your authenticator app
6

Enter two consecutive MFA codes from your app

Wait for the code to refresh and enter the new one
7

Click "Add MFA"

Pro Tip

Save your MFA backup codes in a secure location (password manager). If you lose your phone, you'll need these to regain access.

1.3

Create IAM Admin User

Never use your root account for daily operations. Create an admin user instead.

Best Practice: Root account should only be used for account-level tasks (billing, closing account). Use IAM users for everything else.

Console Navigation

AWS Console Search "IAM" Click "IAM" Users (left sidebar) Create user

1

Click "Create user" button
2

User name: helium-admin
3

Check both boxes:

✓ Provide user access to the AWS Management Console
✓ I want to create an IAM user
4

Console password: Select "Custom password"

Create a strong password (use password manager)
5

Uncheck "Users must create a new password at next sign-in"
6

Click "Next"
7

Permissions: Select "Attach policies directly"
8

Search and check: AdministratorAccess

This gives full access to all AWS services
9

Click "Next" → Review → "Create user"
10

Download the .csv file with credentials

Store this securely - you'll need it to sign in

Important: Save Your Sign-In URL

Your IAM user sign-in URL will be: https://YOUR-ACCOUNT-ID.signin.aws.amazon.com/console
Bookmark this URL - you'll use it every time you sign in.

1.4

Enable MFA for Admin User

Now let's secure your admin user with MFA too.

Sign Out and Sign In: Log out from root account and sign in with your new IAM user (helium-admin) using the IAM sign-in URL.

Console Navigation

AWS Console (as helium-admin) Top-right (your name) Security credentials Multi-factor authentication (MFA)

1

Click "Assign MFA device"
2

Device name: admin-mfa
3

Select "Authenticator app" → "Next"
4

Scan QR code with your authenticator app
5

Enter two consecutive MFA codes
6

Click "Add MFA"

1.5

Create Access Keys for Programmatic Access

You'll need access keys for GitHub Actions CI/CD pipeline later.

Console Navigation

IAM Users helium-admin Security credentials tab Access keys section

1

Click "Create access key"
2

Use case: Select "Command Line Interface (CLI)"
3

Check the confirmation box

"I understand the above recommendation..."
4

Click "Next"
5

Description tag: GitHub Actions CI/CD
6

Click "Create access key"
7

Download the .csv file

⚠️ This is your ONLY chance to download the secret key!

Security Warning: Never commit access keys to Git or share them publicly. Store them in a password manager or GitHub Secrets.

Step 2: Set Up Cost Management

2.1

Enable Cost Explorer

Cost Explorer helps you visualize and understand your AWS spending.

Console Navigation

AWS Console Search "Cost Explorer" Click "Cost Explorer"

1

Click "Enable Cost Explorer" button
2

Wait for activation (takes about 24 hours for data to appear)

2.2

Create Budget Alerts

Set up budget alerts to avoid surprise bills. This is ESSENTIAL for cost control.

Console Navigation

AWS Console Search "Budgets" AWS Budgets Create budget

1

Click "Create budget" button
2

Budget setup: Select "Use a template (simplified)"
3

Template: Choose "Monthly cost budget"
4

Budget name: helium-production-monthly
5

Budget amount: $500

Adjust based on your expected usage (see cost estimates in overview)
6

Email recipients: Enter your email address

You'll receive alerts at 85% of budget
7

Click "Create budget"

Recommended Budget Thresholds

For better control, create custom budgets with alerts at 50%, 80%, and 100% of your budget. This gives you early warnings before costs get out of control.

Step 3: Create VPC (Virtual Private Cloud)

What is a VPC?
A VPC is your own private network in AWS. Think of it like your own data center in the cloud, completely isolated from other AWS customers.

3.1

Create VPC with VPC Wizard

AWS VPC Wizard makes it easy to create a complete VPC with all necessary components in one go.

Console Navigation

AWS Console Search "VPC" VPC Dashboard Create VPC

1

Click "Create VPC" button
2

Resources to create: Select "VPC and more"

This creates VPC, subnets, route tables, and gateways automatically
3

Name tag auto-generation: helium-production

This will prefix all resource names
4

IPv4 CIDR block: 10.0.0.0/16

This gives you 65,536 IP addresses
5

Number of Availability Zones: 2

For high availability and fault tolerance
6

Number of public subnets: 2
7

Number of private subnets: 2
8

NAT gateways: Select "1 per AZ"

⚠️ Costs ~$32/month per NAT Gateway (~$64/month total)
9

VPC endpoints: Select "None"

We'll add these later if needed
10

DNS options: Check both boxes

✓ Enable DNS hostnames
✓ Enable DNS resolution
11

Review the preview diagram on the right

Verify it shows 2 AZs, public/private subnets, IGW, and NAT gateways
12

Click "Create VPC"

This will take 2-3 minutes to create all resources

VPC Created! You now have a complete network infrastructure with public and private subnets across 2 availability zones.

3.2

Create Additional Isolated Subnets

We need isolated subnets for ElastiCache (Redis) that have no internet access.

Console Navigation

VPC Dashboard Subnets (left sidebar) Create subnet

Creating Isolated Subnet 1 (us-east-1a):

1

VPC ID: Select helium-production-vpc
2

Subnet name: helium-production-isolated-us-east-1a
3

Availability Zone: us-east-1a
4

IPv4 CIDR block: 10.0.20.0/24
5

Click "Add new subnet" to add the second one

Creating Isolated Subnet 2 (us-east-1b):

6

Subnet name: helium-production-isolated-us-east-1b
7

Availability Zone: us-east-1b
8

IPv4 CIDR block: 10.0.21.0/24
9

Click "Create subnet"

Why Isolated Subnets?

Isolated subnets have NO internet access (no NAT Gateway). This is perfect for databases and caches that should only be accessible from within your VPC.

3.3

Create Route Table for Isolated Subnets

Isolated subnets need their own route table with no internet route.

Console Navigation

VPC Dashboard Route tables (left sidebar) Create route table

1

Name: helium-production-isolated-rt
2

VPC: Select helium-production-vpc
3

Click "Create route table"
4

After creation, click the route table ID to open it
5

Go to "Subnet associations" tab
6

Click "Edit subnet associations"
7

Check both isolated subnets:

✓ helium-production-isolated-us-east-1a
✓ helium-production-isolated-us-east-1b
8

Click "Save associations"

Route Table Explanation

This route table only has the local route (10.0.0.0/16). No internet gateway or NAT gateway routes, so resources here can't access the internet.

Step 4: Create Security Groups

What are Security Groups?
Security Groups act as virtual firewalls, controlling what traffic can reach your resources. Think of them as bouncers at a club - they decide who gets in and who doesn't.

4.1

Create ALB Security Group

This security group controls traffic to your Application Load Balancer.

Console Navigation

VPC Dashboard Security groups (left sidebar) Create security group

1

Security group name: helium-alb-sg
2

Description: Security group for Application Load Balancer
3

VPC: Select helium-production-vpc
4

Inbound rules: Click "Add rule"

Add these inbound rules:

Type	Protocol	Port	Source	Description
HTTPS	TCP	443	0.0.0.0/0	Allow HTTPS from anywhere
HTTP	TCP	80	0.0.0.0/0	Allow HTTP (will redirect to HTTPS)

5

Outbound rules: Leave default (All traffic to 0.0.0.0/0)
6

Tags: Add Name = helium-alb-sg
7

Click "Create security group"

4.2

Create ECS Task Security Group

This security group controls traffic to your ECS containers (backend application).

Console Navigation

VPC Dashboard Security groups Create security group

1

Security group name: helium-ecs-task-sg
2

Description: Security group for ECS tasks
3

VPC: Select helium-production-vpc
4

Inbound rules: Click "Add rule"

Add this inbound rule:

Type	Protocol	Port	Source	Description
All traffic	All	All	helium-alb-sg	Allow traffic from ALB

How to select security group as source:
In the "Source" field, start typing "helium-alb-sg" and select it from the dropdown. This allows traffic only from the ALB security group.

5

Outbound rules: Leave default (All traffic to 0.0.0.0/0)
6

Click "Create security group"

4.3

Create ElastiCache Security Group

This security group controls access to your Redis cache.

Console Navigation

VPC Dashboard Security groups Create security group

1

Security group name: helium-elasticache-sg
2

Description: Security group for ElastiCache Redis
3

VPC: Select helium-production-vpc
4

Inbound rules: Click "Add rule"

Add this inbound rule:

Type	Protocol	Port	Source	Description
Custom TCP	TCP	6379	helium-ecs-task-sg	Allow Redis from ECS tasks

5

Outbound rules: Leave default
6

Click "Create security group"

Step 5: Create ECR Repositories

What is ECR?
Amazon Elastic Container Registry (ECR) is where you store your Docker images. Think of it like Docker Hub, but private and integrated with AWS.

5.1

Create Backend Repository

Console Navigation

AWS Console Search "ECR" Elastic Container Registry Get started (or Create repository)

1

Visibility settings: Select "Private"
2

Repository name: helium-backend
3

Tag immutability: Select "Enabled"

Prevents image tags from being overwritten
4

Scan on push: Check "Enabled"

Automatically scans images for vulnerabilities
5

Encryption: Select "AES-256"
6

Click "Create repository"

Repository Created! Copy the repository URI - you'll need it for pushing Docker images.

5.2

Set Up Lifecycle Policy

Lifecycle policies automatically delete old images to save storage costs.

Console Navigation

ECR Repositories helium-backend Lifecycle policy tab

1

Click "Create rule"
2

Rule priority: 1
3

Rule description: Keep last 10 images
4

Image status: Select "Any"
5

Match criteria: "Image count more than" = 10
6

Click "Save"

Why Lifecycle Policies?

Without lifecycle policies, old images accumulate and increase storage costs. This policy keeps only the 10 most recent images and automatically deletes older ones.

Step 6: Enable CloudTrail

What is CloudTrail?
CloudTrail records all API calls made in your AWS account. It's like a security camera for your AWS account - essential for auditing and compliance.

6.1

Create CloudTrail Trail

Console Navigation

AWS Console Search "CloudTrail" CloudTrail Trails (left sidebar) Create trail

1

Trail name: helium-production-trail
2

Storage location: Select "Create new S3 bucket"
3

Trail log bucket name: helium-cloudtrail-logs-ACCOUNT-ID

Replace ACCOUNT-ID with your AWS account ID
4

Log file SSE-KMS encryption: Check "Enabled"
5

Log file validation: Check "Enabled"

Ensures logs haven't been tampered with
6

CloudWatch Logs: Check "Enabled"
7

Log group: Select "New"
8

Log group name: /aws/cloudtrail/helium-production
9

Click "Next"
10

Event type: Keep defaults (Management events, Read and Write)
11

Click "Next" → Review → "Create trail"

Phase 1 Verification Checklist

Before proceeding to Phase 2, verify all these items are complete:

AWS account created and activated
MFA enabled on root account
IAM admin user created (helium-admin)
MFA enabled on admin user
Access keys created and saved securely
Cost Explorer enabled
Budget alerts configured
VPC created with 2 AZs
Public subnets created (2)
Private subnets created (2)
Isolated subnets created (2)
Internet Gateway attached
NAT Gateways created (2)
Route tables configured
ALB security group created
ECS task security group created
ElastiCache security group created
ECR repository created (helium-backend)
ECR lifecycle policy configured
CloudTrail enabled and logging

🎉 Phase 1 Complete!
You've successfully set up the foundation for your AWS infrastructure. You're ready to move to Phase 2: Backend Deployment!