Deploy Laravel to AWS via Console (Part 0): Prerequisites — AWS Account, IAM & Billing Setup

This series guides you through deploying Laravel to AWS entirely via the AWS Console — no terminal, no CLI needed. Every action is click-by-click in the browser.

If you've seen the Deploy Laravel to AWS series (CLI version), the architecture and end result are identical. The only difference is how you get there: Console instead of command line.

Who should read this? You prefer visual interfaces, want to see every setting before creating resources, or simply aren't comfortable with the terminal yet. This series is for you.

1. Create an AWS Account

1. Open your browser, go to aws.amazon.com
2. Click "Create an AWS Account" (orange button, top right)
3. Fill in:
   • Email: Use a work email or a dedicated email for AWS (not your personal one)
   • Account name: e.g., My Laravel Production
4. Verify email via OTP code
5. Set a root user password (strong, saved in a password manager)
6. Choose Personal or Business account (both work)
7. Enter payment info (credit/debit card — won't be charged within Free Tier)
8. Verify phone number (SMS or call)
9. Select Basic Support - Free
10. Done — wait a few minutes for activation

Free Tier — 12 Months Free

Warning: Anything beyond Free Tier will be charged. We'll set up billing alerts below.

2. Secure the Root Account

The root account has unlimited access to everything. Never use it for daily work.

Enable MFA for Root

1. Sign in to AWS Console with root email
2. Click account name (top right) → Security credentials
3. Scroll to Multi-factor authentication (MFA)
4. Click "Assign MFA device"
5. Name: root-mfa
6. Choose Authenticator app
7. Click "Show QR code"
8. Open authenticator app on phone (Google Authenticator, Authy, etc.) → scan QR
9. Enter two consecutive MFA codes (wait for first to expire, enter second)
10. Click "Add MFA"

Root is now protected. Every root login will require MFA.

Rule: Only use root for billing management and creating IAM users. Everything else uses IAM users.

3. Create an IAM User

3a. Open IAM Console

1. Top search bar → type "IAM" → click IAM (not IAM Identity Center)
2. Left menu → Users
3. Click "Create user"

3b. User Details

Click Next.

3c. Assign Permissions

1. Select "Attach policies directly"
2. Search and check each policy:

3. Click Next → Create user

Production tip: In real environments, use custom policies with least privilege. FullAccess policies are convenient for learning but too broad.

3d. Save Console Login Info

After creation, AWS shows:

• Console sign-in URL: https://123456789012.signin.aws.amazon.com/console
• User name: laravel-deployer
• Password: the one you set

Save the Console sign-in URL — you'll use this instead of the main AWS page.

3e. Enable MFA for IAM User

1. IAM → Users → laravel-deployer
2. Security credentials tab
3. Multi-factor authentication (MFA) → Assign MFA device
4. Same process as root: scan QR, enter two codes
5. Done

3f. Sign In as IAM User

1. Sign out of root
2. Go to the Console sign-in URL (step 3d)
3. Enter Account ID, User name: laravel-deployer, Password
4. Enter MFA code
5. You're in the Console as IAM user

From now on, every action in this series is performed as IAM user laravel-deployer.

4. Set Up Billing Alerts

4a. Enable IAM Billing Access

By default, only root can view billing:

1. Sign in as root
2. Click account name → Account
3. Scroll to IAM user and role access to Billing information
4. Click Edit → check Activate IAM Access → Update

4b. Create Budget

1. Sign back in as laravel-deployer
2. Search bar → "Budgets" → AWS Budgets
3. Click "Create budget"
4. Template: "Zero spend budget"
   • Budget name: zero-spend-alert
   • Email recipients: your email
5. Create budget

4c. Additional Budget (Optional)

1. Create budget → "Monthly cost budget"
2. Amount: $50 (or your limit)
3. Alert thresholds: 50%, 80%, 100%
4. Create budget

5. Choose Region

1. Top right corner of Console, next to account name
2. Click the current region name
3. Select your region:

This series uses ap-northeast-1 (Tokyo).

Important: Each region is independent. Resources created in Tokyo won't appear in Singapore. Always verify your region before creating anything.

6. Core AWS Concepts

Region & Availability Zone (AZ)

AWS Cloud
├── ap-northeast-1 (Tokyo Region)
│   ├── ap-northeast-1a (AZ-a)
│   ├── ap-northeast-1c (AZ-c)
│   └── ap-northeast-1d (AZ-d)
├── us-east-1 (Virginia Region)
│   └── ...
└── ...

• Region: Geographic area. Services and data stay in your chosen region.
• AZ: Isolated data centers within a region. Multiple AZs = high availability.

VPC (Virtual Private Cloud)

Your private network inside AWS. Think of it as an office building — you control who gets in, which rooms connect, and which face the internet.

Subnet

A "room" inside VPC:

• Public subnet: Has internet access (load balancers, web servers)
• Private subnet: No direct internet access (databases, cache — more secure)

Security Group

A virtual firewall for each resource:

Security Group for EC2:
  Inbound:  Port 80 only from ALB
  Inbound:  Port 22 only from your IP
  Outbound: All traffic

Security Group for RDS:
  Inbound:  Port 3306 only from EC2
  Outbound: None needed

IAM Role (vs IAM User)

• IAM User: For humans. Long-lived passwords or access keys.
• IAM Role: For AWS services (EC2, Lambda). Temporary, auto-rotating credentials. More secure.

In this series, EC2 will use an IAM Role to access S3 — no access keys stored on the server.

Checklist Before Part 1

• AWS account created and activated
• MFA enabled for root
• IAM user laravel-deployer created with policies
• MFA enabled for IAM user
• Signed in to Console as IAM user
• Billing alerts configured
• Region set to ap-northeast-1
• Understood: Region, AZ, VPC, Subnet, Security Group

Ready? Let's build the network.

Series Navigation:

• Part 0: Prerequisites (You are here)
• Part 1: Architecture & VPC →
• Part 2: EC2 & Amazon Linux 2023 →
• Part 3: RDS, S3 & ElastiCache →
• Part 4: ALB, CloudFront & SSL →
• Part 5: CI/CD & Zero-Downtime Deploy →