Deploy Laravel to AWS (Part 0): Prerequisites — AWS Account, IAM & CLI Setup


This series assumes you have a working Laravel app and basic terminal knowledge. No AWS experience required. This Part 0 covers everything you need before Part 1.

If you already have an AWS account with CLI configured, skip to Part 1.

1. Create an AWS Account

Go to aws.amazon.com → Create an AWS Account.

You'll need:

  • Email address (use a dedicated one, not personal)
  • Credit card (you won't be charged if you stay within Free Tier)
  • Phone number for verification

Free Tier — What You Get Free for 12 Months

Service     | Free Tier Limit
------------|-----------------------------------------
EC2         | 750 hours/month of t2.micro or t3.micro
RDS         | 750 hours/month of db.t3.micro
S3          | 5 GB storage
CloudFront  | 1 TB data transfer
ElastiCache | 750 hours of cache.t3.micro

Warning: Anything outside Free Tier gets billed. We'll set up billing alerts below.

2. Secure the Root Account

The root account has unlimited access to everything. Never use it for daily work.

Enable MFA on Root

  1. Sign in as root → IAM → Dashboard
  2. Click "Add MFA" under Security recommendations
  3. Choose Authenticator app (Google Authenticator, Authy, etc.)
  4. Scan the QR code and enter two consecutive codes
  5. Done — root account is now protected

Rule: After this, you will only sign in as root to manage billing or create IAM users. Never use root for CLI or deployments.

3. Create an IAM User

IAM (Identity and Access Management) lets you create users with specific permissions.

3a. Create the User

IAM → Users → Create user:

  • User name: laravel-deployer
  • Access type: Check "Provide user access to the AWS Management Console" (optional, for Console access)
  • Click Next

3b. Attach Permissions

Choose "Attach policies directly" and add these managed policies:

AmazonEC2FullAccess
AmazonRDSFullAccess
AmazonS3FullAccess
AmazonVPCFullAccess
ElasticLoadBalancingFullAccess
CloudFrontFullAccess
AmazonRoute53FullAccess
AmazonElastiCacheFullAccess
AWSCertificateManagerFullAccess

Production tip: In a real team environment, create custom policies with minimum required permissions. FullAccess policies are convenient for learning but overly broad.

3c. Create Access Key

After the user is created:

  1. IAM → Users → laravel-deployer → Security credentials
  2. Create access key
  3. Use case: "Command Line Interface (CLI)"
  4. Confirm and click Create
  5. Save both values immediately — the Secret Access Key is shown only once:
Access Key ID:     AKIAIOSFODNN7EXAMPLE
Secret Access Key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

Never commit these to git. Never put them in your Laravel .env that gets committed. Never share them in Slack/Discord.
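
One way to enforce the rule above mechanically, as an added example (not code from the original article): a POSIX shell check that scans staged content for AWS access key IDs and likely secret keys, and reports only file and line number. The function names, the `--staged` switch and the secret-key heuristic are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the article: refuse commits containing AWS keys.
# Reports file and line number only, so the key never lands in hook output.

# Access key ID: AKIA (long-lived IAM user key) or ASIA (temporary STS key)
# followed by 16 uppercase letters or digits, not embedded in a longer token.
KEY_ID_RE='(^|[^A-Z0-9])(AKIA|ASIA)[A-Z0-9]{16}([^A-Z0-9]|$)'
# Secret keys carry no prefix. Heuristic (assumption of this example): a
# 40-character base64-style value assigned to a name containing "secret".
SECRET_RE='[Ss][Ee][Cc][Rr][Ee][Tt][^=:]*[=:][^A-Za-z0-9/+]*[A-Za-z0-9/+]{40}([^A-Za-z0-9/+]|$)'

# scan_stream LABEL: read text on stdin, print "LABEL:LINE: ..." per hit.
# Returns 0 when the input is clean, 1 when at least one line matched.
scan_stream() {
  # grep exits 1 on "no match", which is the good case here.
  hits=$(grep -nE -e "$KEY_ID_RE" -e "$SECRET_RE" | cut -d: -f1 || true)
  if [ -z "$hits" ]; then return 0; fi
  for n in $hits; do
    echo "$1:$n: possible AWS credential"
  done
  return 1
}

# scan_staged: scan the staged version of every added/copied/modified file.
scan_staged() {
  git diff --cached --name-only --diff-filter=ACM | (
    status=0
    while IFS= read -r path; do
      # ":path" names the blob in the index, i.e. what would be committed.
      git show ":$path" | scan_stream "$path" || status=1
    done
    exit "$status"
  )
}

# Hook entry point: .git/hooks/pre-commit runs this file with --staged.
if [ "${1:-}" = "--staged" ]; then
  scan_staged || { echo "commit blocked: remove the credentials above" >&2; exit 1; }
fi
```

Save it as an executable script and call it from `.git/hooks/pre-commit` with `--staged`. Hooks are local to each clone, so every developer machine needs its own copy.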

4. Install AWS CLI

macOS

brew install awscli

Linux (Ubuntu/Debian)

curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip
sudo ./aws/install
rm -rf awscliv2.zip aws/

Windows

Download the MSI installer from the AWS CLI install page.

Verify Installation

aws --version
# aws-cli/2.x.x Python/3.x.x ...

5. Configure AWS CLI

aws configure

It will prompt for 4 values:

AWS Access Key ID [None]: AKIAIOSFODNN7EXAMPLE
AWS Secret Access Key [None]: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
Default region name [None]: ap-northeast-1
Default output format [None]: json

Region: Choose the region closest to your users. This series uses ap-northeast-1 (Tokyo). Common options:

  • ap-northeast-1 — Tokyo
  • ap-southeast-1 — Singapore
  • us-east-1 — N. Virginia (cheapest, most services)
  • eu-west-1 — Ireland

Verify It Works

aws sts get-caller-identity

Expected output:

{
    "UserId": "AIDAIOSFODNN7EXAMPLE",
    "Account": "123456789012",
    "Arn": "arn:aws:iam::123456789012:user/laravel-deployer"
}

If you see your account info, you're ready.

6. Set Up a Billing Alarm

Don't get surprised by unexpected charges.

Via Console (Easiest)

  1. Go to Billing → Budgets → Create budget
  2. Choose "Zero spend budget" (alerts when anything is charged)
  3. Enter your email
  4. Create

Via CLI

# First, create an SNS topic for notifications
aws sns create-topic --name billing-alerts --region us-east-1

# Subscribe your email
aws sns subscribe \
  --topic-arn arn:aws:sns:us-east-1:YOUR_ACCOUNT_ID:billing-alerts \
  --protocol email \
  --notification-endpoint your-email@example.com \
  --region us-east-1

# Confirm the subscription email that arrives in your inbox

Note: Billing alarms must be created in us-east-1 regardless of your default region.

7. Core AWS Concepts

Before Part 1, understand these building blocks:

Region & Availability Zone (AZ)

AWS Cloud
├── ap-northeast-1 (Tokyo Region)
│   ├── ap-northeast-1a (AZ-a)  ← A physical data center
│   ├── ap-northeast-1c (AZ-c)  ← Another data center
│   └── ap-northeast-1d (AZ-d)
├── us-east-1 (Virginia Region)
│   ├── us-east-1a
│   └── ...
└── ...

  • Region: Geographic area (Tokyo, Singapore, etc.). Services and data stay in the region you choose.
  • AZ: Isolated data centers within a region. Using multiple AZs = high availability.

VPC (Virtual Private Cloud)

Your own private network inside AWS. Think of it as your office building — you control who enters, which rooms connect to each other, and which rooms face the internet.

Subnet

A "room" inside your VPC:

  • Public subnet: Has internet access (load balancers, bastion hosts)
  • Private subnet: No direct internet access (databases, cache — more secure)

Security Group

A firewall for each resource. Rules define which traffic is allowed in and out:

EC2 Security Group:
  Inbound:  Port 80 from ALB only
  Inbound:  Port 22 from your IP only
  Outbound: All traffic

RDS Security Group:
  Inbound:  Port 3306 from EC2 only
  Outbound: None needed

IAM Role (vs IAM User)

  • IAM User: For humans (you). Has long-lived access keys.
  • IAM Role: For AWS services (EC2, Lambda). Temporary credentials, auto-rotated. More secure.

In this series, EC2 will use an IAM Role to access S3, so no access keys are stored on the server.

8. Tools You'll Need Locally

Tool        | Purpose              | Install
------------|----------------------|----------------------------------
AWS CLI     | Manage AWS resources | See above
SSH client  | Connect to EC2       | Built into macOS/Linux
Text editor | Edit configs         | VS Code, Vim, etc.
Git         | Version control      | brew install git / apt install git

Checklist Before Part 1

  • AWS account created
  • MFA enabled on root account
  • IAM user laravel-deployer created with access key
  • AWS CLI installed and aws configure done
  • aws sts get-caller-identity returns your account info
  • Billing alarm set up
  • You understand: Region, AZ, VPC, Subnet, Security Group

All set? Let's build the infrastructure.

