AWS DOs and DONTs
Download as PPTX, PDF0 likes121 views
The document outlines best practices and guidelines for using AWS infrastructure effectively, emphasizing the importance of security, automation, and resource management. Key recommendations include using organizational APIs, enabling monitoring tools, and implementing encryption for data at rest and in transit. It advises against certain practices, such as overloading accounts and creating IAM users, while promoting strategies for compliance and governance.
![5 Š Copyright 2007-2018 Stelligent Systems, llc. All Rights Reserved.
DO use Organizations API
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Deny",
"Action": [
"cloudtrail:AddTags",
"cloudtrail:CreateTrail",
"cloudtrail:DeleteTrail",
"cloudtrail:RemoveTags",
"cloudtrail:StartLogging",
"cloudtrail:StopLogging",
"cloudtrail:UpdateTrail"
],
"Resource": "*"
}]
}](https://image.slidesharecdn.com/webinar-awsdosanddonts-190329073633/85/AWS-DOs-and-DONTs-5-320.jpg)
AWS DOs and DONTs
- 1. Š Copyright 2007-2018 Stelligent Systems, llc. All Rights Reserved. AWS DOs and DONâTs Casey Lee, Chief Architect 6/12/2018
- 2. 2 Š Copyright 2007-2018 Stelligent Systems, llc. All Rights Reserved. Foundation Infrastructure Automation
- 3. 3 Š Copyright 2007-2018 Stelligent Systems, llc. All Rights Reserved. Foundation Infrastructure Automation
- 4. 4 Š Copyright 2007-2018 Stelligent Systems, llc. All Rights Reserved. DONâT overload accounts ⢠Complex access administration ⢠Larger blast radius ⢠Tricky cost allocation https://aws.amazon.com/blogs/apn/migrating-applications-to-saas-a-minimally-invasive-approach/
- 5. 5 Š Copyright 2007-2018 Stelligent Systems, llc. All Rights Reserved. DO use Organizations API https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html { "Version": "2012-10-17", "Statement": [{ "Effect": "Deny", "Action": [ "cloudtrail:AddTags", "cloudtrail:CreateTrail", "cloudtrail:DeleteTrail", "cloudtrail:RemoveTags", "cloudtrail:StartLogging", "cloudtrail:StopLogging", "cloudtrail:UpdateTrail" ], "Resource": "*" }] }
- 6. 6 Š Copyright 2007-2018 Stelligent Systems, llc. All Rights Reserved. DO use a separate toolchain account https://aws.amazon.com/answers/account-management/aws-multi-account-security-strategy/
- 7. 7 Š Copyright 2007-2018 Stelligent Systems, llc. All Rights Reserved. DONâT create IAM users
- 8. 8 Š Copyright 2007-2018 Stelligent Systems, llc. All Rights Reserved. DO use federation https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction_identity-management.html
- 9. 9 Š Copyright 2007-2018 Stelligent Systems, llc. All Rights Reserved. DO enable CLI access https://aws.amazon.com/blogs/security/how-to-implement-a-general-solution-for-federated-apicli-access-using-saml-2-0/
- 10. 10 Š Copyright 2007-2018 Stelligent Systems, llc. All Rights Reserved. DO enable CloudTrail https://aws.amazon.com/answers/account-management/aws-multi-account-security-strategy/
- 11. 11 Š Copyright 2007-2018 Stelligent Systems, llc. All Rights Reserved. DO enable VPC flow logs https://aws.amazon.com/blogs/aws/vpc-flow-logs-log-and-view-network-traffic-flows/
- 12. 12 Š Copyright 2007-2018 Stelligent Systems, llc. All Rights Reserved. DO enable GuardDuty
- 14. 14 Š Copyright 2007-2018 Stelligent Systems, llc. All Rights Reserved. DONâT use public subnets http://jayendrapatil.com/aws-vpc-nat/
- 15. 15 Š Copyright 2007-2018 Stelligent Systems, llc. All Rights Reserved. DO consider a forward proxy https://aws.amazon.com/answers/networking/controlling-vpc-egress-traffic/
- 16. 16 Š Copyright 2007-2018 Stelligent Systems, llc. All Rights Reserved. DO consider a egress transit VPC https://aws.amazon.com/answers/networking/controlling-vpc-egress-traffic/
- 17. 17 Š Copyright 2007-2018 Stelligent Systems, llc. All Rights Reserved. DO use VPC endpoints https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpce-gateway.html
- 18. 18 Š Copyright 2007-2018 Stelligent Systems, llc. All Rights Reserved. DO encrypt at rest PolicyDocument: Version: '2012-10-17' Statement: - Sid: RequireEncryption Effect: Deny Principal: '*' Action: s3:PutObject Resource: arn:aws:s3:::my-bucket-name/* Condition: StringNotEquals: s3:x-amz-server-side-encryption: aws:kms
- 19. 19 Š Copyright 2007-2018 Stelligent Systems, llc. All Rights Reserved. DO encrypt in transit
- 20. 20 Š Copyright 2007-2018 Stelligent Systems, llc. All Rights Reserved. DONâT launch instances without ASG https://www.slideshare.net/AmazonWebServices/set-it-and-forget-it-auto-scaling-target-tracking-policies-aws-online-tech-talks
- 21. 21 Š Copyright 2007-2018 Stelligent Systems, llc. All Rights Reserved. DO use target tracking policies https://www.slideshare.net/AmazonWebServices/set-it-and-forget-it-auto-scaling- target-tracking-policies-aws-online-tech-talks
- 22. 22 Š Copyright 2007-2018 Stelligent Systems, llc. All Rights Reserved. DO use SSM parameter store https://www.slideshare.net/AlexMattson/secrets-management-with-ec2-systems-manager-parameter-store
- 24. 24 Š Copyright 2007-2018 Stelligent Systems, llc. All Rights Reserved. DONâT click the button
- 25. 25 Š Copyright 2007-2018 Stelligent Systems, llc. All Rights Reserved. DONâT reinvent automation tools https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-whatis-howdoesitwork.html
- 26. 26 Š Copyright 2007-2018 Stelligent Systems, llc. All Rights Reserved. DO use policies in CloudFormatoin Resource level policiesStack level policies
- 27. 27 Š Copyright 2007-2018 Stelligent Systems, llc. All Rights Reserved. DO use changesets https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-whatis-howdoesitwork.html
- 28. 28 Š Copyright 2007-2018 Stelligent Systems, llc. All Rights Reserved. DONâT overload stacks
- 29. 29 Š Copyright 2007-2018 Stelligent Systems, llc. All Rights Reserved. DONâT go 100% bake or boot for AMI https://aws.amazon.com/answers/configuratio n-management/aws-ami-design/
- 30. 30 Š Copyright 2007-2018 Stelligent Systems, llc. All Rights Reserved. DO prefer containers over instances https://platform9.com/blog/kubernetes-vs-ecs/
- 31. 31 Š Copyright 2007-2018 Stelligent Systems, llc. All Rights Reserved. DO governance via Service Catalog https://www.slideshare.net/AmazonWebServices/aws-service-catalog
- 32. 32 Š Copyright 2007-2018 Stelligent Systems, llc. All Rights Reserved. DO assess security in pipelines https://stelligent.com/2016/04/05/continuous-security/
- 33. 33 Š Copyright 2007-2018 Stelligent Systems, llc. All Rights Reserved. DO automated compliance - name: s3-event-global-access mode: type: cloudtrail events: - source: s3.amazonaws.com ids: requestParameters.bucketName event: PutBucketAcl runtime: python3.6 resource: s3 filters: - type: global-grants actions: - delete-global-grants - name: create-bucket-autotag mode: type: cloudtrail events: - source: s3.amazonaws.com ids: requestParameters.bucketName event: CreateBucket runtime: python3.6 resource: s3 filters: - tag:Owner: absent actions: - type: auto-tag-user tag: Owner Disable all global-grants Auto tag with Owner Cloud Custodian
- 35. 35 Š Copyright 2007-2018 Stelligent Systems, llc. All Rights Reserved. DO make it your own https://www.lifegate.com/people/lifestyle/kintsugi
- 37. stelligent.com