6. Mistake #1: AWS Credentials in Code Repository
What can you do with an AWS access token and secret key?
7. Mistake #1: AWS Credentials in Code Repository
• 1 instance of Windows with SQL Enterprise = $31 / hour
• 10 instances of Windows with SQL Enterprise = $310 / hour
• Delete your EC2 instances
• Delete your databases
• Steal your data
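The usual way this mistake is caught before it reaches a public repository is a pre-commit or CI scan for the key formats. The script below is an added example (not part of the original deck) of such a scan: it flags 20-character access key IDs (AKIA/ASIA prefix) and 40-character secrets that follow a `secret_access_key`-style label, and masks what it reports so the scan log does not itself leak the credential. The sample config embedded at the bottom is constructed and uses the placeholder key pair from the AWS documentation, not a live key.

```python
import re
import sys
from typing import List, NamedTuple

# Long-term access key IDs start with AKIA and temporary (STS) ones with ASIA;
# both are 20 characters. Secret keys are 40 characters with no fixed prefix,
# so they are only flagged when they follow a label such as
# aws_secret_access_key=... (label and value may be separated by = or :).
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
SECRET_KEY_RE = re.compile(
    r"(?:aws)?_?secret(?:_access)?_?key\s*[=:]\s*['\"]?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])",
    re.IGNORECASE,
)


class Finding(NamedTuple):
    path: str
    line_no: int
    kind: str
    masked: str  # never report the full value: the scanner's output is itself a secret sink


def mask(value: str) -> str:
    """Keep the first and last four characters so a finding can be matched to a key."""
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan_text(path: str, text: str) -> List[Finding]:
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append(Finding(path, line_no, "access_key_id", mask(m.group(0))))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append(Finding(path, line_no, "secret_access_key", mask(m.group(1))))
    return findings


def scan_files(paths: List[str]) -> List[Finding]:
    findings = []
    for path in paths:
        try:
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                findings.extend(scan_text(path, fh.read()))
        except OSError:
            continue  # directories, deleted files, unreadable paths
    return findings


# Constructed sample: this is the placeholder key pair from the AWS
# documentation, not a live credential.
SAMPLE_CONFIG = """\
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
region = us-east-1
"""

if __name__ == "__main__":
    # Pre-commit usage: git diff --cached --name-only | xargs python scan_creds.py
    hits = scan_files(sys.argv[1:]) if len(sys.argv) > 1 else scan_text("sample", SAMPLE_CONFIG)
    for hit in hits:
        print(f"{hit.path}:{hit.line_no}: {hit.kind} {hit.masked}")
    sys.exit(1 if hits else 0)
```

A non-zero exit status from the hook blocks the commit; a key that has already been pushed must be treated as compromised and rotated regardless of whether the commit is later rewritten.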
8. Mistake #2: Inbound Rule of 0.0.0.0/0
Profit
• Limit the source of inbound rules to only limited IP ranges, ports and
protocols.
• You can use another security group ID as the traffic source.
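The two bullets above translate directly into an audit check: any inbound rule whose source is 0.0.0.0/0 (or ::/0) on a port that is not on the public allow-list is a finding, while rules whose source is another security group ID or a private CIDR pass. The script below is an added example (not from the deck) that evaluates a group in the shape boto3's `describe_security_groups` returns under `IpPermissions`; the group, its rules and the security group IDs are constructed placeholders.

```python
from typing import Dict, FrozenSet, List

# Constructed sample group; IDs are placeholders.
SAMPLE_GROUP = {
    "GroupId": "sg-0123456789abcdef0",
    "GroupName": "web",
    "IpPermissions": [
        # HTTPS from anywhere: expected for a public web tier.
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
         "UserIdGroupPairs": []},
        # SSH from anywhere: the mistake on this slide.
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        # MySQL only from members of the app tier's security group (second bullet).
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [], "Ipv6Ranges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0fedcba9876543210"}]},
        # All traffic, but only from the VPC's private range.
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}],
         "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ],
}

WORLD = {"0.0.0.0/0", "::/0"}


def world_sources(perm: Dict) -> List[str]:
    """Return the any-source CIDRs (v4 or v6) a rule permits, if any."""
    v4 = [r["CidrIp"] for r in perm.get("IpRanges", []) if r.get("CidrIp") in WORLD]
    v6 = [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") in WORLD]
    return v4 + v6


def describe_ports(perm: Dict) -> str:
    if perm.get("IpProtocol") == "-1":
        return "all protocols/ports"
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    return f"{perm['IpProtocol']}/{lo}" if lo == hi else f"{perm['IpProtocol']}/{lo}-{hi}"


def audit_group(group: Dict,
                allowed_public_ports: FrozenSet[int] = frozenset({80, 443})) -> List[str]:
    """List inbound rules open to the world on ports outside the public allow-list."""
    findings = []
    for perm in group.get("IpPermissions", []):
        sources = world_sources(perm)
        if not sources:
            continue  # source is a specific CIDR or another security group
        lo, hi = perm.get("FromPort"), perm.get("ToPort")
        # "-1" is every protocol; a missing or -1 FromPort means all ports of that protocol.
        wide_open = perm.get("IpProtocol") == "-1" or lo is None or lo < 0
        if not wide_open and all(p in allowed_public_ports for p in range(lo, hi + 1)):
            continue
        findings.append(
            f"{group['GroupId']} ({group.get('GroupName', '?')}): "
            f"{describe_ports(perm)} open to {', '.join(sources)}"
        )
    return findings


if __name__ == "__main__":
    for line in audit_group(SAMPLE_GROUP):
        print(line)
```

Running it on the sample reports only the SSH rule; the 3306 rule passes because its source is a security group ID rather than a CIDR, which is the pattern the second bullet recommends.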
10. Mistake #4: Infrastructure NOT as Code
1. I am just going to make this small change and see if that works ..
2. Hmm .. That does not work.
3. Repeat 1 & 2 for the next hour.
4. After an hour: That works! This is easy.
5. This is enough for today.
A month later … $#^@%#%
Profit
11. Mistake #5: The Trap of Over-Automation
Profit
1. Is it repeatable?
2. Does it require human intervention?
12. Mistake #6: Not Shutting Down Instances
Monthly Cost of an EC2 instance
t2.micro      $14.64
m4.xlarge     $585.60
i2.8xlarge    $4,992.24
Profit
• Automate instance self-destruction as part of the user data:
  sudo at -f /usr/local/bin/deletestack.sh now + ${TTL} hours
• Use AWS Config Rules to alert on the creation of certain instance types.
• Auto-tag instances with the creator's email address (GorillaStack's AutoTag open source project).
13. Mistake #7: Running out of CPU Credit
Profit
• Monitor CPUCredit and CPUCreditBalance using CloudWatch
• Scale horizontally if CPUCreditBalance is low
• Scale vertically (change instance type)
• 1 CPU Credit = 1 minute of 1 vCPU usage at 100%
• t2.micro: starting CPU credit = 30 credits; credits earned per hour = 6 credits; base performance = 10%
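The numbers on this slide are enough to predict when a t2.micro under load will be throttled to its baseline. Since one credit is one vCPU-minute at 100%, a vCPU at utilization u spends u credits per minute and earns 6/60 = 0.1 per minute, so the two cancel at exactly the 10% baseline and any sustained load above that drains the 30-credit starting balance at (u - 0.1) credits per minute. The script below is an added example (not from the deck) that gives both the closed form and a minute-by-minute simulation; the 144-credit cap (24 hours of earning before credits expire) is an assumption taken from the t2 burst model, not a figure on the slide.

```python
from typing import NamedTuple, Optional

# Slide figures for t2.micro: 30 starting credits, 6 earned per hour, 10% baseline.
# max_balance (24 h x 6) is an assumption from the burst model, not from the slide.
T2_MICRO = dict(start=30.0, earn_per_hour=6.0, baseline=0.10, max_balance=144.0)


class BurstResult(NamedTuple):
    final_balance: float
    throttled_at_minute: Optional[int]  # first minute the vCPU got less than requested
    delivered_utilization: float        # average utilization actually delivered


def minutes_until_exhausted(utilization: float, profile=T2_MICRO) -> Optional[float]:
    """Closed form: starting balance / (spend rate - earn rate); None if never drained."""
    net_per_minute = utilization - profile["earn_per_hour"] / 60.0
    if net_per_minute <= 0:
        return None
    return profile["start"] / net_per_minute


def simulate(utilization: float, hours: float, profile=T2_MICRO) -> BurstResult:
    """Minute-by-minute credit balance for a constant requested utilization (0..1).

    Once the balance is empty only the credits earned that minute (0.1, i.e. the
    10% baseline) can be spent, which is what throttling looks like to the guest.
    """
    balance = profile["start"]
    earn_per_min = profile["earn_per_hour"] / 60.0
    throttled_at = None
    delivered = 0.0
    total_minutes = int(hours * 60)
    for minute in range(1, total_minutes + 1):
        balance = min(profile["max_balance"], balance + earn_per_min)
        spend = min(utilization, balance)
        balance -= spend
        delivered += spend
        if spend < utilization and throttled_at is None:
            throttled_at = minute
    avg = delivered / total_minutes if total_minutes else 0.0
    return BurstResult(balance, throttled_at, avg)


if __name__ == "__main__":
    for u in (0.05, 0.10, 0.50, 1.00):
        r = simulate(u, hours=1)
        print(f"{u:>4.0%} load: closed form {minutes_until_exhausted(u)} min,"
              f" throttled at minute {r.throttled_at_minute},"
              f" delivered {r.delivered_utilization:.0%}")
```

At 100% requested load the closed form gives 33.3 minutes and the simulation reports the first throttled minute as 34, after which the instance delivers only 10%; this is the cliff the CloudWatch CPUCreditBalance alarm is meant to catch before it happens.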
15. Mistake #9: 503 Slow Down Errors from S3
• If you expect a rapid increase to 300 PUT/LIST/DELETE requests per second, or to more than 800 GET requests per second, tell AWS in advance so they can be prepared.
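Telling AWS ahead of a planned ramp covers the expected case; the client still has to survive the 503 Slow Down responses it gets when a burst arrives unannounced. The retry wrapper below is an added example (not from the deck) of the standard answer, exponential backoff with full jitter, written against a constructed stand-in client so it runs offline; `SlowDownError` and `FlakyBucket` are substitutes for botocore's `ClientError` with error code `SlowDown` and for a real S3 client.

```python
import random
import time
from typing import Callable, TypeVar

T = TypeVar("T")


class SlowDownError(Exception):
    """Stand-in for botocore ClientError with Error.Code == 'SlowDown' (HTTP 503)."""
    code = "SlowDown"


def is_throttle(exc: Exception) -> bool:
    """Retry only throttling-class errors; a 403 or a bad key should fail fast."""
    return getattr(exc, "code", None) in {"SlowDown", "Throttling", "ServiceUnavailable"}


def full_jitter_delay(attempt: int, base: float = 0.1, cap: float = 5.0,
                      rng: Callable[[], float] = random.random) -> float:
    """Full jitter: uniform in [0, min(cap, base * 2**attempt)] so retries from
    many clients do not line up into a second burst."""
    return rng() * min(cap, base * 2 ** attempt)


def call_with_backoff(fn: Callable[[], T], *, max_attempts: int = 8, base: float = 0.1,
                      cap: float = 5.0, sleep: Callable[[float], None] = time.sleep,
                      rng: Callable[[], float] = random.random,
                      is_retryable: Callable[[Exception], bool] = is_throttle) -> T:
    for attempt in range(max_attempts):
        try:
            return fn()
        except Exception as exc:
            if not is_retryable(exc) or attempt == max_attempts - 1:
                raise  # give up: not a throttle, or budget exhausted
            sleep(full_jitter_delay(attempt, base, cap, rng))
    raise RuntimeError("unreachable")  # loop always returns or raises


class FlakyBucket:
    """Constructed stand-in for an S3 client that throttles the first N calls."""

    def __init__(self, failures: int):
        self.failures = failures
        self.calls = 0

    def put_object(self, key: str, body: bytes) -> dict:
        self.calls += 1
        if self.calls <= self.failures:
            raise SlowDownError("503 Slow Down")
        return {"Key": key, "ContentLength": len(body)}


if __name__ == "__main__":
    bucket = FlakyBucket(failures=3)
    result = call_with_backoff(lambda: bucket.put_object("reports/2016-09.csv", b"a,b,c\n"))
    print(result, "after", bucket.calls, "attempts")
```

With boto3 the same behaviour can be configured instead of hand-written (`botocore.config.Config(retries={...})`), but the wrapper shows the two properties that matter: the delay grows per attempt and is randomised, and non-throttle errors are not retried.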
22. Mistake #14: S3 Bucket Names
“The name must be unique across all existing bucket names in Amazon S3.” - AWS
Profit
• Don’t assume that the S3 bucket name is available
• Make it configurable
23. Mistake #15: S3 Encryption Setting
Selecting an encryption method in the bucket settings makes sure that all future objects in the bucket will be encrypted - FALSE
Profit
• Make sure to set the x-amz-server-side-encryption header in the PUT requests.
• Create an S3 bucket policy to reject requests without the header.
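The two bullets are two halves of one control: clients send the header, and the bucket policy refuses any PUT that arrives without it. The script below is an added example (not from the deck) that builds that policy as two explicit Deny statements on the `s3:x-amz-server-side-encryption` condition key (one for a missing header, one for a disallowed algorithm) and includes a small evaluator for exactly those two condition operators so the policy can be exercised offline. The evaluator models only this policy shape, not IAM's full evaluation logic; the bucket name is a placeholder.

```python
from typing import Dict, Optional, Sequence

SSE_KEY = "s3:x-amz-server-side-encryption"   # condition key mirroring the PUT header
SSE_HEADER = "x-amz-server-side-encryption"


def build_sse_bucket_policy(bucket: str,
                            algorithms: Sequence[str] = ("AES256", "aws:kms")) -> Dict:
    """Explicit Deny beats any Allow in IAM, so no grant elsewhere can bypass this."""
    objects = f"arn:aws:s3:::{bucket}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            # PUT without the header at all (the mistake on this slide).
            {"Sid": "DenyUnencryptedPuts", "Effect": "Deny", "Principal": "*",
             "Action": "s3:PutObject", "Resource": objects,
             "Condition": {"Null": {SSE_KEY: "true"}}},
            # PUT with the header but an algorithm you did not approve.
            {"Sid": "DenyWrongAlgorithm", "Effect": "Deny", "Principal": "*",
             "Action": "s3:PutObject", "Resource": objects,
             "Condition": {"StringNotEquals": {SSE_KEY: list(algorithms)}}},
        ],
    }


def put_denied(policy: Dict, headers: Dict[str, str]) -> Optional[str]:
    """Return the Sid of the Deny statement that blocks the PUT, or None if it passes.

    Handles only the Null and StringNotEquals operators used by the policy above.
    """
    value = headers.get(SSE_HEADER)
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or stmt["Action"] != "s3:PutObject":
            continue
        cond = stmt["Condition"]
        if "Null" in cond and cond["Null"].get(SSE_KEY) == "true" and value is None:
            return stmt["Sid"]
        if "StringNotEquals" in cond and value is not None:
            allowed = cond["StringNotEquals"][SSE_KEY]
            allowed = [allowed] if isinstance(allowed, str) else allowed
            if value not in allowed:
                return stmt["Sid"]
    return None


def put_headers(algorithm: str = "AES256", kms_key_id: Optional[str] = None) -> Dict[str, str]:
    """Headers a compliant client sends; boto3's put_object(ServerSideEncryption=...) sets them."""
    headers = {SSE_HEADER: algorithm}
    if algorithm == "aws:kms" and kms_key_id:
        headers["x-amz-server-side-encryption-aws-kms-key-id"] = kms_key_id
    return headers


if __name__ == "__main__":
    policy = build_sse_bucket_policy("example-bucket")  # placeholder bucket name
    for hdrs in ({}, put_headers("AES256"), {SSE_HEADER: "none"}):
        print(hdrs, "->", put_denied(policy, hdrs) or "allowed")
```

The policy is the half that actually enforces the slide's point: a client that forgets the header gets a 403 from S3 instead of silently writing plaintext, so the bug is found at the first upload rather than at the next audit.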
26. Mistake #18: Running yum update via Cron Job
java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
27. Mistake #19: Too Restrictive of Outbound Security Groups
Timeout on http://packages.eu-west-1.amazonaws.com/2016.09/main/20160901f6a8/x86_64/repodata/repomd.xml?instance_id=i-0326a960d33aafbeb&region=us-east-1: (28, 'Resolving timed out after 10521 milliseconds')