Slides for the AWS Meetup - MN September 2017

1. Top 23 Things NOT to Do in
AWS
AWS MN Meetup – September 2017
Ervan Setiawan
Senior Architect, Cloud Center of Excellence

3. “A Successful Person Will Profit From
Their Mistakes And Try It Again In a
Different Way”

4. “A Successful Person Will Profit From
Somebody Else’s Mistakes And Try It
Again In a Different Way”

5. Mistake #1: AWS Credentials in Code Repository

6. Mistake #1: AWS Credentials in Code Repository
What can you do with an AWS access token and secret key?

7. Mistake #1: AWS Credentials in Code Repository
• 1 instance of Windows with SQL Enterprise = $31 / hour
• 10 instances of Windows with SQL Enterprise = $310 / hour
• Delete your EC2 instances
• Delete your databases
• Steal your data

8. Mistake #2: Inbound Rule of 0.0.0.0/0
Profit
• Limit the source of inbound rules to only limited IP ranges, ports and
protocols.
• You can use another security group ID as the traffic source.

9. Mistake #3: launch-wizard-10329840

10. Mistake #4: Infrastructure NOT as a Code
1. I am just going to make this small change and see if that works ..
2. Hmm .. That does not work.
3. Repeat 1 & 2 for the next hour.
4. After an hour: That works! This is easy.
5. This is enough for today.
A month later … $#^@%#%
Profit

11. Mistake #5: The Trap of Over Automation
Profit
1. Is it repeatable?
2. Does it require human intervention?

12. Mistake #6: Not Shutting Down Instances
Monthly Cost of an EC2 instance
t2.micro $14.64
m4.xlarge $585.60
I2.8xlarge $4,992.24
Profit
• Automate instance self destruction as part of the user data.
sudo at -f /usr/local/bin/deletestack.sh now +
${TTL} hours
• Use AWS Config Rules to alert on certain instance types creation
• Auto tag instances with the creator’s email address.
GorillaStack’s AutoTag open source project.

13. Mistake #7: Running out of CPU Credit
Profit
• Monitor CPUCredit and
CPUCreditBalance using CloudWatch
• Scale horizontally if CPUCreditBalance is
low
• Scale vertically (change instance type)
• 1 CPU Credit = 1 minute of 1 vCPU usage at 100%
• t2.micro
Starting CPU Credit = 30 Credits.
Credits earned/hour = 6 Credits.
Base performance = 10%

14. Mistake #8:

15. Mistake #9: 503 Slow Down Errors from S3
• Rapid increase to 300 PUT/LIST/DELETE requests / second or
more than 800 GET requests / second is advised to tell AWS
so they can be prepared.

16. Mistake #10: Not Using S3 Bucket Policy
Bob’s Bucket
Alice’s Bucket
Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": ["arn:aws:s3:::bobbucket/*"]
Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": ["arn:aws:s3:::alicebucket/*"]
Effect": "Allow",
"Action": [
"s3:GetObject"],
"Resource": ["arn:aws:s3:::*”]

17. Mistake #10: Not Using S3 Bucket Policy
Bob’s Bucket
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"NotPrincipal": {
"AWS": [
"arn:aws:iam::Bob"
]
},
"Action": [
"s3:*"
],
"Resource": "arn:aws:s3:::bobbucket/*"
}
]
}

18. Mistake #11: Not Using KMS Key Policy
Bob’s Key
Alice’s Key
Effect": "Allow",
"Action": [
”kms:decrypt”
],
"Resource": ["arn:aws:kms:::bobkey”]
Effect": "Allow",
"Action": [
”kms:decrypt”
],
"Resource": ["arn:aws:kms:::alicekey"]
Effect": "Allow",
"Action": [
”kms:*"],
"Resource": ["arn:aws:kms::*”]

19. Mistake #11: Not Using KMS Key Policy
Bob’s Key
Effect": "Allow",
"Principal":
{ "AWS": ”Bob”},
"Action": [
"kms:Decrypt"
]

20. Mistake #12:
Who are ”Authenticated AWS Users”?
Any user that has an AWS account

21. Mistake #13: Misconfigured CNAME to S3 bucket configuration
blackfriday.mydomain.com -> mybucket.s3-website-us-east-1.amazonaws.com

22. Mistake #14: S3 Bucket Names
“The name must be unique across all
existing bucket names in Amazon S3.” -
AWS
Profit
• Don’t assume that the S3 bucket name is available
• Make it configurable

23. Mistake #15: S3 Encryption Setting
Selecting the encryption method makes sure that all future objects in
the S3 will be encrypted - FALSE
Profit
• Make sure to set the x-amz-server-side-encryption header in the PUT
requests.
• Create an S3 bucket policy to reject requests without the header.

24. Mistake #16: Heavy Weight Health Checks
1 instance -> 6 * 3 = 18 health checks / minute
3 instances -> 18 * 3 = 54 health checks / minute
EC2
EC2
EC2
Dependency
ELB AZ1
ELB AZ2
ELB AZ3

25. Mistake #17: Public AMI

26. Mistake #18: Running yum update via Cron Job
java.security.InvalidAlgorithmParameterException: the trustAnchors parameter
must be non-empty

27. Mistake #19: Too Restrictive of Outbound Security Groups
Timeout on http://packages.eu-west-
1.amazonaws.com/2016.09/main/20160901f6a8/x86_64/repodata/repomd.xml
?instance_id=i-0326a960d33aafbeb&region=us-east-1: (28, 'Resolving timed out
after 10521 milliseconds')

28. Mistake #20: Folders in S3

29. Mistake #20: Folders in S3
• There are no hierarchies in S3.
• Flat structure of S3 Objects (Key/Value).

30. Mistake #21: Not All Regions Are Equal

31. Mistake #22: Placeholder

32. Mistake #23: Losing a Data Center
Profit
Deny "aws-portal:*Account” action