AWS DOs and DONTs

© Copyright 2007-2018 Stelligent Systems, llc. All Rights Reserved.
AWS DOs and DON’Ts
Casey Lee, Chief Architect
6/12/2018

2 © Copyright 2007-2018 Stelligent Systems, llc. All Rights Reserved.
Foundation Infrastructure Automation

DON’T overload accounts
• Complex access administration
• Larger blast radius
• Tricky cost allocation
https://aws.amazon.com/blogs/apn/migrating-applications-to-saas-a-minimally-invasive-approach/

DO use Organizations API
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Deny",
"Action": [
"cloudtrail:AddTags",
"cloudtrail:CreateTrail",
"cloudtrail:DeleteTrail",
"cloudtrail:RemoveTags",
"cloudtrail:StartLogging",
"cloudtrail:StopLogging",
"cloudtrail:UpdateTrail"
],
"Resource": "*"
}]
}

DO use a separate toolchain account
https://aws.amazon.com/answers/account-management/aws-multi-account-security-strategy/

DON’T create IAM users

DO use federation
https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction_identity-management.html

DO enable CLI access
https://aws.amazon.com/blogs/security/how-to-implement-a-general-solution-for-federated-apicli-access-using-saml-2-0/

DO enable CloudTrail
https://aws.amazon.com/answers/account-management/aws-multi-account-security-strategy/

DO enable VPC flow logs
https://aws.amazon.com/blogs/aws/vpc-flow-logs-log-and-view-network-traffic-flows/

DO enable GuardDuty

DON’T use public subnets
http://jayendrapatil.com/aws-vpc-nat/

DO consider a forward proxy
https://aws.amazon.com/answers/networking/controlling-vpc-egress-traffic/

DO consider a egress transit VPC
https://aws.amazon.com/answers/networking/controlling-vpc-egress-traffic/

DO use VPC endpoints
https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpce-gateway.html

DO encrypt at rest
PolicyDocument:
Version: '2012-10-17'
Statement:
- Sid: RequireEncryption
Effect: Deny
Principal: '*'
Action: s3:PutObject
Resource: arn:aws:s3:::my-bucket-name/*
Condition:
StringNotEquals:
s3:x-amz-server-side-encryption: aws:kms

DO encrypt in transit

DON’T launch instances without ASG
https://www.slideshare.net/AmazonWebServices/set-it-and-forget-it-auto-scaling-target-tracking-policies-aws-online-tech-talks

DO use target tracking policies
https://www.slideshare.net/AmazonWebServices/set-it-and-forget-it-auto-scaling-
target-tracking-policies-aws-online-tech-talks

DO use SSM parameter store
https://www.slideshare.net/AlexMattson/secrets-management-with-ec2-systems-manager-parameter-store

DON’T click the button

DON’T reinvent automation tools
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-whatis-howdoesitwork.html

DO use policies in CloudFormatoin
Resource level policiesStack level policies

DO use changesets
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-whatis-howdoesitwork.html

DON’T overload stacks

DON’T go 100% bake or boot for AMI
https://aws.amazon.com/answers/configuratio
n-management/aws-ami-design/

DO prefer containers over instances
https://platform9.com/blog/kubernetes-vs-ecs/

DO governance via Service Catalog
https://www.slideshare.net/AmazonWebServices/aws-service-catalog

DO assess security in pipelines
https://stelligent.com/2016/04/05/continuous-security/

DO automated compliance
- name: s3-event-global-access
mode:
type: cloudtrail
events:
- source: s3.amazonaws.com
ids:
requestParameters.bucketName
event: PutBucketAcl
runtime: python3.6
resource: s3
filters:
- type: global-grants
actions:
- delete-global-grants
- name: create-bucket-autotag
mode:
type: cloudtrail
events:
- source: s3.amazonaws.com
ids:
requestParameters.bucketName
event: CreateBucket
runtime: python3.6
resource: s3
filters:
- tag:Owner: absent
actions:
- type: auto-tag-user
tag: Owner
Disable all global-grants Auto tag with Owner
Cloud Custodian

DO make it your own
https://www.lifegate.com/people/lifestyle/kintsugi

AWS DOs and DONTs

More Related Content

Similar to AWS DOs and DONTs

More from Casey Lee

Recently uploaded

AWS DOs and DONTs