DEV Community: Rola Dali

Did You Know? AWS profiles

Rola Dali — Wed, 29 Mar 2023 13:51:22 +0000

Do you have multiple accounts and are starting to use the CLI?

Use AWS named profiles for the AWS CLI to interact with different accounts.

Using named profiles:

To set up a new profile:

aws configure --profile myprodprofile

To use a specific profile:

aws s3 ls s3://mybucket --profile myprodprofile

Reference

Now you can store credentials from many accounts and use them in the same session!

Reference

Now You Know!

Did You Know? Multi-Account creation

Rola Dali — Wed, 29 Mar 2023 13:49:07 +0000

Looking to create multiple AWS accounts but only have one gmail?

If you have a gmail account, for example myemail@gmail.com, appending a "+" sign to that account will result in an address that still delivers mail to your original account. You can also do this by adding "." anywhere in the email since gmail ignores ".".
This will allow you to have multiple AWS accounts under the same email account.

Use this to create multiple AWS accounts that all pool into the same gmail account.

Example:

myemail@gmail.com ==> Main AWS account.
myemail+prod@gmail.com ==> Production AWS account.
myemail+dev@gmail.com ==> Development AWS account.
myemail+test@gmail.com ==> Testing AWS account.

Use this trick to separate your development projects or to experiment with AWS organizations or multi-account access!

Reference

Now You Know!

Did You Know? Lambda Warm start

Rola Dali — Wed, 29 Mar 2023 13:45:21 +0000

Lambda Warm start

Lambda uses the same execution environment for separate invocations of the same function.

This process, called "warm start", is great because it means that consecutive runs of your function are faster than the first invocation. However, you need to be careful about Global variables and the possibility that what is thought of as an isolated run might not be as isolated as you thought.

Reference

Now You Know!

Did You Know? IAM precedence

Rola Dali — Wed, 29 Mar 2023 13:42:59 +0000

Do you have several AWS credentials and are confused which one is being used?

AWS has a defined Default Credential Provider Chain which dictates the order of which credentials it uses in the case where there are several.

The Default Credential Provider Chain Order for Java SDK is:

Environment variables: "AWS_ACCESS_KEY_ID" and "AWS_SECRET_ACCESS_KEY".
Java system properties: aws.accessKeyId and aws.secretAccessKey.
Web Identity Token credentials from the environment or container.
The default credential profiles file: typically located at ~/.aws/credentials
Amazon ECS container credentials: loaded from the Amazon ECS if the environment variable AWS_\CONTAINER_CREDENTIALS_RELATIVE_URI is set.
Instance profile credentials: used on EC2 instances, and delivered through the Amazon EC2 metadata service.

Reference

Now You Know!

Did You Know? AWS Budgets

Rola Dali — Wed, 29 Mar 2023 13:38:43 +0000

Ever forgotten to delete a resource you were experimenting with on AWS and got an unpleasant bill at the end of the month?

Reduce the chances of that happening by setting up a budget on all your accounts. You can receive notifications when your reach certain thresholds as Well!

Setting a budget:

To create a cost budget:

Sign in to the AWS Management console.
Open the AWS Cost Management console.
In the navigation pane, choose "Budgets".
At the top of the page, choose "Create budget".
Fill in the form and Save changes!
Sleep better knowing your money is safe from mistakes!

Reference

Now you have notifications that alert you if your spending threshold is reached!

Reference

Now You Know!

Did You Know? Account Aliases

Rola Dali — Wed, 29 Mar 2023 13:34:26 +0000

Having a hard time remembering your AWS 12 Digit account ID?

You can create an account Alias that would be a lot easier to remember!

Via the CLI

To create a new alias:

aws iam create-account-alias --account-alias mynewalias

To list account aliases:

aws iam list-account-aliases

To delete account aliases:

aws iam delete-account-alias

Reference

Via the AWS Console

Sign in to the AWS Management Console.
Open the IAM console.
In the navigation pane, choose Dashboard.
In the right-hand pane under AWS account, choose Customize. If an alias already exists, then choose Edit.
Save changes.

Now you can use your Alias to sign into your account and can avoid the 12 Digit ID!

Reference

Now You Know!

AWS account best practices

Rola Dali — Wed, 29 Mar 2023 13:14:30 +0000

This is a living document that will keep growing to highlight AWS Best Practices!

Create an admin user and avoid using the root account

The root user has full privileges to the AWS account. For security purposes, it is recommended to limit the use of the root account. For daily processes, you can set up an administrator account instead.

Reference

Enable MFA on user sign-ins, especially for the root user

Multi-factor Authentication (MFA) allows you to secure your accounts and reduces the risk of being hacked.

Reference

Grant Least Privilege Access Required

For better security, set up your IAM policies to allow only the required tasks.

Reference

Set Up AWS budgets and account monitoring

To avoid unexpected bills, add budgets and notifications on each account.

Reference

AWS Services that help with Account Management

Rola Dali — Wed, 29 Mar 2023 13:05:59 +0000

I have been delving more and more into AWS for the last few years. I am quite impressed with the number of services and capabilities available for both small and large teams. Here are a list of tools to be aware of if you are managing your team's AWS account(s).

Monitoring and Governance

AWS cloudtrail

AWS cloudtrail logs all events/API calls made within an AWS account. If you want to trace who deleted the S3 buckets or who created a resource, cloudTrail is a good place to start. AWS CloudTrails is enabled by default but history is retained for only 3 months unless you extend it.

AWS Config

AWS Config assesses, audits and records configuration changes over time. If you want to make sure that ssh ports on all your instances are closed or that none of your S3 buckets have public access, for example, AWS Config is a good resource. AWS Config can trigger notifications when resources become non-compliant with the rules you set. Automated remediation actions can also be set through SSM.

AWS Trusted Advisor

AWS Trusted Advisor asseses your AWS environemnt and provides recommendations based on best practices. It looks into 5 areas:

Cost Optimization
Performance
Security
Fault Tolerance
Service Limits

AWS Trusted Advisor is enabled for all customers for core checks only. All checks are available with Business and Enterprise support plans.

AWS Personal Health Dashboard

While AWS has Health Dashabords that display the health status of its services across the globe, the Personal Health Dashboard is customized with the services your account uses. It also shows upcoming maintenance events.

AWS tagging

AWS allows you to add Key:value tags on most of its resources. Tagging can help you with resource organization, cost allocation, automation and access control.

Automation and standardization

AWS Systems Manager (SSM)

AWS Systems Manager (SSM) is a collection of services that help you manage your operations both on AWS and on-premise. It can be thought of as an operation hub. It can automate software installation on your EC2 and manage patching, as well as many other features.

Cloudfromation and Cloud Development Kit (CDK)

Infrastructure As Code (IaC) is a best practice that reduces manual labor and errors and makes it easier to reproduce/standardize systems. AWS supports IaC through many different languages, with Cloudfromation and CDK being AWS-native.

Cloudformation is based on yaml or json templates. It is powerful but can be painful to write at times. The AWS Cloud Development Kit (CDK) might be more your style if you prefer to write IaC using a programming language instead (6 currently supported: TypeScript, JavaScript, Python, Java, C#/.Net, and Go).

Service Catalog

If you want to curate resources and make templates available to your employees for standardizing tools or to restrict usage to only authorized products, Service Catalog can help!

Billing and Budgets

Cost Explorer

Cost Explorer allows you to visualize and manage your AWS costs and usage. It also allows you to create reports, forecast future usage and analyze usage across accounts or resources with the help of AWS allocation tags.

Savings Plan

AWS has a Savings Plan program that gives you access to better pricing than on-demand pricing when you commit to a certain amount of spending. If much of your workload is on AWS, and you will be getting a bill every month, you might as well commit to what your minimum spending is and get a discount!

AWS budgets

AWS Budgets allow you to set spending limits and create notifications when you are approaching these limits at different thresholds. It is never a good surprise when you forget a costly service on and receive a huge bill. All my AWS accounts have budgets set on them and notifications at 70% thresold.

Multi-Account Management

It has become more and more common for organizations to have several accounts to separate concerns. There are several AWS Services that help with Account Managment.

AWS organizations

AWS Organizations allows you to create a logical grouping of multiple accounts. It helps you centrally manage access policies across accounts, govern access to AWS services, resources and regions and enables consolidated billing which gives you access to pricing benefits from aggregated usage.

AWS Control Tower

AWS Control Tower is AWS Organizations on steroids. AWS Control Tower runs on top of AWS Organizations but adds automation, guardrials and governance.

AWS Resource Access Manager

AWS Resource Access Manager allows you to securely share AWS resources across multiple accounts. If you want to share a VPC, a transit gateway, or other AWS resources, check out AWS RAM!