"If you knew then what you know now you would do things (better, different, etc)."
Learning Amazon Web Services is fun. It is exciting to start learning new services and apply them to the solutions you are building. You can learn fast if you are focusing on the problem you are trying to solve.
This post is your proverbial "monkey wrench" in your learning wheel.
Stop for a second. Make sure you have set yourself up not only for more learning but for future scaling and security. Below is a collection of community-based best practices for your new AWS account. Take a break from writing all your exciting features and check whether you have done these.
1. Turn Multi Factor Authentication (MFA) On For Your Root Account
When you create your Amazon Web Services account you are creating a 'root' account. This root identity has all the power in your account. It can access all AWS services and resources.
Because this account has so much power it is best practice to lock it down. A good step in that direction is to enable MFA on this account. AWS offers virtual, physical, and SMS text message MFA delivery mechanisms. Any one of them is a suitable answer based on your needs.
You may choose the virtual MFA via an app on your phone. The disadvantage is that a compromised phone now has access to your MFA tokens. You may choose the physical device. The disadvantage is that you have to secure it somewhere safe and not lose it.
Any option will have a disadvantage, but an MFA on your root account is going to be a huge security win. Bonus points, it's a common question on AWS certification exams.
2. Great! Now Stop Using Your Root Account
Ok, you have configured MFA for your root account? Now stop using it. Create a new user in IAM that has the BillingPolicy and AdministratorAccess policies. Generate a unique password for that account and enable MFA on that new account as well. Generate your CLI keys for this user. Delete any CLI keys your root account has.
Once you have done that you can now sign in as that IAM user and quit accessing your root account all together.
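To check that steps 1 and 2 actually hold on an account (root has MFA and no access keys, every IAM user you sign in with has MFA), the IAM credential report is the quickest source. The script below is an added example, not code from the post: it parses a constructed report in the credential-report column layout, and also flags access keys older than a chosen age, which the rotation advice in the conclusion asks for. The account id, user names, dates and function names are made up for the example. On a real account you would feed it the base64-decoded output of `aws iam get-credential-report` (after `aws iam generate-credential-report`).

```python
"""Audit an IAM credential report for root MFA, root access keys,
per-user MFA and stale access keys (added example, not from the post)."""
import csv
import io
from datetime import datetime, timezone

# Constructed sample in the column layout of the IAM credential report.
# Account id, user names and dates are made up for this example:
#   <root_account>  has MFA on and no access keys (the goal of steps 1 and 2)
#   admin           is an IAM user with MFA and a recently rotated key
#   legacy          has no MFA and an access key last rotated over a year ago
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2023-01-05T10:00:00+00:00,not_supported,2023-01-05T10:05:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
admin,arn:aws:iam::111122223333:user/admin,2023-01-05T11:00:00+00:00,true,2024-02-01T08:00:00+00:00,2024-01-10T08:00:00+00:00,2024-04-09T08:00:00+00:00,true,true,2024-01-10T08:00:00+00:00,2024-02-01T08:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
legacy,arn:aws:iam::111122223333:user/legacy,2023-01-05T12:00:00+00:00,true,N/A,2023-01-05T12:00:00+00:00,N/A,false,true,2023-01-05T12:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

ROOT_USER = "<root_account>"  # how the credential report names the root identity


def audit_credential_report(report_csv, now=None, max_key_age_days=90):
    """Return a list of human-readable findings; an empty list means clean.

    `now` may be a timezone-aware datetime or an ISO 8601 string; it defaults
    to the current UTC time. Keys older than `max_key_age_days` are flagged.
    """
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = datetime.fromisoformat(now)
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == ROOT_USER
        # Step 1 for root, step 2 for the IAM users you sign in with.
        if row["mfa_active"] != "true":
            findings.append(f"{user}: MFA not enabled")
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            if is_root:
                # Step 2: root should have no CLI keys at all.
                findings.append(f"{user}: root access key {slot} is active; delete it")
                continue
            rotated = datetime.fromisoformat(row[f"access_key_{slot}_last_rotated"])
            age_days = (now - rotated).days
            if age_days > max_key_age_days:
                findings.append(
                    f"{user}: access key {slot} is {age_days} days old; rotate it"
                )
    return findings


if __name__ == "__main__":
    # Fixed "now" so the sample gives the same result every run.
    for finding in audit_credential_report(SAMPLE_REPORT, now="2024-02-10T00:00:00+00:00"):
        print(finding)
```

Run it as-is and the only findings are against the constructed `legacy` user; the root row passes because it has MFA and both key slots inactive. Schedule the same check against a fresh report on the cadence you rotate keys.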
3. Set A Billing Alarm For What You Expect To Spend
You secured your root account and you now have a user that you can sign into your account with. Look at you improving things already.
The biggest thing I have seen folks new to AWS overlook is their billing setup. Most services are inexpensive during your learning. If your account is brand new you also have an entire year of "free tier" eligibility. But, if you become hooked on AWS you will pass the learning phase and burn through your free tier.
If you think this is likely going to be you, avoid the holy sh** AWS bills. Configure your billing alarm to send you an email when you cross a threshold that is more than you can afford. The AWS documentation for turning this on is here.
Conclusion
This is not a comprehensive list. These three things are what all accounts should do out of the gate. Consider these as well if you are looking to launch a product or service with this account.
- Create a non-default VPC with private and public subnets.
- Create fine-grained security groups that can be added to or removed from instances.
- Consider spinning up a bastion host that allows access via SSH/RDP that you can use to jump to another instance.
- Set up CloudTrail logs on your root account to detect access you were not expecting.
- Consider turning CloudTrail logs on for any regions you are going to be using. Even if you have no plans of searching them right now, they are nice to have in the event you need them.
- Rotate IAM keys on a regular (but not predictable) cadence.
- Use CloudFormation for everything you can. Starting with CloudFormation templates is much easier out of the gate than doing it later.
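The billing alarm from step 3 and the CloudTrail bullets above come down to a handful of resources, and per the last bullet they are worth writing as a CloudFormation template from the start. The script below is an added example, not code from the post: it generates such a template as JSON (which CloudFormation accepts directly). The bucket name, e-mail address and dollar threshold are placeholders, and the helper function names are mine. Deploy it in us-east-1, because the AWS/Billing metric is only published there, and turn on "Receive Billing Alerts" in the account's billing preferences first or the metric never appears.

```python
"""Emit a CloudFormation template (JSON) for a billing alarm and a
multi-region CloudTrail trail. Added example, not the post's own code;
bucket name, e-mail address and threshold below are placeholders.

Usage:
  python baseline.py > baseline.json
  aws cloudformation deploy --stack-name account-baseline \
      --template-file baseline.json --region us-east-1
"""
import json


def billing_alarm_resources(threshold_usd, email):
    """SNS topic plus an alarm on the estimated-charges metric.

    AWS publishes AWS/Billing metrics only in us-east-1, and only after
    "Receive Billing Alerts" is enabled in the billing preferences.
    """
    return {
        "BillingTopic": {
            "Type": "AWS::SNS::Topic",
            "Properties": {
                "Subscription": [{"Protocol": "email", "Endpoint": email}]
            },
        },
        "BillingAlarm": {
            "Type": "AWS::CloudWatch::Alarm",
            "Properties": {
                "AlarmDescription": f"Estimated charges above USD {threshold_usd}",
                "Namespace": "AWS/Billing",
                "MetricName": "EstimatedCharges",
                "Dimensions": [{"Name": "Currency", "Value": "USD"}],
                "Statistic": "Maximum",
                "Period": 21600,  # billing data is only updated a few times a day
                "EvaluationPeriods": 1,
                "Threshold": threshold_usd,
                "ComparisonOperator": "GreaterThanThreshold",
                "AlarmActions": [{"Ref": "BillingTopic"}],
            },
        },
    }


def cloudtrail_resources(bucket_name):
    """Private S3 bucket, the bucket policy CloudTrail needs, and one trail
    that covers every region plus global services such as IAM and STS."""
    service = {"Service": "cloudtrail.amazonaws.com"}
    bucket_arn = f"arn:aws:s3:::{bucket_name}"
    return {
        "TrailBucket": {
            "Type": "AWS::S3::Bucket",
            "DeletionPolicy": "Retain",  # keep the logs even if the stack is deleted
            "Properties": {
                "BucketName": bucket_name,
                "PublicAccessBlockConfiguration": {
                    "BlockPublicAcls": True,
                    "BlockPublicPolicy": True,
                    "IgnorePublicAcls": True,
                    "RestrictPublicBuckets": True,
                },
            },
        },
        "TrailBucketPolicy": {
            "Type": "AWS::S3::BucketPolicy",
            "Properties": {
                "Bucket": {"Ref": "TrailBucket"},
                "PolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [
                        {"Effect": "Allow", "Principal": service,
                         "Action": "s3:GetBucketAcl", "Resource": bucket_arn},
                        {"Effect": "Allow", "Principal": service,
                         "Action": "s3:PutObject",
                         "Resource": {"Fn::Sub": f"{bucket_arn}/AWSLogs/${{AWS::AccountId}}/*"},
                         "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
                    ],
                },
            },
        },
        "Trail": {
            "Type": "AWS::CloudTrail::Trail",
            "DependsOn": "TrailBucketPolicy",  # CloudTrail checks the bucket policy at create time
            "Properties": {
                "S3BucketName": {"Ref": "TrailBucket"},
                "IsLogging": True,
                "IsMultiRegionTrail": True,
                "IncludeGlobalServiceEvents": True,
                "EnableLogFileValidation": True,  # signed digests so tampering is detectable
            },
        },
    }


def build_template(threshold_usd, email, bucket_name):
    resources = {}
    resources.update(billing_alarm_resources(threshold_usd, email))
    resources.update(cloudtrail_resources(bucket_name))
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Description": "Billing alarm and multi-region CloudTrail (account baseline)",
        "Resources": resources,
    }


if __name__ == "__main__":
    # Placeholder values; replace before deploying.
    print(json.dumps(build_template(25, "alerts@example.com",
                                    "example-cloudtrail-logs-111122223333"), indent=2))
```

The `DependsOn` matters: CloudTrail verifies at creation that it can write to the bucket, so the bucket policy has to exist before the trail. Confirm the SNS e-mail subscription after the stack deploys or the alarm has nowhere to deliver.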
Hungry To Learn Amazon Web Services?
There are a lot of people who are hungry to learn Amazon Web Services. Inspired by this fact I have created a course focused on learning Amazon Web Services by using it. It focuses on the problem of hosting, securing, and delivering static websites. You learn services like S3, API Gateway, CloudFront, Lambda, and WAF by building a solution to the problem.
There is a sea of information out there around AWS. It is easy to get lost and not make any progress in learning. By working through this problem we can cut through the information and speed up your learning. My goal with this book and video course is to share what I have learned with you.
Sound interesting? Check out the landing page to learn more and pick a package that works for you, here.
Top comments (5)
"Use CloudFormation for everything you can. Starting with CloudFormation templates is much easier out of the gate than doing it later."
+1000 to this, whether it's CF or Terraform or something else. AWS config drifts fast, especially if you're on a team. Version control that shit.
100% agree. If I could go back in time on some projects. Starting with any kind of infrastructure as a service will make your life a lot easier in the long run. Any tools you suggest for CF templates outside of writing them by hand?
I generally don’t like dealing with CF at all, so abstract it with either terraform or use Ansible/Boto scripting to orchestrate.
Thinking this is a typo: "You secured your toot account"
Thanks for the catch Omar!