
Best Practices

High Level Documentation

Link | Notes
Security Pillar of the Well-Architected Framework | Best practices and guidance
AWS Ramp-Up Guide: Security | Learning plan to teach cloud security, governance, and compliance developments
AWS Security Reference Architecture (AWS SRA) | Comprehensive set of examples, guides, and design considerations to deploy the full complement of AWS security services in a multi-account environment managed through AWS Organizations
OG-AWS | Amazon Web Services — a practical guide

Operational Guides

Link | Notes
Summit Route AWS Exposable Resources | Repo maintaining a list of all AWS resources that can be publicly exposed, and eventually, those that can be shared with untrusted accounts
Summit Route AWS Security Tools Comparison | Comparison of: PacBot, Prowler, Security Monkey, Trusted Advisor, Config, CloudMapper
AWS Control Tower By Example | Hands-on walk-through of the easiest way to set up and govern a secure, compliant, multi-account AWS environment based on best practices
CloudConformity | List of manual checks/audits
Kubernetes multi tenancy with Amazon EKS: Best practices and considerations | Some considerations for Kubernetes multi-tenancy implementation using Amazon EKS, covering different perspectives around compute, networking, and storage
Bastion Hosts |
Top 10 security best practices for securing data in Amazon S3 | The latest S3 features and AWS services that you can use to help secure your data in S3

IAM

Link | Notes
Permissions Reference for AWS IAM | A website built to provide an alternate, community-driven source of truth for AWS identity
Summit Route How to audit AWS IAM and resource policies | Some general rules:
    • Beware that anything with Allow and Principal "*" is public
    • Never use Allow with NotPrincipal
    • Never use Allow with NotAction
Top ten AWS identity health checks to improve security in the cloud | Ten recommended AWS identity health checks which can help you understand your IAM health, prioritize improvements to your IAM implementation, and operationalize effective access management processes

Cost Optimization

Link | Notes
Cloud Cost Handbook | Set of guides meant to help explain the often complex pricing of public cloud infrastructure and service providers in easy-to-understand terms
My Comprehensive Guide to AWS Cost Control |
  • Stage 1: Track Cost
  • Stage 2: Reduce Cost
  • Stage 3: Include Cost In Your Process
AWS Cost Allocation Guide: Tagging Best Practices |
  • Hierarchical Account Separation
  • Brand Accounts
  • Third-Party Tools
  • How can you audit compliance?
Cost Monitoring and Governance With Kubecost | Dedicated Cluster vs. dedicated Node vs. dedicated Namespace
Overview of Data Transfer Costs for Common Architectures | Potential data transfer charges you may encounter while operating your workload on AWS

Backups

Link | Notes
Automated Github Backups with ECS and S3 | Architecture and implications of an automated process aiming to back up a GitHub account, relying on ECS Fargate and S3 Glacier
Automated GDrive Backups with ECS and S3 | Architecture and implications of an automated process aiming to back up a GDrive account, relying on ECS Fargate and S3 Glacier

Ransomware Prevention

Link | Notes
S3 Ransomware |
Summit Route S3 backups and other strategies for ensuring data durability through ransomware attacks | Options for ensuring the durability of data stored on S3, through protections in place and backup strategies
Protecting Amazon S3 Data from Ransomware | Ransomware targeting S3 is more likely to simply delete your data and claim that it is being held for ransom than to actually encrypt it
Ransomware mitigation: Top 5 protections and recovery preparation actions |
  • Set up the ability to recover your apps and data
  • Encrypt your data
  • Apply critical patches
  • Follow a security standard
  • Make sure you're monitoring and automating responses
Ransomware Risk Management on AWS using the NIST CSF | Implementation of security controls to manage the risks associated with ransomware and other destructive events using the NIST Cybersecurity Framework

Root Principal

Link | Notes
Summit Route Managing AWS root passwords and MFA | How not to use the root user account, and how to manage the credentials (password and MFA) for the root user effectively
Security Implication of Root principal in AWS | An interesting way of abusing AWS KMS for data exfiltration in restricted VPCs

Other Writeups

Link | Notes
Summit Route Denial of Wallet Attacks on AWS |
Hardening AWS EKS security with RBAC, secure IMDS, and audit logging | How small misconfigurations or unwanted side effects may put clusters at risk
Remediating AWS IMDSv1 | How to remediate IMDSv1 in AWS