
Best Practices

High Level Documentation

Security Pillar of the Well-Architected Framework
  • Best practices and guidance
AWS Security Reference Architecture (AWS SRA)
  • Comprehensive set of examples, guides, and design considerations to deploy the full complement of AWS security services in a multi-account environment managed through AWS Organizations
OG-AWS
  • Amazon Web Services — a practical guide
Map the Cloud
  • Find information about public cloud provider regional service availability fast, covering AWS, Azure, Google Cloud, Cloudflare and Fastly
  • Get stats on services, regions and edge locations
Catalog of AWS Customer Security Incidents
  • Repository that indexes all publicly disclosed AWS customer security incidents with a known root cause
Datadog Cloud Security Atlas
  • A risk register for threats and vulnerabilities
  • Searchable and filterable by cloud provider platform and risk type, sortable by impact, exploitability, and recency

Operational Guides

AWS Exposable Resources (Summit Route)
  • Repo maintaining a list of all AWS resources that can be publicly exposed and, eventually, those that can be shared with untrusted accounts
AWS Security Tools Comparison (Summit Route)
  • Comparison of PacBot, Prowler, Security Monkey, Trusted Advisor, Config and CloudMapper
AWS Control Tower By Example
  • Hands-on walk-through of the easiest way to set up and govern a secure, compliant, multi-account AWS environment based on best practices
CloudConformity
  • List of manual checks/audits
Top 10 security best practices for securing data in Amazon S3
  • The latest S3 features and AWS services that you can use to help secure your data in S3
You should have lots of AWS accounts
  • Lots of AWS accounts working together in harmony will net you a more secure, more reliable, and more compliant cloud infrastructure
Approaches for authenticating external applications in a machine-to-machine scenario
  • Which approach is best to securely connect your applications to your AWS environment when no human interaction comes into play?
Reducing Attack Surface with AWS Allowlisting
  • A detailed look at implementing Region and Service allowlisting in AWS
The illustrated guide to S3 pre-signed URLs
  • What pre-signed URLs are, how to use them, and some best practices to keep in mind
A Guide to Delegated Administrator in AWS Organizations and Multi-Account Management
  • Managing multiple AWS accounts with AWS Organizations, and reducing blast radius by using Delegated Administrator so that day-to-day work never needs the Organizations management account
Zero Trust Access to Private Webapps on AWS ECS with Cloudflare Tunnel (Marco Lancini)
  • How to use Cloudflare Tunnel to securely access a Flask webapp running in a private subnet in ECS on Fargate, without exposing the app to the public internet
Bastion Hosts

Code Samples

aws-root-account
  • Terraform for the UK Ministry of Justice AWS root account

Cost Optimization

Cloud Cost Handbook
  • Set of guides meant to explain the often complex pricing of public cloud infrastructure and service providers in easy-to-understand terms
My Comprehensive Guide to AWS Cost Control
  • Stage 1: Track Cost
  • Stage 2: Reduce Cost
  • Stage 3: Include Cost In Your Process
AWS Cost Allocation Guide: Tagging Best Practices
  • Hierarchical Account Separation
  • Brand Accounts
  • Third-Party Tools
  • How can you audit compliance?
Cost Monitoring and Governance With Kubecost
  • Dedicated cluster vs. dedicated node vs. dedicated namespace
Overview of Data Transfer Costs for Common Architectures
  • Potential data transfer charges you may encounter while operating your workload on AWS

IMDS

AWS EC2 IMDS - What You Need to Know
  • A technical review of IMDSv2
Remediating AWS IMDSv1
  • How to find and remediate instances that still accept IMDSv1 in AWS
How to use policies to restrict where EC2 instance credentials can be used from
  • Two global condition context keys (aws:EC2InstanceSourceVPC, aws:EC2InstanceSourcePrivateIPv4) that make it simpler to write policies in which EC2 instance credentials only work when used from the instance to which they were issued
Mitigating SSRF in 2023
  • Different ways of triggering SSRF and which mitigation techniques are most effective
imdsv2_wall_of_shame
  • List of vendors whose products do not allow IMDSv2 enforcement
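The two IMDS remediation entries and the condition-key entry above describe one workflow: find instances that still answer IMDSv1, flip them to IMDSv2-only, and then make the instance role's credentials useless anywhere but on that instance. The block below is an added example written for this page; it is not code from any of the linked posts. The describe-instances document is constructed sample data with made-up instance IDs, the CLI call is the documented `aws ec2 modify-instance-metadata-options` invocation, and the policy reproduces the pattern from the linked AWS post (Deny unless the request's VPC and private IP match the instance's, scoped to instance credentials via `ec2:SourceInstanceARN` and exempting service-made calls via `aws:ViaAWSService`).

```python
"""Added example for this page (not from the linked posts): detect IMDSv1,
emit the IMDSv2 enforcement command, and build the credential-fencing
policy. All instance/VPC identifiers below are constructed."""
import json

# Constructed sample of `aws ec2 describe-instances` output, trimmed to the
# fields the check needs. i-0b... and i-0c... still accept IMDSv1 requests
# (HttpTokens=optional); i-0d... has the metadata endpoint disabled entirely.
SAMPLE_DESCRIBE_INSTANCES = {
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0aaaaaaaaaaaaaaaa",
             "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                                 "HttpPutResponseHopLimit": 1}},
            {"InstanceId": "i-0bbbbbbbbbbbbbbbb",
             "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                                 "HttpPutResponseHopLimit": 1}},
        ]},
        {"Instances": [
            {"InstanceId": "i-0ccccccccccccccccc",
             "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                                 "HttpPutResponseHopLimit": 3}},
            {"InstanceId": "i-0ddddddddddddddddd",
             "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional",
                                 "HttpPutResponseHopLimit": 1}},
        ]},
    ]
}


def imdsv1_exposed_instances(describe_output):
    """Return IDs of instances whose metadata endpoint is enabled but does not
    require the IMDSv2 session token, i.e. an SSRF on the box can still read
    credentials with a plain GET. Disabled endpoints are skipped."""
    exposed = []
    for reservation in describe_output.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "enabled" and opts.get("HttpTokens") != "required":
                exposed.append(inst["InstanceId"])
    return exposed


def enforce_imdsv2_command(instance_id, hop_limit=1):
    """AWS CLI argv that makes the instance IMDSv2-only. hop_limit=1 also keeps
    the token response from being forwarded past the instance itself; raise it
    to 2 only for containers that must reach IMDS via bridge networking."""
    return ["aws", "ec2", "modify-instance-metadata-options",
            "--instance-id", instance_id,
            "--http-tokens", "required",
            "--http-endpoint", "enabled",
            "--http-put-response-hop-limit", str(hop_limit)]


def instance_credential_fence_policy():
    """Deny any action with instance-role credentials unless the call's VPC and
    private IP match the instance the credentials were issued to.
    Null on ec2:SourceInstanceARN limits the deny to instance credentials;
    BoolIfExists on aws:ViaAWSService keeps service-to-service calls working.
    Caveat: aws:SourceVpc / aws:VpcSourceIp are only set for calls that go
    through a VPC endpoint, so calls taking the internet path are denied too;
    deploy endpoints before attaching this."""
    def deny(instance_key, request_key):
        return {"Effect": "Deny", "Action": "*", "Resource": "*",
                "Condition": {"StringNotEquals": {instance_key: request_key},
                              "Null": {"ec2:SourceInstanceARN": "false"},
                              "BoolIfExists": {"aws:ViaAWSService": "false"}}}
    return {"Version": "2012-10-17",
            "Statement": [deny("aws:EC2InstanceSourceVPC", "${aws:SourceVpc}"),
                          deny("aws:EC2InstanceSourcePrivateIPv4", "${aws:VpcSourceIp}")]}


if __name__ == "__main__":
    for iid in imdsv1_exposed_instances(SAMPLE_DESCRIBE_INSTANCES):
        print(" ".join(enforce_imdsv2_command(iid)))
    print(json.dumps(instance_credential_fence_policy(), indent=2))
```

In a real account, feed `aws ec2 describe-instances --output json` into `imdsv1_exposed_instances` per region; anything the wall-of-shame vendors still need on IMDSv1 will show up here and has to be handled as an explicit exception rather than left as the default.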

Backups

Automated Github Backups with ECS and S3 (Marco Lancini)
  • Architecture and implications of an automated process to back up a GitHub account, relying on ECS Fargate and S3 Glacier
Automated GDrive Backups with ECS and S3 (Marco Lancini)
  • Architecture and implications of an automated process to back up a Google Drive account, relying on ECS Fargate and S3 Glacier

Ransomware Prevention

S3 Ransomware
S3 backups and other strategies for ensuring data durability through ransomware attacks (Summit Route)
  • Options for ensuring the durability of data stored in S3, through protections in place and backup strategies
Protecting Amazon S3 Data from Ransomware
  • Ransomware targeting S3 is more likely to simply delete your data and claim it is being held for ransom than to actually encrypt it
Ransomware mitigation: Top 5 protections and recovery preparation actions
  • Set up the ability to recover your apps and data
  • Encrypt your data
  • Apply critical patches
  • Follow a security standard
  • Make sure you're monitoring and automating responses
Ransomware Risk Management on AWS using the NIST CSF
  • Implementation of security controls to manage the risks associated with ransomware and other destructive events using the NIST Cybersecurity Framework
Ransomware-resistant backups with duplicity and AWS S3
  • How to use duplicity with S3 to create ransomware-resistant backups
Cloud-Native Ransomware – How attacks on availability leverage cloud services
  • The paths a malicious actor might take to affect the availability of data by using the tools provided by cloud service providers
  • Architectural patterns to make securing these systems easier, and methods for detecting cloud-native ransomware
Protect Your Data From Ransomware With S3 Object Lock
  • S3 Object Lock vs Glacier Vault Lock
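Several entries above make the same point: S3 "ransomware" is usually deletion, so the controls that matter are the ones that stop a caller with write credentials from permanently removing data (versioning, MFA Delete, Object Lock, and lifecycle rules that do not quietly expire the versions you would restore from). The block below is an added example for this page, not code from any of the linked posts: it scores a bucket from the responses of three read-only calls. The dictionaries follow the boto3 response shapes of `get_bucket_versioning`, `get_object_lock_configuration` and `get_bucket_lifecycle_configuration`, but all values are constructed sample data, and the 30-day recovery window is an illustrative threshold, not an AWS default. Glacier Vault Lock applies to Glacier vaults, not S3 buckets, and is outside this check.

```python
"""Added example for this page (not from the linked posts): grade an S3
bucket's resistance to delete-and-extort ransomware from constructed API
responses. No network access; response shapes mirror boto3's."""

MESSAGES = {
    "NO_VERSIONING": "versioning is off: an overwrite or DeleteObject destroys the only copy",
    "NO_MFA_DELETE": "MFA Delete is off: the credentials that write can also purge noncurrent versions",
    "NO_OBJECT_LOCK": "Object Lock is off: noncurrent versions can be permanently deleted",
    "NO_DEFAULT_RETENTION": "Object Lock is on without default retention: only objects written with explicit retention are protected",
    "GOVERNANCE_MODE": "default retention is GOVERNANCE: s3:BypassGovernanceRetention still allows deletion",
    "SHORT_RECOVERY_WINDOW": "lifecycle expires noncurrent versions before the required recovery window",
}

# Constructed sample buckets. HARDENED keeps a 7-day lifecycle rule on purpose:
# a COMPLIANCE lock of 90 days means S3 will not honour that expiry early.
HARDENED_BUCKET = {
    "versioning": {"Status": "Enabled", "MFADelete": "Enabled"},
    "object_lock": {"ObjectLockConfiguration": {
        "ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 90}}}},
    "lifecycle": {"Rules": [{"ID": "tidy", "Status": "Enabled", "Filter": {},
                             "NoncurrentVersionExpiration": {"NoncurrentDays": 7}}]},
}
GOVERNANCE_BUCKET = {
    "versioning": {"Status": "Enabled", "MFADelete": "Disabled"},
    "object_lock": {"ObjectLockConfiguration": {
        "ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 30}}}},
    "lifecycle": None,  # GetBucketLifecycleConfiguration raised NoSuchLifecycleConfiguration
}
# The classic trap: "versioning is on" but a 1-day noncurrent expiry and no lock.
WEAK_BUCKET = {
    "versioning": {"Status": "Enabled", "MFADelete": "Disabled"},
    "object_lock": None,  # ObjectLockConfigurationNotFoundError
    "lifecycle": {"Rules": [{"ID": "cheap", "Status": "Enabled", "Filter": {},
                             "NoncurrentVersionExpiration": {"NoncurrentDays": 1}}]},
}


def noncurrent_expiry_days(lifecycle):
    """Smallest NoncurrentDays among enabled lifecycle rules, or None."""
    days = [r["NoncurrentVersionExpiration"]["NoncurrentDays"]
            for r in (lifecycle or {}).get("Rules", [])
            if r.get("Status") == "Enabled" and "NoncurrentVersionExpiration" in r]
    return min(days) if days else None


def retention_days(retention):
    """Default retention length in days (Object Lock accepts Days or Years)."""
    if "Days" in retention:
        return retention["Days"]
    if "Years" in retention:
        return retention["Years"] * 365
    return None


def ransomware_findings(bucket, required_window_days=30):
    """Return finding codes (keys of MESSAGES); empty list means no gaps found."""
    codes = []
    versioning = bucket.get("versioning") or {}
    if versioning.get("Status") != "Enabled":
        codes.append("NO_VERSIONING")
    elif versioning.get("MFADelete") != "Enabled":
        codes.append("NO_MFA_DELETE")

    lock = (bucket.get("object_lock") or {}).get("ObjectLockConfiguration") or {}
    retention = (lock.get("Rule") or {}).get("DefaultRetention") or {}
    if lock.get("ObjectLockEnabled") != "Enabled":
        codes.append("NO_OBJECT_LOCK")
    elif not retention:
        codes.append("NO_DEFAULT_RETENTION")
    elif retention.get("Mode") == "GOVERNANCE":
        codes.append("GOVERNANCE_MODE")

    # Lifecycle cannot remove a locked version before retention ends, so the
    # effective recovery window is the larger of the two.
    expiry = noncurrent_expiry_days(bucket.get("lifecycle"))
    if expiry is not None:
        locked_for = retention_days(retention) or 0
        if max(expiry, locked_for) < required_window_days:
            codes.append("SHORT_RECOVERY_WINDOW")
    return codes


if __name__ == "__main__":
    for name, bucket in [("hardened", HARDENED_BUCKET), ("governance", GOVERNANCE_BUCKET),
                         ("weak", WEAK_BUCKET)]:
        print(name, [MESSAGES[c] for c in ransomware_findings(bucket)] or "ok")
```

Note that COMPLIANCE mode cannot be shortened or removed by anyone, including the account root, for the life of the retention period, so size the default retention to your real recovery needs before enabling it; GOVERNANCE mode is the right choice only if you also deny `s3:BypassGovernanceRetention` to everything except a break-glass role.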

Other Writeups

Denial of Wallet Attacks on AWS (Summit Route)