
Best Practices

High Level Documentation

Link Notes
Security Pillar of the Well-Architected Framework Best practices and guidance
AWS Security Reference Architecture (AWS SRA) Comprehensive set of examples, guides, and design considerations to deploy the full complement of AWS security services in a multi-account environment managed through AWS Organizations
OG-AWS Amazon Web Services — a practical guide
Map the Cloud
  • Find information about public cloud provider regional services availability fast, from AWS, Azure, Google Cloud, CloudFlare and Fastly
  • Get stats of services, regions and edge locations
Catalog of AWS Customer Security Incidents This repository seeks to index all publicly disclosed AWS customer security incidents with a known root cause
imdsv2_wall_of_shame List of vendors that do not allow IMDSv2 enforcement

Operational Guides

Link Notes
Summit Route AWS Exposable Resources Repo maintaining a list of all AWS resources that can be publicly exposed, and eventually, those that can be shared with untrusted accounts
Summit Route AWS Security Tools Comparison Comparison of: PacBot, Prowler, Security Monkey, Trusted Advisor, Config, CloudMapper
AWS Control Tower By Example Hands-on walk-through of the easiest way to set up and govern a secure, compliant, multi-account AWS environment based on best practices
CloudConformity List of manual checks/audit
Top 10 security best practices for securing data in Amazon S3 The latest S3 features and AWS services that you can use to help secure your data in S3
Bastion Hosts

Code Samples

Link Notes
aws-root-account
  • Terraform for the UK Ministry of Justice AWS root account

Cost Optimization

Link Notes
Cloud Cost Handbook Set of guides meant to help explain the often complex pricing of public cloud infrastructure and service providers in easy-to-understand terms
My Comprehensive Guide to AWS Cost Control
  • Stage 1: Track Cost
  • Stage 2: Reduce Cost
  • Stage 3: Include Cost In Your Process
AWS Cost Allocation Guide: Tagging Best Practices
  • Hierarchical Account Separation
  • Brand Accounts
  • Third-Party Tools
  • How can you audit compliance?
Cost Monitoring and Governance With Kubecost Dedicated Cluster VS dedicated Node VS dedicated Namespace
Overview of Data Transfer Costs for Common Architectures Potential data transfer charges you may encounter while operating your workload on AWS

Backups

Link Notes
Marco Lancini Automated GitHub Backups with ECS and S3 Architecture and implications of an automated process aiming to back up a GitHub account, relying on ECS Fargate and S3 Glacier
Marco Lancini Automated GDrive Backups with ECS and S3 Architecture and implications of an automated process aiming to back up a GDrive account, relying on ECS Fargate and S3 Glacier

Ransomware Prevention

Link Notes
S3 Ransomware
Summit Route S3 backups and other strategies for ensuring data durability through ransomware attacks Options for ensuring the durability of data stored on S3, through protections in place and backup strategies
Protecting Amazon S3 Data from Ransomware Ransomware targeting S3 is more likely to simply delete your data and claim it is being held for ransom than to actually encrypt it
Ransomware mitigation: Top 5 protections and recovery preparation actions
  • Set up the ability to recover your apps and data
  • Encrypt your data
  • Apply critical patches
  • Follow a security standard
  • Make sure you're monitoring and automating responses
Ransomware Risk Management on AWS using the NIST CSF Implementation of security controls to manage the risks associated with ransomware and other destructive events using the NIST cybersecurity framework
Ransomware-resistant backups with duplicity and AWS S3 How to use duplicity with S3 to create ransomware-resistant backups

Other Writeups

Link Notes
Summit Route Denial of Wallet Attacks on AWS
Remediating AWS IMDSv1 How to remediate IMDSv1 in AWS