
Best Practices

High Level Documentation

| Link | Notes |
|---|---|
| Security Pillar of the Well-Architected Framework | Best practices and guidance |
| AWS Ramp-Up Guide: Security | Learning plan to teach cloud security, governance, and compliance developments |
| AWS Security Reference Architecture (AWS SRA) | Comprehensive set of examples, guides, and design considerations to deploy the full complement of AWS security services in a multi-account environment managed through AWS Organizations |
| OG-AWS | Amazon Web Services — a practical guide |

Operational Guides

| Link | Notes |
|---|---|
| Summit Route AWS Exposable Resources | Repo maintaining a list of all AWS resources that can be publicly exposed, and eventually, those that can be shared with untrusted accounts |
| Summit Route AWS Security Tools Comparison | Comparison of PacBot, Prowler, Security Monkey, Trusted Advisor, Config, and CloudMapper |
| AWS Control Tower By Example | Hands-on walk-through of the easiest way to set up and govern a secure, compliant, multi-account AWS environment based on best practices |
| CloudConformity | List of manual checks/audits |
| Kubernetes multi tenancy with Amazon EKS: Best practices and considerations | Some considerations for Kubernetes multi-tenancy implementation using Amazon EKS, covering different perspectives around compute, networking, and storage |
| Bastion Hosts | |

IAM

| Link | Notes |
|---|---|
| Summit Route How to audit AWS IAM and resource policies | Some general rules:<br>• Beware that anything with Allow and Principal "*" is public<br>• Never use Allow with NotPrincipal<br>• Never use Allow with NotAction |
| Top ten AWS identity health checks to improve security in the cloud | Ten recommended AWS identity health checks which can help you understand your IAM health, prioritize improvements to your IAM implementation, and operationalize effective access management processes |

Cost Optimization

| Link | Notes |
|---|---|
| My Comprehensive Guide to AWS Cost Control | • Stage 1: Track Cost<br>• Stage 2: Reduce Cost<br>• Stage 3: Include Cost In Your Process |
| AWS Cost Allocation Guide: Tagging Best Practices | • Hierarchical Account Separation<br>• Brand Accounts<br>• Third-Party Tools<br>• How can you audit compliance? |
| Cost Monitoring and Governance With Kubecost | Dedicated Cluster vs dedicated Node vs dedicated Namespace |

Backups

| Link | Notes |
|---|---|
| Automated GitHub Backups with ECS and S3 | Architecture and implications of an automated process aiming to back up a GitHub account, relying on ECS Fargate and S3 Glacier |
| Automated GDrive Backups with ECS and S3 | Architecture and implications of an automated process aiming to back up a GDrive account, relying on ECS Fargate and S3 Glacier |

Other Writeups

| Link | Notes |
|---|---|
| Summit Route Denial of Wallet Attacks on AWS | Attacks where the goal is to increase the financial burden on the victim |
| Summit Route Managing AWS root passwords and MFA | How not to use the root user account, and how to manage the credentials (password and MFA) for the root user effectively |
| Protecting Amazon S3 Data from Ransomware | Ransomware targeting S3 is more likely to simply delete your data and claim that it is being held for ransom than to actually encrypt it |
| Hardening AWS EKS security with RBAC, secure IMDS, and audit logging | How small misconfigurations or unwanted side effects may put clusters at risk |