AWS Best Practices: Five Key Approaches to Get You Started

There’s a whole mountain of official documentation on AWS best practices.

Most new users will probably have a great deal of trouble working through all that material (not that you shouldn’t try). So I’m going to try to provide you with a bit of a short cut and present what I think are the top five AWS Best Practices you absolutely must know right now.

1. AWS Best Practices: protect your AWS credentials

Your AWS account represents a business relationship between you and AWS. Since you use your root AWS account to manage your AWS resources and services, it will need full access, which requires root permissions. But with great power comes great risk.

Do not use root account credentials for day-to-day interactions with AWS!

One of the very best of AWS best practices is to avoid creating an access key for your root account. Unless, for some strange reason, you absolutely must have a root access key, it is best not to generate one. Instead, create one or more AWS Identity and Access Management (IAM) users, give them the necessary permissions and use those users for everyday interaction with AWS.

2. AWS Best Practices: secure your Applications

Sometimes it is better to explain a concept with a picture or diagram rather than with words.

The diagram below could be a small scale deployment on AWS. You have a Web Server, an App Server, and a DB server. You should allow access from the outside world only where necessary. So a security group should be created for the web server that only allows traffic through ports 80 (HTTP) and 443 (HTTPS). Another security group could restrict traffic into the App Server to port 22 (SSH), and even then only to sessions originating from a defined range of IP addresses. All other Internet traffic should be denied.

Further security configuration could control access between the servers themselves.
Amazon EC2 Security Group Firewall

3. AWS Best Practices: backup a lot and test your recovery resources before you need them

With all your AWS credentials protected and your applications secured you should be sleeping better at night. Now it’s time to start thinking about a backup and recovery plan. Here are some things that should be part of any robust backup plan.

  • Regularly back up your instance using Amazon EBS snapshots or a backup tool.
  • Deploy critical components of your application across multiple Availability Zones, and replicate your data appropriately.
  • Design your applications to handle dynamic IP addressing when your instance restarts.
  • Monitor and respond to events.
  • Ensure that you are prepared to handle failover. For a basic solution, you can manually attach a network interface or Elastic IP address to a replacement instance.
  • Regularly test the process of recovering your instances and Amazon EBS volumes if they fail.

4. AWS Best Practices: use the Trusted Advisor

I’ve written about Trusted Advisor before.  As it turns out, so has the Amazon documentation team. They characterized their Trusted Advisor as

…Your customized cloud expert! It helps you to observe best practices for the use of AWS by inspecting your AWS environment with an eye toward saving money, improving system performance and reliability, and closing security gaps.

The good news is that there are four Trusted Advisor services available at no charge:

  • Service Limits Check
  • Security Groups – Specific Ports Unrestricted Check
  • IAM Use Check
  • MFA on Root Account Check

This is a must-use tool. All you need to do is click on the Trusted Advisor icon in your AWS console under Administration & Security and the screen will appear and give you an instantaneous snapshot of the current status of the four items listed above. This is the easiest of all the AWS Best Practices listed here, so there is really no excuse for not using it. To dive into the AWS Trusted Advisor service and how you can use it to benefit your AWS account, take a look at Cloud Academy’s Overview of AWS Trusted Advisor course.

5. AWS Best Practices: understand the AWS Shared Responsibility Model

You must know what you are responsible for and what lies under Amazon Web Services’ control. Once again rather than bore you with a long explanation, when a diagram will be more effective, see if this doesn’t make things clear.
AWS Shared Responsibility Model

Conclusion

AWS Best Practices exist because they work best. And their significance increases exponentially as the size of your deployment grows. However, figuring out what to focus on can be very confusing at first. Hopefully, this article will give you some idea of where you should begin.

Here’s a list of just some of the best practice documents currently available if you wish to continue reading on AWS best practices:

Avatar

Written by

Michael Sheehy

I have been UNIX/Linux System Administrator for the past 15 years and am slowly moving those skills into the AWS Cloud arena. I am passionate about AWS and Cloud Technologies and the exciting future that it promises to bring.


Related Posts

Alisha Reyes
Alisha Reyes
— December 10, 2019

New Lab Challenges: Push Your Skills to the Next Level

Build hands-on experience using real accounts on AWS, Azure, Google Cloud Platform, and more Meaningful cloud skills require more than book knowledge. Hands-on experience is required to translate knowledge into real-world results. We see this time and time again in studies about how pe...

Read more
  • AWS
  • Azure
  • Google Cloud
  • hands-on
  • labs
Alisha Reyes
Alisha Reyes
— December 5, 2019

New on Cloud Academy: AWS Solution Architect Lab Challenge, Azure Hands-on Labs, Foundation Certificate in Cyber Security, and Much More

Now that Thanksgiving is over and the craziness of Black Friday has died down, it's now time for the busiest season of the year. Whether you're a last-minute shopper or you already have your shopping done, the holidays bring so much more excitement than any other time of year. Since our...

Read more
  • AWS
  • AWS solution architect
  • AZ-203
  • Azure
  • cyber security
  • FCCS
  • Foundation Certificate in Cyber Security
  • Google Cloud Platform
  • Kubernetes
Avatar
Cloud Academy Team
— December 4, 2019

Understanding Enterprise Cloud Migration

What is enterprise cloud migration? Cloud migration is about moving your data, applications, and even infrastructure from your on-premises computers or infrastructure to a virtual pool of on-demand, shared resources that offer compute, storage, and network services at scale. Why d...

Read more
  • AWS
  • Azure
  • Data Migration
Wendy Dessler
Wendy Dessler
— November 27, 2019

6 Reasons Why You Should Get an AWS Certification This Year

In the past decade, the rise of cloud computing has been undeniable. Businesses of all sizes are moving their infrastructure and applications to the cloud. This is partly because the cloud allows businesses and their employees to access important information from just about anywhere. ...

Read more
  • AWS
  • Certifications
  • certified
Avatar
Andrea Colangelo
— November 26, 2019

AWS Regions and Availability Zones: The Simplest Explanation You Will Ever Find Around

The basics of AWS Regions and Availability Zones We’re going to treat this article as a sort of AWS 101 — it’ll be a quick primer on AWS Regions and Availability Zones that will be useful for understanding the basics of how AWS infrastructure is organized. We’ll define each section,...

Read more
  • AWS
Avatar
Dzenan Dzevlan
— November 20, 2019

Application Load Balancer vs. Classic Load Balancer

What is an Elastic Load Balancer? This post covers basics of what an Elastic Load Balancer is, and two of its examples: Application Load Balancers and Classic Load Balancers. For additional information — including a comparison that explains Network Load Balancers — check out our post o...

Read more
  • ALB
  • Application Load Balancer
  • AWS
  • Elastic Load Balancer
  • ELB
Albert Qian
Albert Qian
— November 13, 2019

Advantages and Disadvantages of Microservices Architecture

What are microservices? Let's start our discussion by setting a foundation of what microservices are. Microservices are a way of breaking large software projects into loosely coupled modules, which communicate with each other through simple Application Programming Interfaces (APIs). ...

Read more
  • AWS
  • Docker
  • Kubernetes
  • Microservices
Nisar Ahmad
Nisar Ahmad
— November 12, 2019

Kubernetes Services: AWS vs. Azure vs. Google Cloud

Kubernetes is a popular open-source container orchestration platform that allows us to deploy and manage multi-container applications at scale. Businesses are rapidly adopting this revolutionary technology to modernize their applications. Cloud service providers — such as Amazon Web Ser...

Read more
  • AWS
  • Azure
  • Google Cloud
  • Kubernetes
Avatar
Stuart Scott
— October 31, 2019

AWS Internet of Things (IoT): The 3 Services You Need to Know

The Internet of Things (IoT) embeds technology into any physical thing to enable never-before-seen levels of connectivity. IoT is revolutionizing industries and creating many new market opportunities. Cloud services play an important role in enabling deployment of IoT solutions that min...

Read more
  • AWS
  • AWS IoT Events
  • AWS IoT SiteWise
  • AWS IoT Things Graph
  • IoT
Avatar
Cloud Academy Team
— October 23, 2019

Which Certifications Should I Get?

As we mentioned in an earlier post, the old AWS slogan, “Cloud is the new normal” is indeed a reality today. Really, cloud has been the new normal for a while now and getting credentials has become an increasingly effective way to quickly showcase your abilities to recruiters and compan...

Read more
  • AWS
  • Azure
  • Certifications
  • Cloud Computing
  • Google Cloud Platform
Valery Calderón Briz
Valery Calderón Briz
— October 22, 2019

How to Go Serverless Like a Pro

So, no servers? Yeah, I checked and there are definitely no servers. Well...the cloud service providers do need servers to host and run the code, but we don’t have to worry about it. Which operating system to use, how and when to run the instances, the scalability, and all the arch...

Read more
  • AWS
  • Lambda
  • Serverless
Avatar
Stuart Scott
— October 16, 2019

AWS Security: Bastion Hosts, NAT instances and VPC Peering

Effective security requires close control over your data and resources. Bastion hosts, NAT instances, and VPC peering can help you secure your AWS infrastructure. Welcome to part four of my AWS Security overview. In part three, we looked at network security at the subnet level. This ti...

Read more
  • AWS