AWS Ground Rules

Photo by Darko Kukovec on Unsplash

AWS Ground Rules

AWS/Basic

Taegu Kang's photo
Taegu Kang
·

2 min read

  • Good for Security (Zero Trust) and saves traffic cost

  1. Do not use the root user for the common case.

  2. Use individual IAM users.

  3. Use MFA for Every IAM user including root account.

  4. Use Role not Accesskey.

  5. Separate VPC for ENV such as dev, staging, and production.

  6. Separate private and public subnets on VPC.

  7. Use individual routing tables for private and public subnets on VPC. (NAT Gateway, Internet Gateway)

  8. Internet traffic from AWS private subnet : EC2(Private Subnet) -> NAT Gateway (Public Subnet)

  9. Internet traffic from AWS public subnet : Internet Gateway -> ELB(Public Subnet) -> EC2(Private Subnet)

  10. Using AWS internal traffic routings such as s3-endpoint, internal-alb and internal DNS.

  11. Locate the EC2, RDS, and Cache on the private subnet and Internet-facing ELB and the bastion host only on the Public Subnet.

  12. Open the SG rule only from SG on AWS internal traffic if you can. (ex. ELB SG -> EC2 SG)

  13. Use a non-default port for the application.

  14. Use ELB by rule set-based routing.

  15. Use Savings Plans and Rightsizing recommendations.

  16. Use EBS GP3 volumes, not GP2.

  • Good for High Availability

  1. Using rds writer, reader endpoint not instance endpoint.

  2. Using Multi-AZ for every AWS resource such as Subnet, Nat GW, RDS, EC2, ECS and so on.

Good for Security (Zero Trust) and saves traffic costAWSSecuritybest practiceszero trust securityground-rule