The document outlines a 10-step pre-launch checklist for going live on AWS, including securing accounts and resources, setting up billing and support, enabling multi-factor authentication and CloudTrail logging, configuring IAM roles and network access, applying tags for cost allocation, and automating infrastructure through APIs and services. Security best practices like least privilege policies and role-based access are emphasized throughout the checklist.
2. Pre-Launch Checklist
01. Security
02. Accounts
03. Support
04. Cost
05. MFA
06. CloudTrail
07. IAM
08. Network
09. Tag
10. Automate
4. 01. Security
• Gather internal feedback
– Compliance and regulatory requirements
– Data classification implications
• Involve security owners from the start
– Environment validation and testing
5. 01. Security
Shared Security Model
(Diagram: the stack from customer data down to the AWS global infrastructure, split between customer and AWS responsibility)
• Customers are responsible for their security IN the Cloud:
– Customer Data
– Platform, Applications, Identity & Access Management
– Operating System, Network & Firewall Configuration
– Client-side Data Encryption & Data Integrity Authentication
– Server-side Encryption (File System and/or Data)
– Network Traffic Protection (Encryption/Integrity/Identity)
• AWS is responsible for the security OF the Cloud:
– Foundation Services: Compute, Storage, Database, Network
– AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
8. 02. Accounts
• Master Account – Email Alias
– what happens when joe.user@yourcompany.com leaves?
– make it something meaningful like
‘aws-dev-projectx@yourcompany.com’
– make sure relevant owners are in that alias
• i.e. department director, finance owner
– secure it with MFA
– this account is ‘root’
• don’t use it & don’t generate API credentials
9. 02. Accounts
Consolidated Billing
• Receive a single bill for all charges incurred across all linked accounts
• Share RI discounts
• Combine tiering benefits
• Facilitates a company-wide strategy for accounts
• No resources under the payer account
(Diagram: the payer account receives the consolidated bill; linked Accounts 1-4 each keep their regular bill; RI discounts are shared and usage tiers combined across all of them)
10. 02. Accounts
• Invoicing
– Major convenience – no more credit cards
– make sure you set up AWS as a vendor BEFORE switching to
invoicing (hint hint - check with accounting first)
• Get in touch
– Your account manager and solution architect are here to help
– not a must if you’re self-sufficient, but if you’re planning on doing
something and want a second pair of eyes or understand best
practices, please get in touch
13. 03. Support
• Opt-In Model
– But that doesn’t mean you should go without it
• When should you add support?
– Development - not getting the expected results or simply want to
get help with a problem
– Production - extremely / highly recommended if you have a
service where people might complain if it’s down (most of us do)
18. 04. Cost
• Reserved Instances
– Significant discount on the hourly rate
– Low, one-time upfront fee
– Available in one or three year reservations
– Implement as soon as usage can be trended
– Choose optimal reservation type based on expected usage:
• Light: between 11% - 19%
• Medium: between 19% - 35%
• Heavy: running > 35% of the time
(Chart: instance utilization across the 24 hours of a day, hours 1-24, illustrating the Light / Medium / Heavy bands)
19. 04. Cost
• Spot Market
– Bid on unused EC2 Capacity
– Great option for resumable workloads
– Checkpoint often (to S3 or external db)
– Test and then test again
– Instances can be taken back anytime
(when bid is exceeded)
– Savings over on-demand can be very
compelling
21. 05. Multi-Factor Authentication
• Supplements user name and
password to require a one-time
code for authentication
• Two types: physical and virtual
• Enable for master account
• Also enable for all privileged
users … no reason not to
22. 05. Multi-Factor Authentication
• Can be used for more than just logging in:
– Protecting objects or buckets in S3 from accidental deletion
– Changing rules in a Security Group
– Adding users in IAM
– Terminating a CloudFormation stack
– Almost anything…
Example policy: deny instance termination unless the caller authenticated with MFA
{
  "Statement": [{
    "Effect": "Deny",
    "Action": ["ec2:TerminateInstances"],
    "Resource": ["*"],
    "Condition": {
      "Null": {"aws:MultiFactorAuthAge": "true"}
    }
  }]
}
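The policy above hinges on how IAM treats a condition key that is absent from the request context: "Null" tests for that absence, while every other operator simply evaluates to false when the key is missing. The following is an added example (not code from the slide deck or from AWS) that models just those two behaviours for the slide's statement and for an assumed "freshness" variant using NumericGreaterThan, so the difference can be traced on concrete request contexts. Only explicit-Deny matching is modelled; in a real account the caller also needs an Allow for ec2:TerminateInstances, which a matching Deny then overrides.

```python
"""Trace how the MFA-conditioned Deny from the slide behaves.

Added example, not code from the slide deck: a minimal evaluator for the
two condition operators needed here ("Null" and "NumericGreaterThan").
Only explicit-Deny matching is modelled.
"""
from fnmatch import fnmatch

# The slide's statement: Deny when the MFA age key is ABSENT from the
# request context, i.e. the caller never authenticated with MFA.
MFA_REQUIRED = {
    "Statement": [{
        "Effect": "Deny",
        "Action": ["ec2:TerminateInstances"],
        "Resource": ["*"],
        "Condition": {"Null": {"aws:MultiFactorAuthAge": "true"}},
    }]
}

# Assumed variant for comparison: Deny when the MFA login is older than
# one hour (3600 seconds). On its own it does NOT catch callers with no
# MFA at all, because a missing key makes a numeric test evaluate false.
MFA_FRESH = {
    "Statement": [{
        "Effect": "Deny",
        "Action": ["ec2:TerminateInstances"],
        "Resource": ["*"],
        "Condition": {"NumericGreaterThan": {"aws:MultiFactorAuthAge": "3600"}},
    }]
}


def condition_matches(condition, context):
    """Return True when every key under every operator matches.

    Modelled IAM semantics: "Null" tests presence of the key; any other
    operator evaluates to False when the key is missing from the context.
    """
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            present = key in context
            if operator == "Null":
                # "true" means "the key must be absent"
                if (expected == "true") != (not present):
                    return False
            elif not present:
                return False
            elif operator == "NumericGreaterThan":
                if not float(context[key]) > float(expected):
                    return False
            else:
                raise ValueError(f"operator not modelled: {operator}")
    return True


def explicitly_denied(policy, action, context):
    """True when a Deny statement matches the action under this context."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(fnmatch(action, pattern) for pattern in stmt["Action"]):
            continue
        if condition_matches(stmt.get("Condition", {}), context):
            return True
    return False


if __name__ == "__main__":
    # Constructed request contexts: no MFA, MFA ten minutes ago, MFA two hours ago.
    contexts = {
        "no MFA": {},
        "MFA 600s ago": {"aws:MultiFactorAuthAge": "600"},
        "MFA 7200s ago": {"aws:MultiFactorAuthAge": "7200"},
    }
    for label, ctx in contexts.items():
        print(f"{label:14} required={explicitly_denied(MFA_REQUIRED, 'ec2:TerminateInstances', ctx)}"
              f" fresh={explicitly_denied(MFA_FRESH, 'ec2:TerminateInstances', ctx)}")
```

The run shows why the slide uses "Null": the freshness variant alone lets a caller who never used MFA through, so a policy that wants both properties needs both statements.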
24. 06. CloudTrail
• Records API calls in your account and
delivers a log file to your S3 bucket.
• Typically, delivers an event within 15
minutes of the API call.
• Log files are delivered approximately
every 5 minutes.
• Multiple partners offer integrated
solutions to analyze log files.
Image Source: Jeff Barr
25. 06. CloudTrail
• Who made the API call?
• When was the API call made?
• What was the API call?
• What were the resources that
were acted upon in the API call?
• Where was the API call made
from?
Image Source: Jeff Barr
{
  "eventVersion": "1.01",
  "userIdentity": {
    "type": "IAMUser",
    "principalId": "AIDAJDPLRKLG7UEXAMPLE",
    "arn": "arn:aws:iam::123456789012:user/Alice",
    "accountId": "123456789012"
  },
  "eventTime": "2014-07-08T17:36:04Z",
  "eventSource": "signin.amazonaws.com",
  "eventName": "ConsoleLogin",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "10.0.0.1",
  "userAgent": "AWS Console Access",
  "requestParameters": null,
  "responseElements": {
    "ConsoleLogin": "Success"
  },
  "additionalEventData": {
    "MobileVersion": "No",
    "LoginTo": "https://console.aws.amazon.com/sns",
    "MFAUsed": "Yes"
  },
  "eventID": "example-even-tide-xamp-123456789012"
}
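The five questions on the slide map directly onto fields of the record shown above. As an added example (not from the slides or from AWS), the script below answers them for each record and then runs a few detection rules a defender would want over a CloudTrail batch: root credential use, console logins without MFA, failed logins, and calls from outside a trusted network. The events are constructed in the CloudTrail shape (ids, addresses and times are made up), and the trusted CIDR list is an assumption for the demo.

```python
"""Answer who / when / what / which resources / where for CloudTrail
records and raise defender-oriented findings.

Added example, not from the slides: SAMPLE_EVENTS are constructed records
in the CloudTrail shape; the trusted network list is assumed.
"""
import ipaddress

SAMPLE_EVENTS = [
    {   # ordinary console login with MFA from the corporate network
        "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLE1",
                         "arn": "arn:aws:iam::123456789012:user/Alice",
                         "accountId": "123456789012", "userName": "Alice"},
        "eventTime": "2014-07-08T17:36:04Z", "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin", "sourceIPAddress": "10.0.0.1",
        "requestParameters": None, "responseElements": {"ConsoleLogin": "Success"},
        "additionalEventData": {"MobileVersion": "No", "MFAUsed": "Yes"},
        "eventID": "ev-1",
    },
    {   # the root account logging in without MFA from outside the company
        "userIdentity": {"type": "Root", "principalId": "123456789012",
                         "arn": "arn:aws:iam::123456789012:root",
                         "accountId": "123456789012"},
        "eventTime": "2014-07-08T18:02:11Z", "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
        "requestParameters": None, "responseElements": {"ConsoleLogin": "Success"},
        "additionalEventData": {"MobileVersion": "No", "MFAUsed": "No"},
        "eventID": "ev-2",
    },
    {   # an API call acting on a resource, issued from an untrusted address
        "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLE2",
                         "arn": "arn:aws:iam::123456789012:user/Bob",
                         "accountId": "123456789012", "userName": "Bob"},
        "eventTime": "2014-07-08T18:10:45Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "TerminateInstances", "sourceIPAddress": "203.0.113.9",
        "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0example"}]}},
        "responseElements": None,
        "resources": [{"ARN": "arn:aws:ec2:us-east-1:123456789012:instance/i-0example"}],
        "eventID": "ev-3",
    },
    {   # a failed console login
        "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLE1",
                         "arn": "arn:aws:iam::123456789012:user/Alice",
                         "accountId": "123456789012", "userName": "Alice"},
        "eventTime": "2014-07-08T18:20:00Z", "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin", "sourceIPAddress": "10.0.0.1",
        "requestParameters": None, "responseElements": {"ConsoleLogin": "Failure"},
        "additionalEventData": {"MobileVersion": "No", "MFAUsed": "No"},
        "eventID": "ev-4",
    },
]


def summarize(event):
    """The five questions from the slide, answered from one record."""
    identity = event["userIdentity"]
    return {
        "who": identity.get("arn", identity.get("type")),
        "when": event["eventTime"],
        "what": f'{event["eventSource"]}:{event["eventName"]}',
        "resources": [r["ARN"] for r in event.get("resources", [])],
        "where": event.get("sourceIPAddress"),
    }


def event_findings(event, trusted_networks):
    """Detection rules run over every record; returns a list of messages."""
    findings = []
    identity = event.get("userIdentity", {})
    if identity.get("type") == "Root":
        findings.append("root credentials used")
    if event.get("eventName") == "ConsoleLogin":
        outcome = (event.get("responseElements") or {}).get("ConsoleLogin")
        mfa = (event.get("additionalEventData") or {}).get("MFAUsed")
        if outcome == "Failure":
            findings.append("console login failed")
        elif mfa != "Yes":
            findings.append("console login without MFA")
    source = event.get("sourceIPAddress", "")
    try:
        address = ipaddress.ip_address(source)
    except ValueError:
        address = None  # calls made by AWS services carry a DNS name here
    if address is not None and not any(address in net for net in trusted_networks):
        findings.append(f"source {source} outside trusted networks")
    return findings


def triage(events, trusted_cidrs):
    """Map eventID -> findings for a batch of records."""
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    return {e["eventID"]: event_findings(e, nets) for e in events}


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(summarize(event))
    print(triage(SAMPLE_EVENTS, ["10.0.0.0/8"]))
```

The rules deliberately key on fields that every record carries (userIdentity.type, eventName, sourceIPAddress), so the same logic can run over the delivered log files unchanged once the trusted CIDRs are replaced with your own.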
28. 07. IAM
• Grant Least Privilege Policies
– Use policy templates
– Avoid assigning *:* policy
– Easier to relax than to tighten up
– Less chance of people making mistakes
– Use conditions where feasible
– Test your policies in the Policy Simulator
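A static check catches the most common least-privilege violations before a policy ever reaches the Policy Simulator. The following is an added example (not from the slides or from AWS): a small linter that flags the patterns this slide warns about, an Allow of *:*, service-wide wildcards such as iam:*, NotAction grants, and mutating actions on Resource * with no Condition. The read-only prefixes and the three sample policies are assumptions constructed for the demo.

```python
"""Flag IAM policy statements that violate the least-privilege advice
from the slide. Added example, not from the slides or from AWS; the sample
policies and the read-only action prefixes are constructed for the demo.
"""

READ_ONLY_PREFIXES = ("Describe", "Get", "List")


def _as_list(value):
    """Action and Resource may be a string or a list in policy JSON."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _is_read_only(action):
    """Treat Describe*/Get*/List* as non-mutating (an assumption)."""
    name = action.split(":", 1)[-1]
    return name.startswith(READ_ONLY_PREFIXES)


def lint_policy(policy):
    """Return (statement index, message) pairs for Allow statements that
    are broader than the checklist recommends. Deny statements only
    tighten access and are not flagged."""
    findings = []
    for index, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "NotAction" in stmt:
            findings.append((index, "Allow with NotAction grants every action not listed"))
        if any(a in ("*", "*:*") for a in actions) and "*" in resources:
            findings.append((index, "full *:* administrative access"))
            continue
        for action in actions:
            if action.endswith(":*"):
                findings.append((index, f"service-wide wildcard {action}"))
        if ("*" in resources and not stmt.get("Condition")
                and not all(_is_read_only(a) for a in actions)):
            findings.append((index, "mutating actions on Resource * without a Condition"))
    return findings


# Constructed sample policies.
ADMIN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}

LOOSE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iam:*", "ec2:DescribeInstances"], "Resource": "*"}]}

SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"Bool": {"aws:SecureTransport": "true"}}},
    {"Effect": "Allow", "Action": "ec2:DescribeInstances", "Resource": "*"},
    {"Effect": "Deny", "Action": "ec2:TerminateInstances", "Resource": "*",
     "Condition": {"Null": {"aws:MultiFactorAuthAge": "true"}}}]}


if __name__ == "__main__":
    for name, policy in [("admin", ADMIN_POLICY), ("loose", LOOSE_POLICY), ("scoped", SCOPED_POLICY)]:
        print(name, lint_policy(policy))
```

Describe-style actions on Resource * are left alone on purpose: many of them do not support resource-level permissions, so flagging them would only train people to ignore the linter.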
29. 07. IAM
• Use Roles for EC2 instances
– No more hard-coded credentials
– Automatic credential rotation
– Simply launch instance with role
– Rule of least privilege still applies
– Fully integrated with AWS SDKs
30. 07. IAM
• SSO Federation
– Supports SAML 2.0
– AWS Management Console login
– Pre-packaged samples:
• Windows Active Directory
• Shibboleth
– Enterprise controlled onboarding
and offboarding of AWS users
– Makes use of IAM roles
– Can be leveraged across several
AWS accounts
32. 08. Network
• Planning is everything
– VPCs will represent data centers in your environment
– Choose an RFC1918 scheme that fits in your enterprise and can scale across many VPCs
– Connectivity options:
• VPN
• AWS Direct Connect
• None (Bastion Host over the Internet)
33. 08. Network
Traffic Filtering – what does what?
Network ACLs:
• Applied to Subnets (1 per)
• Stateless inspection
• Create allow & deny rules
• Are processed in order
Security Groups:
• Applied at the instance ENI level (5 per)
• Stateful inspection
• Create ‘allow’ rules
• Are evaluated as a whole
• Can reference other Security Groups in the same VPC
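The two columns above describe two different evaluation models, and the practical consequence is easiest to see on a single connection. As an added example (not from the slides or from AWS), the toy model below runs the request and the reply of one HTTPS connection through a Network ACL (stateless, ordered, first match wins, implicit deny) and a Security Group (stateful, allow-only, evaluated as a whole). All rule sets and addresses are constructed; the "mirrored" outbound ACL reproduces a common mistake, where the inbound rule is copied outbound and the reply to the client's ephemeral port is dropped.

```python
"""Simulate how a Network ACL and a Security Group each judge the two
halves of one HTTPS connection. Added example, not from the slides; the
rule sets and addresses are constructed.
"""
import ipaddress


def _matches(rule, packet):
    """A rule covers the packet when protocol, port range and CIDR all match."""
    low, high = rule["ports"]
    return (rule["proto"] in ("-1", packet["proto"])
            and low <= packet["port"] <= high
            and ipaddress.ip_address(packet["peer"]) in ipaddress.ip_network(rule["cidr"]))


def nacl_verdict(rules, packet):
    """Network ACL: stateless; rules processed in ascending rule number,
    the first match decides; the implicit final rule denies."""
    for rule in sorted(rules, key=lambda r: r["number"]):
        if _matches(rule, packet):
            return rule["action"]
    return "deny"


def sg_verdict(rules, packet, tracked_flows):
    """Security Group: stateful; only allow rules exist and they are
    evaluated as a whole; return traffic of a tracked flow needs no rule."""
    if packet["flow"] in tracked_flows:
        return "allow"
    return "allow" if any(_matches(r, packet) for r in rules) else "deny"


def simulate_https(nacl_in, nacl_out, sg_in, sg_out, client_ip, client_port=50000):
    """Run the request (client -> instance:443) and the reply (instance ->
    client:ephemeral) through both layers and report every verdict."""
    flow = (client_ip, client_port, 443)
    request = {"proto": "tcp", "peer": client_ip, "port": 443, "flow": flow}
    reply = {"proto": "tcp", "peer": client_ip, "port": client_port, "flow": flow}
    tracked = set()
    verdicts = {"nacl_in": nacl_verdict(nacl_in, request),
                "sg_in": sg_verdict(sg_in, request, tracked)}
    if verdicts["nacl_in"] == "allow" and verdicts["sg_in"] == "allow":
        tracked.add(flow)  # the Security Group now remembers the connection
    verdicts["sg_out"] = sg_verdict(sg_out, reply, tracked)
    verdicts["nacl_out"] = nacl_verdict(nacl_out, reply)
    return verdicts


# Constructed rule sets. Security Group entries reuse the rule shape but the
# number is meaningless for them, since they are evaluated as a whole.
NACL_INBOUND = [
    {"number": 100, "proto": "tcp", "ports": (443, 443), "cidr": "0.0.0.0/0", "action": "allow"},
]
# Common mistake: the inbound rule mirrored outbound, so replies to the
# client's ephemeral port never match and the stateless ACL drops them.
NACL_OUTBOUND_MIRRORED = [
    {"number": 100, "proto": "tcp", "ports": (443, 443), "cidr": "0.0.0.0/0", "action": "allow"},
]
NACL_OUTBOUND_EPHEMERAL = [
    {"number": 100, "proto": "tcp", "ports": (1024, 65535), "cidr": "0.0.0.0/0", "action": "allow"},
]
# Ordering matters for ACLs: rule 100 denies one /24 before rule 200 allows all.
NACL_INBOUND_ORDERED = [
    {"number": 200, "proto": "tcp", "ports": (443, 443), "cidr": "0.0.0.0/0", "action": "allow"},
    {"number": 100, "proto": "tcp", "ports": (443, 443), "cidr": "203.0.113.0/24", "action": "deny"},
]
SG_INBOUND = [
    {"number": 0, "proto": "tcp", "ports": (443, 443), "cidr": "0.0.0.0/0", "action": "allow"},
]
SG_OUTBOUND = []  # deliberately empty: the reply still passes thanks to state tracking


if __name__ == "__main__":
    print("mirrored :", simulate_https(NACL_INBOUND, NACL_OUTBOUND_MIRRORED, SG_INBOUND, SG_OUTBOUND, "198.51.100.20"))
    print("ephemeral:", simulate_https(NACL_INBOUND, NACL_OUTBOUND_EPHEMERAL, SG_INBOUND, SG_OUTBOUND, "198.51.100.20"))
```

The first run ends with nacl_out = deny although both Security Group verdicts are allow, which is exactly the failure mode people hit when they treat ACL rules like Security Group rules.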
34. 08. Network
• VPC Peering
– Connect two VPCs in the same Region
– Non-overlapping IP space
– Bridged by routing table entries (both sides of peering relationship)
– Offer & Accept model
– Can be used for ‘shared services VPC’
(Diagram: two VPCs, 10.0.0.0/16 and 10.1.0.0/16, joined by a peer request from one side and a peer accept from the other)
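The address-planning advice on the previous slide and the non-overlap requirement for peering on this one are checkable before anything is provisioned. As an added example (not from the slides or from AWS) serving both slides, the script below uses the standard-library ipaddress module to carve per-VPC blocks out of an RFC1918 supernet, validate a plan for private space and overlaps, and derive the route entries both sides of a peering need. The VPC names, CIDRs and the peering connection id "pcx-EXAMPLE" are constructed placeholders.

```python
"""Check a multi-VPC address plan and derive the routes a peering needs.

Added example, not from the slides: the VPC names, CIDRs and the peering
connection id "pcx-EXAMPLE" are constructed placeholders.
"""
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def allocate_vpc_blocks(supernet, count, prefix=16):
    """Carve `count` equal blocks out of a supernet, e.g. one /16 per VPC,
    so new VPCs (and data centers) keep fitting the same scheme."""
    blocks = ipaddress.ip_network(supernet).subnets(new_prefix=prefix)
    return [str(next(blocks)) for _ in range(count)]


def check_vpc_plan(vpcs):
    """vpcs: {name: cidr}. Returns human-readable problems: malformed
    blocks, blocks outside RFC1918, and any pair of VPCs whose space
    overlaps (overlapping VPCs can never be peered)."""
    problems, nets = [], {}
    for name, cidr in vpcs.items():
        try:
            nets[name] = ipaddress.ip_network(cidr)  # strict: host bits must be zero
        except ValueError as err:
            problems.append(f"{name}: {err}")
            continue
        if not any(nets[name].subnet_of(private) for private in RFC1918):
            problems.append(f"{name} {cidr} is not RFC1918")
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    return problems


def peering_routes(vpcs, requester, accepter, peering_id="pcx-EXAMPLE"):
    """Route-table entries required on BOTH sides of a peering: each VPC
    needs a route to the other VPC's CIDR via the peering connection."""
    a = ipaddress.ip_network(vpcs[requester])
    b = ipaddress.ip_network(vpcs[accepter])
    if a.overlaps(b):
        raise ValueError(f"{requester} and {accepter} overlap; peering is not possible")
    return {requester: (str(b), peering_id), accepter: (str(a), peering_id)}


# Constructed plan with two deliberate mistakes.
SAMPLE_PLAN = {
    "prod": "10.0.0.0/16",
    "shared-services": "10.1.0.0/16",
    "dev": "10.0.128.0/17",   # mistakenly carved out of prod's block
    "lab": "100.64.0.0/16",   # carrier-grade NAT space, not RFC1918
}


if __name__ == "__main__":
    print(allocate_vpc_blocks("10.0.0.0/8", 3))
    for problem in check_vpc_plan(SAMPLE_PLAN):
        print("problem:", problem)
    print(peering_routes(SAMPLE_PLAN, "prod", "shared-services"))
```

Running the plan check as part of change review is cheap, and it is far easier than renumbering a VPC later because someone needs to peer it with a block it overlaps.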
36. 09. Tagging
• Tag Everything
– User-defined metadata
– 10 tags per resource
– Create tags relevant to you:
• Department
• Owner
• Cost Center
• Expiration Date
• Data Sensitivity
37. 09. Tagging
Carried through to billing reports…
• Cost Allocation Report
– Monthly granularity
– Product, tag key aggregation
• Detailed Billing Report w/ Resources and Tags
– Hourly granularity
– Grouped by resource
– Has tags
– Lots and lots of data!
Questions these reports answer: What is my cost by department? How do I do charge-backs?
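Once tags flow into the billing data, both the "tag everything" rule and the charge-back question can be answered from the report itself. The following is an added example (not from the slides or from AWS): it parses a constructed, heavily trimmed stand-in for the Detailed Billing Report with Resources and Tags (user tags appear as user:<Key> columns), lists every resource missing a required tag, and totals cost per Department, keeping untagged spend visible in its own bucket. The resource ids, costs and the required tag set are assumptions for the demo.

```python
"""Enforce 'tag everything' and answer 'what is my cost by department?'
from detailed billing rows. Added example, not from the slides: the CSV is
a constructed, trimmed stand-in for the Detailed Billing Report with
Resources and Tags; ids, costs and the required tag set are assumed.
"""
import csv
import io
from collections import defaultdict

REQUIRED_TAGS = ("Department", "Owner", "CostCenter")

SAMPLE_BILLING_CSV = """\
ResourceId,UsageType,Cost,user:Department,user:Owner,user:CostCenter
i-0aaa1111,BoxUsage:m3.large,12.50,Marketing,alice,CC100
i-0bbb2222,BoxUsage:m3.large,12.50,Engineering,bob,CC200
vol-0ccc3333,EBS:VolumeUsage,3.25,Engineering,,CC200
db-0ddd4444,InstanceUsage:db.m3.medium,20.00,,,
"""


def load_billing_rows(text):
    """Parse the report into dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def untagged_resources(rows, required=REQUIRED_TAGS):
    """Resources missing any required tag, with the tags they lack.
    These are the lines nobody can charge back."""
    missing = {}
    for row in rows:
        gaps = [tag for tag in required if not row.get(f"user:{tag}")]
        if gaps:
            missing[row["ResourceId"]] = gaps
    return missing


def cost_by_tag(rows, tag):
    """Total cost per value of one tag key; untagged spend is bucketed
    separately so it stays visible instead of silently disappearing."""
    totals = defaultdict(float)
    for row in rows:
        totals[row.get(f"user:{tag}") or "(untagged)"] += float(row["Cost"])
    return dict(totals)


if __name__ == "__main__":
    rows = load_billing_rows(SAMPLE_BILLING_CSV)
    print("missing tags:", untagged_resources(rows))
    print("cost by department:", cost_by_tag(rows, "Department"))
```

The "(untagged)" bucket is the number to watch: when it grows, the tagging rule is being bypassed, usually by resources created outside the automated path.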
39. 10. Automate
API Driven Infrastructure
(Diagram: every access path below goes through the same API)
• Command Line Interface (CLI) – Windows PowerShell, and Python on Linux
• Software Development Kits (SDK)
• REST API
• AWS Console (GUI)
40. 10. Automate
Rich set of APIs for your programming platform or language: Android, iOS, Java, nodeJS, .NET, PHP, Python, Ruby
and specialized cloud tools integrated in your development environment: Eclipse, Visual Studio, CLI, PowerShell
41. 10. Automate
Higher-level services (convenience) … Do it yourself (control)
Elastic Beanstalk – OpsWorks – CloudFormation – EC2
(Diagram: a spectrum from convenience on the left to control on the right)
Editor's Notes
Why have checklists?
- avoid surprises (both pleasant and unpleasant)
- the pain of having to undo things not done right in the beginning
- much easier in the cloud, but still better to do it right from the start
- facilitate changes in organizations - projects moving between groups or divisions
- makes it much easier to think about divesting (or acquiring) a business unit
Sidenote to check S3 policies also
Understand egress charge differences between each
VPN – quick and easy
AWS DirectConnect – scalable and predictable performance
None (Bastion Host) - isolation
Use cases – shared services – DNS, auth, logging
Facilitates chargeback
Automation via scripts
AWS Application Management Services
Objective – no human intervention
Your time is a measure of scalability
zero touch maintenance
Systematic deployments
AWS Elastic Beanstalk:
An easy-to-use solution for building web apps and web services with popular application containers such as Java, PHP, Python, Ruby and .NET
AWS OpsWorks:
is a powerful end-to-end solution that gives you an easy way to manage applications of nearly any scale and complexity without sacrificing control.
AWS CloudFormation:
A building block service that enables customers to provision and manage almost any AWS resource via a domain specific language
Next to these solutions you can of course manage your compute resources directly, for example using CloudWatch, Auto Scaling and Elastic Load Balancing. So it all comes down to the degree of convenience and control you need.