7 AWS Deadly Sins
The seven most common pitfalls (security, governance, architecture) I experienced after designing, reviewing and developing several AWS solutions
Bruno Amaro Almeida
AWS Community Summit Online UK, March 2021
Photo by Glen Carrie on Unsplash

Hello! About me
Bruno Amaro Almeida, Head of Technology & Architecture at Fortum; Advisor / Architect Consulting
💡 Areas of interest > Cloud, DevOps, Security, Data Engineering & AI
📚 Avid learner > 12x AWS, 2x Azure, 1x GCP
✍ Author > AWS Security Specialty course
brunoamaro.com
Reach out on: @bruno_amaro @brunoamaroalmeida

#1 New AWS accounts need love 💚
Three critical steps:
1. Enable MFA for the root account
2. Use AWS IAM
3. Enable AWS CloudTrail
@bruno_amaro

#2 Make cost management a priority
• Enable AWS Budgets & Billing Alarms
• Use AWS Cost Explorer (or similar)
• Cloud costs as part of the technology governance
• Give cost visibility to the development team
https://iamondemand.com/blog/how-to-get-the-most-out-of-the-aws-cost-management-tools/

#3 Lack of multi-account governance
• Ownership
• Limit incident blast radius
• Healthy service limits
• Set guardrails and a landing zone
• Define Service Control Policies
• Consolidated billing
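To make the "guardrails" and "Service Control Policies" bullets concrete, here is an added example (not from the talk) of a constructed SCP that protects CloudTrail and prevents member accounts from leaving the organization, plus a small evaluator that models the SCP part of AWS authorization: a matching Deny always wins, and an SCP never grants anything on its own, the identity policy inside the account still has to allow the action. The policy content, the statement Sids and the helper names are assumptions made for the illustration.

```python
"""Constructed Service Control Policy and a minimal evaluator (added example).

The SCP below is a sample, not one taken from the talk. The evaluator only
models the SCP layer: a Deny that matches the action wins, otherwise the action
must match an Allow statement (the AWS default SCP, FullAWSAccess, allows "*").
"""
from fnmatch import fnmatch

# Constructed guardrail SCP: attach it to an organizational unit so that no
# principal in a member account can turn off CloudTrail or leave the org,
# regardless of what the IAM policies inside that account allow.
GUARDRAIL_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ProtectCloudTrail",
            "Effect": "Deny",
            "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"],
            "Resource": "*",
        },
        {
            "Sid": "PreventLeavingOrganization",
            "Effect": "Deny",
            "Action": "organizations:LeaveOrganization",
            "Resource": "*",
        },
        # Equivalent of the default FullAWSAccess statement.
        {"Sid": "AllowEverythingElse", "Effect": "Allow", "Action": "*", "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM JSON allows a string or a list in Action; normalise to a list."""
    return value if isinstance(value, list) else [value]


def scp_permits(scp, action):
    """Return True if the SCP leaves `action` available to identities in the account.

    Order mirrors AWS evaluation: any matching Deny short-circuits to False;
    otherwise the action must be covered by at least one Allow statement.
    Wildcards in Action ("s3:*", "*") are matched with fnmatch.
    """
    allowed = False
    for stmt in scp["Statement"]:
        patterns = _as_list(stmt.get("Action", []))
        if any(fnmatch(action, pattern) for pattern in patterns):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def effective_decision(scp, identity_allows, action):
    """Combine the SCP with the account-level IAM decision.

    identity_allows: whether the IAM identity policy in the member account
    allows the action on its own. Both layers must permit it for a final allow;
    an SCP can only narrow, never widen, what the account can do.
    """
    return identity_allows and scp_permits(scp, action)


if __name__ == "__main__":
    for action in ("cloudtrail:StopLogging", "s3:GetObject", "organizations:LeaveOrganization"):
        print(action, "->", "allowed" if effective_decision(GUARDRAIL_SCP, True, action) else "denied")
```

The point of the evaluator is the asymmetry: `effective_decision` is True only when both the SCP and the identity policy agree, so an account administrator with `*:*` in IAM still cannot run `cloudtrail:StopLogging` under this SCP.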

#4 Missing Infrastructure as Code practices
• Re-deployable infrastructure
• Scalable
• Documented
• Maintainable
https://speaking.brunoamaro.com/yUeFUQ/deployment-automation-for-an-awsserverless-project-sam-vs-cloudformation-vs-terraform

#5 Not using IAM properly
• Users == humans or non-AWS resources
• Least privilege policies
• Avoid using inline and AWS managed policies
• Use AWS SSO > IAM Roles if possible
• Leverage AWS IAM Access Analyzer
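As an added example of what "least privilege policies" means in practice (this is not code from the talk, and it is far simpler than IAM Access Analyzer), the linter below walks an IAM policy document and flags the patterns that most often make a policy over-broad: `Action: "*"`, service-wide wildcards such as `s3:*`, `NotAction` in an Allow, and `Resource: "*"` on actions that are not read-only. The two sample policies, the bucket name and the read-only heuristic (treating `Describe*`, `List*` and `Get*` as safe to scope to `*`) are assumptions for the illustration.

```python
"""Least-privilege linter for IAM policy documents (added example, not from the talk)."""
from fnmatch import fnmatch

# Heuristic (an assumption of this example): action names starting with these
# prefixes are read-only and often have to be granted on Resource "*" because
# many of them do not support resource-level permissions.
READ_ONLY_PREFIXES = ("Describe", "List", "Get")


def _as_list(value):
    """IAM JSON allows a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _looks_read_only(action):
    name = action.split(":", 1)[-1]  # "s3:GetObject" -> "GetObject"; "*" stays "*"
    return name.startswith(READ_ONLY_PREFIXES)


def lint_policy(policy):
    """Return a list of (Sid, message) findings for Allow statements in `policy`."""
    findings = []
    for index, stmt in enumerate(policy.get("Statement", [])):
        sid = stmt.get("Sid", f"Statement[{index}]")
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; nothing to flag here
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append((sid, "NotAction/NotResource in an Allow grants everything not listed"))
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if any(a == "*" for a in actions):
            findings.append((sid, "Action '*' grants every API in every service"))
        elif any(a.endswith(":*") for a in actions):
            wide = ", ".join(a for a in actions if a.endswith(":*"))
            findings.append((sid, f"service-wide wildcard action(s): {wide}"))
        if any(fnmatch(a, "iam:*") and a != "iam:*" for a in actions) and "*" in resources:
            findings.append((sid, "IAM write actions on Resource '*' can modify any principal"))
        if "*" in resources and not all(_looks_read_only(a) for a in actions):
            findings.append((sid, "Resource '*' on actions that support resource-level permissions"))
    return findings


# Constructed sample 1: the kind of policy that gets copied from a tutorial.
OVERBROAD = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AdminLike", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "S3All", "Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    ],
}

# Constructed sample 2: the same workload scoped down to what it actually needs.
LEAST_PRIVILEGE = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadOneBucket",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [
                "arn:aws:s3:::example-app-bucket",    # hypothetical bucket name
                "arn:aws:s3:::example-app-bucket/*",
            ],
        },
        # ec2:DescribeInstances has no resource-level permissions, so "*" is expected.
        {"Sid": "DescribeOnly", "Effect": "Allow", "Action": "ec2:DescribeInstances", "Resource": "*"},
    ],
}


if __name__ == "__main__":
    for name, policy in (("OVERBROAD", OVERBROAD), ("LEAST_PRIVILEGE", LEAST_PRIVILEGE)):
        print(name)
        for sid, message in lint_policy(policy) or [("-", "no findings")]:
            print(f"  {sid}: {message}")
```

Run against the two samples, the over-broad policy produces four findings (two per statement) and the scoped-down policy produces none. A check like this belongs in the CI pipeline that deploys the IAM resources, next to the Infrastructure as Code from the previous point.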

#6 Encryption & Secrets
• Huge security impact
• Minimal cost impact (time and operational)
• Compliance
Photo by Jordan Hopkins on Unsplash

#7 Missing out on interesting data
Out-of-the-box data:
• AWS CloudTrail
• AWS VPC Flow Logs
• AWS ELB Access Logs
Use cases:
• Troubleshooting
• Auditing & Compliance
• Analytics
• SIEM
https://aws.amazon.com/guardduty/
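To tie the "auditing & compliance" and "SIEM" use cases back to the first sin (root MFA, CloudTrail enabled), here is an added example that is not part of the talk: two detection rules run over a constructed CloudTrail log file. One flags a successful root console login without MFA, the other flags API calls that stop, delete or reconfigure a trail. The sample records, the account id, the IP address and the trail name are all constructed values; the field names (`userIdentity.type`, `additionalEventData.MFAUsed`, `responseElements.ConsoleLogin`, `eventSource`, `eventName`) are the ones CloudTrail actually emits.

```python
"""Two CloudTrail detections over a constructed log file (added example, not from the talk)."""
import json

# Constructed CloudTrail log file in the {"Records": [...]} shape CloudTrail
# delivers to S3. Account id, ARNs, IP address and trail name are made up.
SAMPLE_LOG = json.dumps({
    "Records": [
        {   # root user logs into the console without MFA: should alert
            "eventVersion": "1.08",
            "userIdentity": {"type": "Root", "principalId": "123456789012",
                             "arn": "arn:aws:iam::123456789012:root", "accountId": "123456789012"},
            "eventTime": "2021-03-10T08:15:02Z", "eventSource": "signin.amazonaws.com",
            "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.23",
            "responseElements": {"ConsoleLogin": "Success"},
            "additionalEventData": {"MFAUsed": "No", "LoginTo": "https://console.aws.amazon.com/"},
        },
        {   # IAM user logs in with MFA: benign
            "eventVersion": "1.08",
            "userIdentity": {"type": "IAMUser", "userName": "alice",
                             "arn": "arn:aws:iam::123456789012:user/alice", "accountId": "123456789012"},
            "eventTime": "2021-03-10T08:20:44Z", "eventSource": "signin.amazonaws.com",
            "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.40",
            "responseElements": {"ConsoleLogin": "Success"},
            "additionalEventData": {"MFAUsed": "Yes"},
        },
        {   # someone turns off the organisation trail: should alert
            "eventVersion": "1.08",
            "userIdentity": {"type": "IAMUser", "userName": "alice",
                             "arn": "arn:aws:iam::123456789012:user/alice", "accountId": "123456789012"},
            "eventTime": "2021-03-10T09:02:11Z", "eventSource": "cloudtrail.amazonaws.com",
            "eventName": "StopLogging", "awsRegion": "eu-north-1", "sourceIPAddress": "198.51.100.40",
            "requestParameters": {"name": "arn:aws:cloudtrail:eu-north-1:123456789012:trail/org-trail"},
        },
        {   # ordinary read call: benign
            "eventVersion": "1.08",
            "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/deploy/ci"},
            "eventTime": "2021-03-10T09:05:00Z", "eventSource": "ec2.amazonaws.com",
            "eventName": "DescribeInstances", "awsRegion": "eu-north-1", "sourceIPAddress": "198.51.100.40",
        },
    ]
})

# API calls that reduce or remove CloudTrail coverage.
TRAIL_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def detect(records):
    """Return a list of (rule, eventTime, detail) alerts for the given CloudTrail records."""
    alerts = []
    for record in records:
        identity = record.get("userIdentity", {})
        if record.get("eventName") == "ConsoleLogin":
            mfa_used = record.get("additionalEventData", {}).get("MFAUsed", "No")
            success = record.get("responseElements", {}).get("ConsoleLogin") == "Success"
            if identity.get("type") == "Root" and success and mfa_used != "Yes":
                alerts.append(("ROOT_LOGIN_NO_MFA", record["eventTime"], record.get("sourceIPAddress")))
        if record.get("eventSource") == "cloudtrail.amazonaws.com" and record.get("eventName") in TRAIL_TAMPER_EVENTS:
            detail = f'{record["eventName"]} by {identity.get("arn")}'
            alerts.append(("CLOUDTRAIL_TAMPER", record["eventTime"], detail))
    return alerts


def scan_log_file(text):
    """Parse one CloudTrail log file (as delivered to S3, gunzipped) and run the detections."""
    return detect(json.loads(text)["Records"])


if __name__ == "__main__":
    for rule, when, detail in scan_log_file(SAMPLE_LOG):
        print(f"{when} {rule}: {detail}")
```

The same two rules are a good first test of a SIEM ingestion pipeline: if the root-login alert never fires when you deliberately sign in as root without MFA in a sandbox account, the data is not reaching the SIEM, which is exactly the "missing out on interesting data" sin.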

Well-Architected Framework
• Five core pillars
• Additional lenses: Serverless, Machine Learning, Analytics, IoT, …
https://aws.amazon.com/architecture/well-architected/

Thanks! Questions? Feedback?
Bruno Amaro Almeida, Head of Technology & Architecture
brunoamaro.com
Reach out on: @bruno_amaro @brunoamaroalmeida