7 AWS Deadly Sins

A presentation at AWS Berlin UG in April 2022 by Bruno Amaro Almeida

Slide 1

7 AWS Deadly Sins
The seven most common pitfalls - security, governance, architecture - I experienced after designing, reviewing and developing several AWS solutions
Bruno Amaro Almeida, AWS UG Berlin, April 2022
Photo by Glen Carrie on Unsplash

Slide 2

Hello! About me
Bruno Amaro Almeida, Head of Technology & Architecture at Fortum
Independent Consultant in Cloud, Security and Data
brunoamaro.com
Reach out on: @bruno_amaro @brunoamaroalmeida

Slide 3

#1 New AWS accounts need love 💚
Three critical steps:
1. Enable MFA for the root account
2. Use AWS IAM
3. Enable AWS CloudTrail
@bruno_amaro

Slide 4

#2 Make cost management a priority
• Enable AWS Budgets & billing alarms
• Use AWS Cost Explorer (or similar)
• Make cloud costs part of the technology governance
• Give cost visibility to the development team
https://iamondemand.com/blog/how-to-get-the-most-out-of-the-aws-cost-management-tools/

Slide 5

#3 Lack of multi-account governance
• Ownership
• Limit incident blast radius
• Healthy service limits
• Set guardrails and a landing zone
• Define Service Control Policies
• Consolidated billing

Slide 6

#4 Missing Infrastructure as Code practices
• Re-deployable infrastructure
• Scalable
• Documented
• Maintainable
https://speaking.brunoamaro.com/yUeFUQ/deployment-automation-for-an-awsserverless-project-sam-vs-cloudformation-vs-terraform

Slide 7

#5 Not using IAM properly
• Users == humans or non-AWS resources
• Least-privilege policies
• Avoid using inline and AWS managed policies
• Prefer AWS SSO over IAM roles where possible
• Leverage AWS IAM Access Analyzer
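An added example (not from the talk) of what "least-privilege policies" means in practice: an offline check over an IAM policy document that flags Allow statements granting wildcard actions on every resource, the kind of finding IAM Access Analyzer reports. The sample policy is constructed for this example.

```python
import json
from typing import Any, Dict, List

# Constructed sample policy for this example (not from the talk): statement 0
# is over-broad, statement 1 is scoped, statement 2 is broad but MFA-gated.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-app-bucket/*"},
        {"Effect": "Allow", "Action": ["iam:*", "sts:AssumeRole"],
         "Resource": "*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    ],
})


def _as_list(value: Any) -> list:
    """Statement/Action/Resource may be a single string/object or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_overbroad_statements(policy_json: str) -> List[Dict]:
    """Flag Allow statements granting wildcard actions on every resource.

    Wildcard means Action '*' or 'service:*', or any NotAction (which allows
    everything not listed). A Condition narrows the grant, so conditioned
    statements are reported as medium rather than high severity.
    """
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        wild = [a for a in _as_list(stmt.get("Action"))
                if a == "*" or a.endswith(":*")]
        if "NotAction" in stmt:
            wild.append("NotAction")
        if wild and "*" in _as_list(stmt.get("Resource")):
            findings.append({
                "statement": idx,
                "actions": wild,
                "severity": "medium" if "Condition" in stmt else "high",
            })
    return findings


if __name__ == "__main__":
    for f in find_overbroad_statements(SAMPLE_POLICY):
        print(f"statement {f['statement']}: {f['severity']} - {f['actions']}")
```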

Slide 8

#6 Encryption & secrets
• Big impact on increasing security
• Minimal cost impact (time and operational)
• Compliance
Photo by Jordan Hopkins on Unsplash

Slide 9

#7 Missing out on interesting data
Out-of-the-box data:
• AWS CloudTrail
• AWS VPC Flow Logs
• AWS ELB Access Logs
Use cases:
• Troubleshooting
• Auditing & compliance
• Analytics
• SIEM
https://aws.amazon.com/guardduty/

Slide 10

Well-Architected Framework
https://aws.amazon.com/architecture/well-architected/

Slide 11

Thanks! Questions? Feedback?
Bruno Amaro Almeida, Head of Technology & Architecture
brunoamaro.com
Reach out on: @bruno_amaro @brunoamaroalmeida