Whether it's your first day on AWS or your are far along the journey, this webcast discusses 10 'must know' best practices and tips to set your account structure up to maximize scalability, governance, audit and security.

1. AWS Account, Spend, and
Audit Best Practices
Ed Lee
Saradhi Sreegiriraju
Feb 23 2017 @ 10:05 PST
VOIP or Dial-in (see chat)
Questions? Hit the GTW chat or @applatix

2. Who are we?
Ed Lee
Founder & CTO
Saradhi Sreegiriraju
Founder & CPO
February 23, 2017 2AWS Account, Spend, and Audit Best Practices

3. Agenda
• AWS account & user management
• Spend monitoring & analysis
• Audit & governance
February 23, 2017 3AWS Account, Spend, and Audit Best Practices

4. AWS Account Management

5. AWS account structure
February 23, 2017 5AWS Account, Spend, and Audit Best Practices
AWS “Main”
account
“Root User” for main account

6. First things first – protect ‘Root User’ account
• Root User Account is the most important account
Cannot be deleted
Access cannot be limited using roles
• Best Practices
Activate MFA for the Root User account
Do not create access keys for the Root User account
Don’t use your Root User account unless specifically needed
oInstead, create separate admin user accounts
February 23, 2017 6AWS Account, Spend, and Audit Best Practices

7. Secure your “Main” AWS account
• Restrict use of the “Main” AWS account
 Use it primarily for user management, consolidated billing and
access control
 Activate MFA for all user accounts with any significant privilege
February 23, 2017 7AWS Account, Spend, and Audit Best Practices

8. Use ”sub” accounts for actual work
February 23, 2017 8AWS Account, Spend, and Audit Best Practices
AWS “dev”
account
“Root User” for dev account
AWS “qa”
account
“Root User” for qa account
AWS “prod”
account
“Root User” for prod account
AWS “Main”
account
“Root User” for main account

9. AWS Identity & Access Management (IAM)
February 23, 2017 9AWS Account, Spend, and Audit Best Practices
IAM Users Groups Policies
Roles Policies
Policies Roles
“Assume”

10. Mapping IAM Users, Groups, and Policies
February 23, 2017 10AWS Account, Spend, and Audit Best Practices
AWS “dev”
account
“Root User” for dev account
AWS “qa”
account
“Root User” for qa account
AWS “prod”
account
“Root User” for prod account
User Group Policy
Mary Kome admin dev-admin
Bob Adams admin prod-admin
Joe Smith quality qa-user
IAM Users, Groups, and Policies
Define all IAM Users in “Main” account
AWS “Main”
account
“Root User” for main account

11. User Group Policy
Mary Kome admin dev-admin
Bob Adams admin prod-admin
Joe Smith quality qa-admin
Mapping IAM Users, Groups, and Policies
February 23, 2017 11AWS Account, Spend, and Audit Best Practices
AWS “dev”
account
“Root User” for dev account
AWS “qa”
account
“Root User” for qa account
AWS “prod”
account
“Root User” for prod accountRoles
dev-admin-role Roles
prod-admin-role
Define all IAM Users in “Main” account
AWS “Main”
account
“Root User” for main account
IAM Users, Groups, and Policies

12. AWS console access to sub accounts
• Create policies to grant access to sub accounts from main
account
Example policy to allow cross-account role switching from main account
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::xxx-account1-xxx:role/dev-role"
}
}
February 23, 2017 12AWS Account, Spend, and Audit Best Practices

13. AWS console access to sub accounts
• Users log into main account and then
“switch” to sub accounts where they
do their actual work
• Require MFA to switch roles (a good
way to force users to use MFA)
• Use policies to govern which users can
switch to which accounts
February 23, 2017 13AWS Account, Spend, and Audit Best Practices

14. API access to sub accounts
• Create access keys only for main user accounts
• Control API access to sub AWS accounts using roles and policies
• Use policies to govern which users can make API calls to which AWS
accounts using which roles
• Specify an external_id => role cannot be used from the console
[profile dev-account]
source_profile = main-account
role_arn = arn:aws:iam::<xxx>-dev-account-id-<xxx>:role/dev-api-access
external_id = <yyy>
February 23, 2017 14AWS Account, Spend, and Audit Best Practices

15. Not so good alternatives
• One account for everything
 Lack of project-level visibility and accountability
 Lack of isolation between projects
oProjects members will be stepping on each other’s toes
oSome important AWS resource limits are per account and cannot be
increased
• Every user has a user account & access key on every account
 Impossible to keep track of who has access to what
 Greater likelihood a user will “leak” or lose track of their
passwords or access keys
February 23, 2017 15AWS Account, Spend, and Audit Best Practices

16. User Group Policy
Mary Kome admin dev-admin
Bob Adams admin prod-admin
Joe Smith quality qa-admin
In summary
February 23, 2017 16AWS Account, Spend, and Audit Best Practices
AWS “dev”
account
“Root User” for dev account
AWS “qa”
account
“Root User” for qa account
AWS “prod”
account
“Root User” for prod accountRoles
dev-admin-role Roles
prod-admin-role
Define all IAM Users in “Main” account
AWS “Main”
account
“Root User” for main account
IAM Users, Groups, and Policies

17. Spend Monitoring & Analysis

18. Monitor your spending
• Regularly monitor spending and investigate changes in
spending
• Use AWS Cost Explorer (or third party applications/services)
 It’s free!
 Provides useful information related to Reserved Instances
 Does not provide hourly granularity
 Does not break out enough items
 Limited usefulness in categorizing spending
February 23, 2017 18AWS Account, Spend, and Audit Best Practices

19. Example AWS cost explorer report
February 23, 2017 19AWS Account, Spend, and Audit Best Practices

20. Enable AWS cost and usage reports
• Enable consolidated billing report on main account
 Choose hourly granularity
 Enable resource ids (useful for analyzing RI usage)
February 23, 2017 20AWS Account, Spend, and Audit Best Practices

21. Enable AWS cost and usage reports
February 23, 2017 21AWS Account, Spend, and Audit Best Practices

22. Use the new AWS cost and usage reports
• Two types of billing report formats
Detailed billing reports – old format
AWS cost & usage reports – new format
Mainly differ in how RI usage is reported
• Best practice: AWS recommends using the new format
February 23, 2017 22AWS Account, Spend, and Audit Best Practices

23. Tag your resources
• Choose a scheme for tagging your resources
User, project, application etc.
• Enable the tags you want in your billing reports
• Allows you to group spending by tags
Very useful for analyzing and allocating costs
• Challenge is to systematically tag your resources
Automation may be required
February 23, 2017 24AWS Account, Spend, and Audit Best Practices

24. Limitations of AWS billing reports
• Even at hourly granularity, report is generated twice a day
• 2-3 day delay for the last day of the month
• Daily S3 usage is attributed to a particular hour in the day
• The upfront payments for RIs are not amortized
February 23, 2017 25AWS Account, Spend, and Audit Best Practices

25. Claudia – Free AWS cost management
February 23, 2017 26AWS Account, Spend, and Audit Best Practices

26. Application granular resource usage metrics
February 23, 2017 27AWS Account, Spend, and Audit Best Practices

27. Audit & Governance

28. Enable logs for Audit and Governance
• Enable Cloud Trail on all accounts (including sub-accounts)
 Who did what when
 Also very useful when you hit API call limits
February 23, 2017 29AWS Account, Spend, and Audit Best Practices

29. Use roles instead of access keys
• Keys can be leaked, roles cannot
• Keys can be unknowingly shared
• Roles can be revoked more easily
• If you must use keys
 Grant the minimum required permissions
 Do not share keys
 Use a separate key per user/entity
oBetter audit trail
oEasier to revoke
February 23, 2017 30AWS Account, Spend, and Audit Best Practices

30. Create a network map early
• Helps you access your AWS infrastructure using private IP
addresses
• Create a CIDR map and avoid overlapping network addresses
for subnets that you want to route to
 Having this in place early will save you time and effort later
• VPC peering is a convenient way to route between accounts
 Management can be difficult
 VPCs must be in the same region
February 23, 2017 32AWS Account, Spend, and Audit Best Practices

31. Regularly check for security exposures
• Security groups open to the Internet
 E.g. Ports open to 0.0.0.0/0
• Log incoming connections
 Useful for analyzing potential threats and for forensics in the event of a break in
• Log outgoing connections
 Useful for detecting a break in
 A compromised instance is often used to attack other systems (DDoS, port scans)
• Use software for regular vulnerability scanning & testing
 Often requires pre-approval from AWS
• Carefully design and configure any Internet facing services
February 23, 2017 33AWS Account, Spend, and Audit Best Practices

32. Key Takeaways
• Setting up proper account management is critical
• Enable consolidated billing and reporting for tracking use
• Create network maps from the get go and keep them updated
• Enable audit logging and regularly perform security checks
February 23, 2017 34AWS Account, Spend, and Audit Best Practices

33. Thank you!
• For more resources see http://applatix.com/resources
• Feedback? Questions? info@applatix.com or @applatix
• Our next Webinar
 March 16th, 2017
 Cloud Management and Spend Analysis
February 23, 2017 35AWS Account, Spend, and Audit Best Practices

34. Thank you