Whether it's your first day on AWS or you are far along the journey, this webcast discusses 10 'must know' best practices and tips for setting up your account structure to maximize scalability, governance, audit, and security.
Webcast: AWS account setup tips for audit, governance, and security
1. AWS Account, Spend, and Audit Best Practices
Ed Lee
Saradhi Sreegiriraju
Feb 23 2017 @ 10:05 PST
VOIP or Dial-in (see chat)
Questions? Hit the GTW chat or @applatix
2. Who are we?
Ed Lee
Founder & CTO
Saradhi Sreegiriraju
Founder & CPO
February 23, 2017 (slide 2) AWS Account, Spend, and Audit Best Practices
3. Agenda
• AWS account & user management
• Spend monitoring & analysis
• Audit & governance
5. AWS account structure
Diagram: a single AWS “Main” account, owned by the “Root User” for the main account.
6. First things first – protect the ‘Root User’ account
• The Root User is the most privileged identity in the account
It cannot be deleted
Its access cannot be limited with IAM policies or roles
• Best practices
Activate MFA for the Root User
Do not create access keys for the Root User
Don’t use the Root User unless a task specifically requires it
o Instead, create separate IAM admin users for day-to-day administration
7. Secure your “Main” AWS account
• Restrict use of the “Main” AWS account
Use it primarily for user management, consolidated billing and access control
Activate MFA for all user accounts with any significant privilege
8. Use “sub” accounts for actual work
Diagram: the AWS “Main” account (with its own “Root User”) alongside separate AWS “dev”, “qa” and “prod” sub accounts, each with its own “Root User”.
9. AWS Identity & Access Management (IAM)
Diagram: IAM Users are collected into Groups; Policies attach to Users, Groups and Roles; a User (or another Role) can “Assume” a Role, which carries its own Policies.
10. Mapping IAM Users, Groups, and Policies
Define all IAM Users in the “Main” account
User       Group     Policy
Mary Kome  admin     dev-admin
Bob Adams  admin     prod-admin
Joe Smith  quality   qa-user
Diagram: the users, groups and policies above live in the AWS “Main” account (with its “Root User”); the AWS “dev”, “qa” and “prod” sub accounts, each with its own “Root User”, sit alongside it.
11. Mapping IAM Users, Groups, and Policies
Define all IAM Users in the “Main” account
User       Group     Policy
Mary Kome  admin     dev-admin
Bob Adams  admin     prod-admin
Joe Smith  quality   qa-admin
Diagram: the users, groups and policies above live in the AWS “Main” account; dev-admin-role in the “dev” account and prod-admin-role in the “prod” account are the Roles those policies let users assume. Each sub account (“dev”, “qa”, “prod”) still has its own “Root User”.
12. AWS console access to sub accounts
• In the main account, create policies that grant access to sub accounts
Example policy, attached to a user or group in the main account, allowing cross-account role switching into a sub account (the role in the sub account must in turn trust the main account in its trust policy)
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::xxx-account1-xxx:role/dev-role"
  }
}
13. AWS console access to sub accounts
• Users log into the main account and then “switch role” into the sub accounts, where they do their actual work
• Require MFA to switch roles (a condition on aws:MultiFactorAuthPresent in the role’s trust policy; a good way to force users to use MFA)
• Use policies to govern which users can switch to which accounts
14. API access to sub accounts
• Create access keys only for users in the main account
• Control API access to sub AWS accounts using roles and policies
• Use policies to govern which users can make API calls to which AWS accounts using which roles
• Require an external ID (sts:ExternalId) in the role’s trust policy: the console’s switch-role flow cannot supply one, so the role can only be used through the API
Example ~/.aws/config profile: the CLI uses the main-account keys held in source_profile to assume the sub-account role
[profile dev-account]
source_profile = main-account
role_arn = arn:aws:iam::<xxx>-dev-account-id-<xxx>:role/dev-api-access
external_id = <yyy>
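The three documents slides 12 to 14 describe (the main-account permission policy, the sub-account role's trust policy with its MFA or external-ID condition, and the CLI profile), generated and checked in one place. This is an added example, not code from the webcast; the account IDs, role names and external ID are hypothetical placeholders, and the audit function is a review aid of the editor's own, not an AWS API.

```python
"""Policy pair for cross-account access from the Main account (slides 12-14).

Added example; not code from the webcast. Account IDs, role names and the
external ID are hypothetical placeholders."""
import json

MAIN_ACCOUNT_ID = "111111111111"    # hypothetical "Main" account
DEV_ACCOUNT_ID = "222222222222"     # hypothetical "dev" sub account
CONSOLE_ROLE = "dev-admin-role"     # switched to in the console, MFA required
API_ROLE = "dev-api-access"         # CLI/API only, external ID required
EXTERNAL_ID = "7f3c0d1e-example"    # hypothetical; handle like a shared secret


def role_arn(account_id, role_name):
    return f"arn:aws:iam::{account_id}:role/{role_name}"


def assume_role_permission_policy(account_id, *role_names):
    """Identity policy for a user or group in the Main account: it lists exactly
    which sub-account roles the members may assume (slide 12)."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                           "Resource": [role_arn(account_id, r) for r in role_names]}]}


def trust_policy(main_account_id, require_mfa=False, external_id=None):
    """Trust policy on the role in the sub account. Trusting the Main account's
    root principal delegates the 'who' decision to the Main account's policies.

    require_mfa: aws:MultiFactorAuthPresent must be true (slide 13).
    external_id: sts:ExternalId must match; the console switch-role flow cannot
                 send one, so the role becomes API-only (slide 14).
    Plain Bool/StringEquals (not ...IfExists) are used on purpose: a request
    without the key fails the condition instead of silently passing."""
    statement = {"Effect": "Allow",
                 "Principal": {"AWS": f"arn:aws:iam::{main_account_id}:root"},
                 "Action": "sts:AssumeRole"}
    condition = {}
    if require_mfa:
        condition["Bool"] = {"aws:MultiFactorAuthPresent": "true"}
    if external_id is not None:
        condition["StringEquals"] = {"sts:ExternalId": external_id}
    if condition:
        statement["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [statement]}


def audit_trust_policy(policy):
    """What a trust policy actually requires: the questions to ask when
    reviewing the roles that exist in a sub account."""
    principals, requires_mfa, requires_ext = [], False, False
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        p = st.get("Principal", {}).get("AWS", [])
        principals += [p] if isinstance(p, str) else list(p)
        cond = st.get("Condition", {})
        requires_mfa |= cond.get("Bool", {}).get("aws:MultiFactorAuthPresent") == "true"
        requires_ext |= "sts:ExternalId" in cond.get("StringEquals", {})
    return {"principals": principals, "requires_mfa": requires_mfa,
            "requires_external_id": requires_ext,
            "wildcard_principal": "*" in principals}


def cli_profile(profile, source_profile, account_id, role_name, external_id=None):
    """~/.aws/config fragment: the CLI assumes the sub-account role with the
    Main-account keys held in source_profile (slide 14)."""
    lines = [f"[profile {profile}]", f"source_profile = {source_profile}",
             f"role_arn = {role_arn(account_id, role_name)}"]
    if external_id is not None:
        lines.append(f"external_id = {external_id}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(json.dumps(assume_role_permission_policy(DEV_ACCOUNT_ID, CONSOLE_ROLE, API_ROLE), indent=2))
    print(json.dumps(trust_policy(MAIN_ACCOUNT_ID, require_mfa=True), indent=2))
    print(json.dumps(trust_policy(MAIN_ACCOUNT_ID, external_id=EXTERNAL_ID), indent=2))
    print(cli_profile("dev-account", "main-account", DEV_ACCOUNT_ID, API_ROLE, EXTERNAL_ID))
```

The two sub-account roles get different trust policies on purpose: the console role demands MFA, the API role demands the external ID, so neither can be used through the other path. Running `audit_trust_policy` over every role in a sub account is a quick way to catch a role that trusts `*` or that carries neither condition.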
15. Not so good alternatives
• One account for everything
Lack of project-level visibility and accountability
Lack of isolation between projects
o Project members will be stepping on each other’s toes
o Some important AWS resource limits are per account and cannot be increased
• Every user has a user account and access key on every account
Impossible to keep track of who has access to what
Greater likelihood that a user will leak or lose track of their passwords or access keys
16. In summary
User       Group     Policy
Mary Kome  admin     dev-admin
Bob Adams  admin     prod-admin
Joe Smith  quality   qa-admin
Diagram (as on slide 11): all IAM Users, Groups and Policies are defined in the “Main” account; the policies let users assume dev-admin-role in the “dev” account and prod-admin-role in the “prod” account; the “dev”, “qa” and “prod” sub accounts each keep their own “Root User”.
18. Monitor your spending
• Regularly monitor spending and investigate changes in spending
• Use AWS Cost Explorer (or third-party applications/services)
It’s free!
Provides useful information related to Reserved Instances (RIs)
Does not provide hourly granularity
Does not break out enough line items
Limited usefulness in categorizing spending
19. Example AWS cost explorer report
20. Enable AWS cost and usage reports
• Enable the consolidated billing report on the main account
Choose hourly granularity
Enable resource IDs (useful for analyzing RI usage)
21. Enable AWS cost and usage reports
22. Use the new AWS cost and usage reports
• Two billing report formats
Detailed billing reports – old format
AWS Cost & Usage Reports – new format
They mainly differ in how RI usage is reported
• Best practice: use the new format, as AWS recommends
23. Tag your resources
• Choose a scheme for tagging your resources
User, project, application, etc.
• Enable the tags you want as columns in your billing reports
• Lets you group spending by tag
Very useful for analyzing and allocating costs
• The challenge is to tag your resources systematically
Automation may be required
24. Limitations of AWS billing reports
• Even at hourly granularity, the report is generated only twice a day
• 2–3 day delay for the last day of the month
• Daily S3 usage is attributed to a single hour of the day
• Upfront payments for RIs are not amortized
25. Claudia – Free AWS cost management
28. Enable logs for audit and governance
• Enable CloudTrail on all accounts (including sub accounts)
Who did what, when
Also very useful when you hit API call limits: the trail shows which caller is making the calls
29. Use roles instead of access keys
• Long-lived keys can be leaked; role credentials are temporary and expire
• Keys can be unknowingly shared
• Roles can be revoked more easily
• If you must use keys
Grant the minimum required permissions
Do not share keys
Use a separate key per user/entity
o Better audit trail
o Easier to revoke
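Slides 28 and 29 say what CloudTrail is for but not what to look for in it. The following detection rules, an added example rather than anything from the webcast, run over a handful of constructed records in CloudTrail's JSON shape (hypothetical account IDs, ARNs and addresses) and flag the things the earlier slides forbid: root-user activity, console logins without MFA, and users or keys created directly in a sub account, while keeping cross-account AssumeRole events as the audit trail of who went where.

```python
"""Detection rules over CloudTrail records, for the audit points on slides 28
and 29. Added example, not the webcast's code. SAMPLE_EVENTS is constructed
in CloudTrail's record shape; account IDs, ARNs and addresses are hypothetical."""
from collections import Counter

MAIN_ACCOUNT = "111111111111"
SUB_ACCOUNTS = {"222222222222", "333333333333", "444444444444"}   # dev, qa, prod

SAMPLE_EVENTS = [
    {"eventTime": "2017-02-23T18:05:11Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "recipientAccountId": "111111111111",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111111111111:root",
                      "accountId": "111111111111"},
     "sourceIPAddress": "203.0.113.10",
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2017-02-23T18:07:40Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "recipientAccountId": "111111111111",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111111111111:root",
                      "accountId": "111111111111"},
     "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2017-02-23T19:01:02Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "recipientAccountId": "111111111111",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/bob",
                      "accountId": "111111111111"},
     "sourceIPAddress": "198.51.100.7",
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2017-02-23T19:03:15Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole", "recipientAccountId": "222222222222",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/mary",
                      "accountId": "111111111111", "accessKeyId": "AKIAEXAMPLE0000001"},
     "sourceIPAddress": "198.51.100.9",
     "requestParameters": {"roleArn": "arn:aws:iam::222222222222:role/dev-api-access"}},
    {"eventTime": "2017-02-23T19:10:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "recipientAccountId": "222222222222",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::222222222222:user/local-admin",
                      "accountId": "222222222222"},
     "sourceIPAddress": "198.51.100.9",
     "requestParameters": {"userName": "svc-build"}},
]


def who(ev):
    ident = ev.get("userIdentity", {})
    return ident.get("arn") or ident.get("type", "unknown")


def detect(events, sub_accounts=SUB_ACCOUNTS):
    """Return one finding per rule hit: rule, severity, time, actor, source IP."""
    findings = []

    def add(rule, sev, ev, detail=""):
        findings.append({"rule": rule, "severity": sev, "time": ev["eventTime"],
                         "who": who(ev), "ip": ev.get("sourceIPAddress"), "detail": detail})

    for ev in events:
        ident = ev.get("userIdentity", {})
        name = ev.get("eventName")
        account = ev.get("recipientAccountId") or ident.get("accountId")

        # Slide 6: the root user should almost never be used; a key for it is worse.
        if ident.get("type") == "Root":
            add("root-activity", "high", ev, name)
            if name == "CreateAccessKey":
                add("root-access-key-created", "critical", ev, "delete the key")

        # Slides 7 and 13: successful interactive logins without MFA.
        if (name == "ConsoleLogin"
                and ev.get("responseElements", {}).get("ConsoleLogin") == "Success"
                and ev.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
            add("console-login-without-mfa", "high", ev)

        # Slide 8: no users or access keys on sub accounts; access only via roles.
        if (ev.get("eventSource") == "iam.amazonaws.com"
                and name in {"CreateUser", "CreateAccessKey", "CreateLoginProfile"}
                and account in sub_accounts):
            add("iam-principal-created-in-sub-account", "high", ev, f"{name} in {account}")

        # Slides 12-14: the expected path; keep it as the record of who went where.
        if name == "AssumeRole" and ev.get("eventSource") == "sts.amazonaws.com":
            add("cross-account-assume-role", "info", ev,
                ev.get("requestParameters", {}).get("roleArn", ""))
    return findings


def summarize(findings):
    return Counter(f["rule"] for f in findings)
```

The rules read `recipientAccountId` to decide which account an action landed in, which is what matters for the "no local users in sub accounts" check; the caller's `userIdentity.accountId` is only a fallback. Wire the same functions to the S3 bucket CloudTrail writes to (one JSON file per delivery, records under the `Records` key) to run them against real trails.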
30. Create a network map early
• Helps you access your AWS infrastructure using private IP addresses
• Create a CIDR map and avoid overlapping network addresses for subnets that you want to route to
Having this in place early will save you time and effort later
• VPC peering is a convenient way to route between accounts
Management can be difficult
Peered VPCs must not have overlapping CIDRs
VPCs must be in the same region (true when this webcast was given in February 2017; AWS has since added inter-region peering)
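A CIDR map is only useful if it is checked. The script below, an added example and not part of the webcast, keeps a constructed, hypothetical plan of one /16 per VPC across the main and sub accounts, reports every overlapping pair (which can neither be peered nor routed privately) and hands out the next free block so new accounts do not collide with existing ones.

```python
"""CIDR map check for the multi-account network plan (slide 30).

Added example, not the webcast's code. CIDR_PLAN is a constructed,
hypothetical allocation keyed account/region/vpc, one /16 per VPC."""
import ipaddress
from itertools import combinations

CIDR_PLAN = {
    "main/us-west-2/vpc-main": "10.0.0.0/16",
    "dev/us-west-2/vpc-dev": "10.1.0.0/16",
    "qa/us-west-2/vpc-qa": "10.2.0.0/16",
    "prod/us-west-2/vpc-prod": "10.3.0.0/16",
    "prod/us-east-1/vpc-prod-dr": "10.1.0.0/16",   # copied from dev: overlaps, cannot peer with dev
}


def parse_plan(plan):
    """strict=True rejects host bits in a network address (e.g. 10.1.5.0/16),
    the typo that most often hides an unintended overlap."""
    return {name: ipaddress.ip_network(cidr, strict=True) for name, cidr in plan.items()}


def find_overlaps(plan):
    """Every pair of VPCs whose ranges overlap; such a pair cannot be peered or
    reach each other over private addresses."""
    nets = parse_plan(plan)
    return sorted((a, b) for a, b in combinations(sorted(nets), 2)
                  if nets[a].overlaps(nets[b]))


def can_peer(plan, a, b):
    nets = parse_plan(plan)
    return not nets[a].overlaps(nets[b])


def next_free_block(plan, supernet="10.0.0.0/8", prefixlen=16):
    """Allocate the next block of the given size inside the supernet that
    overlaps nothing already in the plan."""
    used = list(parse_plan(plan).values())
    for cand in ipaddress.ip_network(supernet).subnets(new_prefix=prefixlen):
        if not any(cand.overlaps(u) for u in used):
            return str(cand)
    raise ValueError(f"no free /{prefixlen} left in {supernet}")


if __name__ == "__main__":
    for a, b in find_overlaps(CIDR_PLAN):
        print(f"OVERLAP: {a} and {b} ({CIDR_PLAN[a]} / {CIDR_PLAN[b]})")
    print("next free /16:", next_free_block(CIDR_PLAN))
```

Keeping the plan in a file under version control and running `find_overlaps` in CI turns the slide's "keep it updated" advice into a check that fails before a VPC is created with a conflicting range.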
31. Regularly check for security exposures
• Security groups open to the Internet
E.g. ports open to 0.0.0.0/0
• Log incoming connections
Useful for analyzing potential threats and for forensics in the event of a break-in
• Log outgoing connections
Useful for detecting a break-in
A compromised instance is often used to attack other systems (DDoS, port scans)
• Use software for regular vulnerability scanning and testing
Often requires pre-approval from AWS (the policy at the time of the webcast; AWS has since dropped the pre-approval requirement for a list of its services)
• Carefully design and configure any Internet-facing services
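The first bullet on this slide, as a check you can run on a schedule. This is an added example, not code from the webcast: the sample groups are constructed in the shape that `aws ec2 describe-security-groups` returns (hypothetical group IDs), and the list of ports you intend to expose is an assumption you would set per environment. Everything else reachable from 0.0.0.0/0 or ::/0 is reported, with "all traffic" and admin-port rules ranked highest.

```python
"""Find security group ingress rules open to the whole Internet (slide 31).

Added example; not code from the webcast. SAMPLE_GROUPS is constructed in the
shape returned by `aws ec2 describe-security-groups` (hypothetical IDs)."""
import ipaddress

# Ports you deliberately expose on Internet-facing services; assumption for
# this example. Any other rule open to 0.0.0.0/0 or ::/0 is reported.
EXPECTED_PUBLIC = {("tcp", 80), ("tcp", 443)}
ADMIN_PORTS = {22, 3389}

SAMPLE_GROUPS = [
    {"GroupId": "sg-0a1", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0b2", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0c3", "GroupName": "legacy-default", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0d4", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 8000, "ToPort": 8100,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]


def is_world(cidr):
    """A /0 prefix in either address family means 'anyone on the Internet'."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def rule_ports(perm):
    """(protocol, from, to); protocol -1 means all protocols and all ports."""
    if perm["IpProtocol"] == "-1":
        return ("all", 0, 65535)
    return (perm["IpProtocol"], perm.get("FromPort", 0), perm.get("ToPort", 65535))


def severity(proto, lo, hi):
    if proto == "all":
        return "critical"
    if any(lo <= p <= hi for p in ADMIN_PORTS):
        return "high"
    return "medium"


def world_open_rules(groups, expected=EXPECTED_PUBLIC):
    """Every ingress rule reachable from 0.0.0.0/0 or ::/0 that is not an
    explicitly expected single-port (protocol, port) rule."""
    findings = []
    for g in groups:
        for perm in g.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            world = [c for c in cidrs if is_world(c)]
            if not world:
                continue
            proto, lo, hi = rule_ports(perm)
            if lo == hi and (proto, lo) in expected:
                continue
            findings.append({"group": g["GroupId"], "name": g["GroupName"],
                             "proto": proto, "ports": (lo, hi),
                             "open_to": world, "severity": severity(proto, lo, hi)})
    return findings


if __name__ == "__main__":
    for f in world_open_rules(SAMPLE_GROUPS):
        print(f"{f['severity']:8} {f['group']} ({f['name']}) {f['proto']} "
              f"{f['ports']} <- {','.join(f['open_to'])}")
```

Feed it the `SecurityGroups` list from the real API call, once per account and region, and the output is the list the slide asks you to review regularly; the IPv6 check matters because a rule that is "closed" for 0.0.0.0/0 but open for ::/0 is still open.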
32. Key takeaways
• Setting up proper account management is critical
• Enable consolidated billing and reporting to track usage
• Create network maps from the get-go and keep them updated
• Enable audit logging and regularly perform security checks
33. Thank you!
• For more resources see http://applatix.com/resources
• Feedback? Questions? info@applatix.com or @applatix
• Our next Webinar
March 16th, 2017
Cloud Management and Spend Analysis
Slide text separated from its slides during extraction:
• Belongs with slide 8 (Use “sub” accounts for actual work)
Create sub accounts for actual projects or teams
Do not create users or access keys on sub accounts
Instead, use cross-account roles and policies to grant access to sub accounts from the main account
Protect the “Root User” account of each sub account as well
• Belongs with slides 20–21 (Enable AWS cost and usage reports)
The number of resources in an AWS account affects the size of the reports
Hourly granularity with resource IDs and tags enabled generates large reports
Alternatively, enable both hourly and daily granularity, but enable resource IDs and tags only for daily granularity
• Closing remark
Lots of landmines in the public cloud; beware. Applatix can help