Author: Carlos Souza
For those looking to get started with cloud technologies, learning AWS basics is crucial. The following are AWS tips and tricks to accelerate your start and help you avoid common pitfalls. You’ll get a deeper understanding of AWS fundamentals for security in the cloud as well as possibilities to control costs of your AWS account.
1. Enable MFA for root user
Every AWS account has one user with total control over all the other users and all services running across them. It is called the root user. According to the official docs:
“We strongly recommend that you do not use the root user for your everyday tasks, even the administrative ones (…) Securely lock away the root user credentials and use them to perform only a few account and service management tasks.”
The root user has access to every part of our AWS account, from launching virtual machines to deleting databases. In other words, the root user is a valuable target for all kinds of bad people. The first thing we should do after creating a new AWS account is enable multi-factor authentication (MFA) for the root user. We can use a virtual device (a mobile application on our phones) or a hardware token as the second factor. After enabling MFA, every time someone needs to log in as the root user, they will need access to a code that’s produced by another device (or “factor”). Google Authenticator, Authy and Duo are the most popular apps for this.
Enabling MFA helps protect our account and mitigate the risk of attacks.
2. Create a billing alarm
Every cloud engineer’s biggest fear is receiving an unwanted bill for services we didn’t know were being charged for. Perhaps an EC2 instance of the wrong type is running, or we accidentally created a highly priced database service. For example, if we launch a virtual machine, we have to pay for it per hour—or we’re billed for every GB of data stored in the object store. Unwanted costs may occur if we forget to terminate unused virtual machines or delete data that we no longer need from S3.
There is no way to prevent AWS from actually charging us, so the best we can, and should, do is set alarms for price points. This way, we can track whether usage is going up and crossing a specific threshold. A billing alert will be sent to us via email or SMS when the costs for the current month exceed our limit, so we can act on it accordingly.
3. Get familiar with Identity and Access Management
The Identity and Access Management (IAM) service authenticates and authorizes all interactions with AWS. IAM is a fundamental part of security in the cloud. It allows us to control access to all AWS services with a precise level of granularity. Some examples:
- Is Bob allowed to launch a new virtual server?
- Is the application permitted to store data on the object store?
- Is Mary authorized to access customer information stored in the NoSQL database?
It’s important to understand the concepts of IAM and follow best practices. We are doing ourselves a big favor by setting aside time to learn and become very familiar with the Identity and Access Management service right from the start.
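The three questions above can be worked through with a simplified model of how IAM evaluates identity-based policies: an explicit Deny always wins, an Allow grants access, and anything not allowed is denied by default. This is an added example, not code from the original article or from AWS; the policies, account ID, bucket and table names are constructed, `is_allowed` is a hypothetical helper, and the model ignores conditions, permission boundaries, service control policies and resource-based policies.

```python
from fnmatch import fnmatchcase

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, value, ignore_case=False):
    # IAM wildcards are * and ?; action names are case-insensitive, ARNs are not.
    if ignore_case:
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatchcase(value, p) for p in patterns)

def is_allowed(policies, action, resource):
    """Explicit Deny beats Allow; with no matching Allow the request is denied."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _matches(_as_list(stmt["Action"]), action, ignore_case=True):
                continue
            if not _matches(_as_list(stmt["Resource"]), resource):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

# Constructed sample policies (account ID, bucket and table names are made up).
BOB = [{"Statement": [{"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}]}]
APP = [{"Statement": [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
                       "Resource": "arn:aws:s3:::example-app-data/*"}]}]
MARY = [
    {"Statement": [{"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"}]},
    {"Statement": [{"Effect": "Deny", "Action": "dynamodb:*",
                    "Resource": "arn:aws:dynamodb:*:*:table/customers"}]},
]
CUSTOMERS = "arn:aws:dynamodb:eu-west-1:111122223333:table/customers"

if __name__ == "__main__":
    print(is_allowed(BOB, "ec2:RunInstances", "arn:aws:ec2:eu-west-1:111122223333:instance/*"))
    print(is_allowed(APP, "s3:PutObject", "arn:aws:s3:::example-app-data/report.csv"))
    print(is_allowed(MARY, "dynamodb:GetItem", CUSTOMERS))
```

Bob is denied because nothing allows `ec2:RunInstances`, the application is allowed inside its own bucket only, and Mary is denied on the customers table even though a broader statement allows all DynamoDB actions.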
4. Make use of the Free Tier
Getting started with AWS doesn’t require any payment. They offer a Free Tier for many of the services for the first 12 months of a newly created account. Launch a virtual machine for 750 hours per month during the first year on AWS and pay nothing. Store up to 5 GB on the object store for free during the first year on AWS. Use the NoSQL database to store up to 25 GB or invoke a Lambda function up to one million times—all for free.
Using the Free Tier to discover these services is highly recommended as a way to get started.
5. Choose the right region(s)
AWS operates data centers all over the world and groups them into regions. Before using an AWS service, we should think about selecting the best region for the particular use case. Things to consider when choosing a region:
- Latency: Which region is closest to your customers?
- Availability of services: Are all the services you want to use available in the region?
- Compliance: Are you allowed to store and process data in the jurisdiction of the region?
- Costs: What are the costs for running your workload in the region?
6. Enable CloudTrail
Use CloudTrail to track every call to the AWS API. Whenever a team member changes the cloud infrastructure (for example, adjusting a firewall configuration) a log event is stored. Doing so allows us to debug failures or investigate security incidents. Once enabled, CloudTrail creates log files which can be accessed in the future if needed. For increased security, it is also recommended to route a copy of CloudTrail logs to a different AWS account under more restrictive access. This prevents attackers from erasing access history.
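Once CloudTrail is enabled, its records can be checked for the two risks this article raises: use of the root user (tip 1) and attempts to switch off or narrow the trail itself. The following is an added example, not code from the original article; the field names follow the CloudTrail record format, while the sample records, user names, event IDs, finding labels and the `triage` function are constructed for illustration.

```python
# Constructed CloudTrail records, trimmed to the fields the checks read.
SAMPLE_RECORDS = [
    {"eventID": "evt-1", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventID": "evt-2", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "userIdentity": {"type": "Root"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventID": "evt-3", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "userIdentity": {"type": "Root"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventID": "evt-4", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
]

# CloudTrail API calls that stop or narrow logging.
TRAIL_CHANGES = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}

def triage(records):
    """Return (finding, eventID) pairs for root usage and trail changes."""
    findings = []
    for rec in records:
        identity = rec.get("userIdentity", {})
        name = rec.get("eventName", "")
        if identity.get("type") == "Root":
            mfa = rec.get("additionalEventData", {}).get("MFAUsed")
            if name == "ConsoleLogin" and mfa != "Yes":
                findings.append(("root-login-without-mfa", rec["eventID"]))
            else:
                findings.append(("root-activity", rec["eventID"]))
        if rec.get("eventSource") == "cloudtrail.amazonaws.com" and name in TRAIL_CHANGES:
            findings.append(("trail-change", rec["eventID"]))
    return findings

if __name__ == "__main__":
    for finding, event_id in triage(SAMPLE_RECORDS):
        print(finding, event_id)
```

Real CloudTrail log files wrap these objects in a top-level `Records` array, so pass `json.load(f)["Records"]` to `triage`. Running it against the copy of the logs held in the separate account means the check still works if the original trail has been stopped.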
7. Learn about essential services
Cloud services can be split into the following categories:
Under these categories, AWS offers more than 200 different services. Start your journey by learning about the most popular:
- Amazon Virtual Private Cloud (VPC)
- Amazon Elastic Compute Cloud (EC2)
- Amazon Simple Storage Service (S3)
- Amazon Relational Database Service (RDS)
- AWS Identity and Access Management (IAM)
8. Install and configure the AWS Command Line Interface (CLI)
The simplest and most basic way to interact with AWS services is through the AWS Command Line Interface, also known as the AWS CLI. When we use our web browsers and click through a web interface to work with AWS, we are using the AWS Management Console. When we want to script some tasks, the AWS CLI becomes a valuable alternative. We can call it manually or include CLI commands inside other custom scripts, such as Bash scripts.
Get started by installing and configuring the AWS CLI.
9. Aim for automation
One of the biggest advantages of using AWS is that the API allows us to automate every part of our cloud infrastructure, from launching and provisioning virtual machines to creating the whole networking infrastructure. Unarguably, adopting automation increases the quality of our infrastructure and greatly reduces administration efforts. We should aim for automation to get the most out of AWS (try AWS CloudFormation or Cloud Development Kit).
10. Consult the Trusted Advisor
It is recommended to have a cloud architect with AWS experience review our accounts regularly. If that is not an option, then we can take advantage of the AWS Trusted Advisor. This is an automated specialist for our AWS account. It is good practice to optimize an AWS account across the following categories within the AWS Trusted Advisor:
- Cost Optimization
- Fault Tolerance
Be sure to check out the findings of the Trusted Advisor regularly.
Starting a cloud journey can sometimes feel overwhelming. The multitude of services available and the uncertainty of where to start might seem daunting at first. With these tips and tricks in hand, however, you can help facilitate the process and have more confidence to start working with AWS. Want to learn more? Pluralsight has many options for AWS for beginners, mid-level and advanced cloud engineers!