10 AWS security best practices every team MUST implement

I am writing this article at a time when more and more companies are migrating to the cloud or starting greenfield projects directly in the cloud, yet bad practices remain prevalent among teams. So I have decided to outline 10 of the most basic practices teams MUST follow to ensure their AWS environments are secured.
I am sure that by now most people have read or heard about AWS' Shared Responsibility Model. It essentially means that AWS ensures the underlying infrastructure and environment in the actual data centres are physically secured, and that any disposal of physical hard drives or old servers is carried out in compliance with various standards.
The customer's responsibility, on the other hand, is focused on securing their data in the cloud. Anything uploaded to or connected to the cloud is the full responsibility of the customer: for example, patching and hardening a guest operating system, or enabling encryption and data integrity authentication.
That doesn't mean AWS leaves you empty-handed. AWS offers many tools and features to improve the security of the account and the access to its resources. However, many of these security services are not enabled by default; you must take action and customise them to meet your specific demands. The following list includes 10 of the most relevant security practices for protecting your assets and controlling access to AWS resources.
1. Avoid using the root account for daily tasks: The root account is very powerful because it has access to all resources and services in AWS. Instead of using the root account for daily tasks, create individual IAM users for every person, service or application that needs to access the resources. Even if you are the owner of the root account, create an IAM user “Administrator” with full privileges and keep the root account's password and access keys safely locked away.
2. Use an MFA device to access resources and accounts: An MFA (Multi-Factor Authentication) device provides an extra layer of security on top of sign-in credentials. As a best practice, disable password-only access for AWS users and require some sort of MFA device to grant access, especially for the root user account. A virtual MFA device on a smartphone is free and easy to use. MFA can also be used to protect access keys that only have API access.
3. Adjust IAM user permissions and use groups: Grant each user only the permissions needed to carry out specific tasks and restrict access to unnecessary services as much as possible. Instead of specifying permissions for each individual user, it is easier to create IAM groups and manage permissions at group level.
4. Set up password policies in IAM: Passwords are usually required for accessing an AWS account and the support centre. A weak password can compromise the whole system. It is important to set up a password policy that defines the type of password a user must set. This ensures that users have strong, time-limited passwords.
5. Rotate access keys and certificates on a regular basis: Access keys are used to make programmatic requests to AWS resources; an AWS API call is signed with the secret key. Alternatively, X.509 certificates can be used for authentication to some AWS services. To avoid impact on an application's availability, AWS supports having multiple access keys and/or certificates active at the same time. Rotation (activation/deactivation) helps reduce the risk when a key or certificate is compromised. AWS recommends storing keys and certificates in a safe place and not embedding them in application code.
6. Use permissions and versioning to protect data in S3 buckets: Data stored in S3 can be protected from accidental information disclosure or data integrity compromise. To achieve this, limit the scope of access to sensitive data in S3 by enforcing strict bucket-level and/or object-level permissions. To preserve data integrity, S3 supports a feature called Versioning, which keeps a new version of an object each time it is modified, allowing quick restoration in case of accidental deletion.
7. Encrypt sensitive stored data with AES-256: Data at rest in S3, Glacier, EBS or RDS can be encrypted with the Advanced Encryption Standard (AES-256). S3 supports either server-side or client-side encryption with AES-256. Amazon Glacier automatically encrypts data using the same method. Metadata attached to an S3 object is not encrypted, so it is recommended not to put sensitive information in S3 metadata.
8. Protect data in transit with SSL/TLS and IPsec: Traffic from cloud applications often travels across public networks. To protect data in motion, AWS encourages encrypting it with SSL/TLS (Secure Sockets Layer/Transport Layer Security) or IPsec ESP (Encapsulating Security Payload) for all interactions. For example, HTTPS (over SSL/TLS) with server certificate authentication is highly recommended for web application traffic. API calls can also be encrypted with SSL; in fact, AWS recommends using SSL-protected API endpoints. IPsec over the Internet can also be used to establish VPNs with an on-premises network.
9. Use well-defined Security Groups to restrict access to instances: Careful management of Security Groups (“SGs”, specifying ports and IP address ranges) is recommended to avoid threats such as port scans. The level of security that SGs offer to databases, EC2 instances and VPCs depends on which ports are open or closed. When using a VPC, avoid the default SG, because it allows all inbound traffic from other members of the same SG and all outbound traffic to any destination.
10. Monitoring and alerting: Logs help you identify a problem and solve it. With the AWS CloudTrail logging service you can keep track of who did what and when, for example which IAM credentials initiated a particular API call and at what time. CloudWatch is a very useful tool for sending automated alarms or notifications to an email address or phone when a threshold is reached, for example if a billing threshold is crossed or an EC2 instance's CPU utilisation is high.
The above 10 recommendations are the minimum you MUST implement today. Of course, AWS also provides a detailed whitepaper on security best practices and a Security Centre that can help and provide you with more information.
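Practices 1, 2 and 5 can be checked in one pass over the IAM credential report (the CSV returned by `aws iam get-credential-report`). The script below is an added example, not code from the original post; the column names are the report's real ones, while the sample rows, the reference date and the 90-day rotation threshold are constructed for this example.

```python
"""Audit an IAM credential report for root access keys, missing MFA and stale keys."""
import csv
import io
from datetime import datetime, timezone

MAX_KEY_AGE_DAYS = 90  # assumed rotation threshold, not an AWS default

# Constructed sample report: a subset of the real column set, four users.
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,not_supported,false,true,2023-01-10T09:00:00+00:00,false,N/A
alice,arn:aws:iam::123456789012:user/alice,true,true,true,2024-05-01T08:00:00+00:00,false,N/A
build-bot,arn:aws:iam::123456789012:user/build-bot,false,false,true,2023-11-20T12:00:00+00:00,false,N/A
bob,arn:aws:iam::123456789012:user/bob,true,false,false,N/A,false,N/A
"""

# Constructed reference date so the sample produces repeatable key ages.
AS_OF = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)


def _age_days(stamp, now):
    """Days since an ISO-8601 timestamp; None for the report's 'no value' markers."""
    if stamp in ("N/A", "no_information", ""):
        return None
    return (now - datetime.fromisoformat(stamp)).days


def audit_credential_report(report_csv, now=None, max_key_age=MAX_KEY_AGE_DAYS):
    """Return a list of (user, finding) tuples for every violation in the report."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        # Practice 1: the root account should not have any active access keys.
        if user == "<root_account>" and "true" in (row["access_key_1_active"], row["access_key_2_active"]):
            findings.append((user, "root account has active access keys"))
        # Practice 2: every sign-in password (root reports 'not_supported') needs MFA.
        if row["password_enabled"] in ("true", "not_supported") and row["mfa_active"] != "true":
            findings.append((user, "password enabled without MFA"))
        # Practice 5: active access keys older than the rotation threshold.
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] == "true":
                age = _age_days(row[f"access_key_{n}_last_rotated"], now)
                if age is not None and age > max_key_age:
                    findings.append((user, f"access key {n} is {age} days old"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT, now=AS_OF):
        print(f"{user}: {finding}")
```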
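CloudTrail records carry enough detail to alert on two of the practices above automatically: any activity by the root identity (practice 1) and console sign-ins that succeeded without MFA (practice 2). The detection logic below is an added example, not code from the original post; the field names (`userIdentity.type`, `responseElements.ConsoleLogin`, `additionalEventData.MFAUsed`) are the ones CloudTrail emits, and the four records are constructed for this example.

```python
"""Scan the Records array of a CloudTrail log file for root usage and non-MFA console logins."""
import json

# Constructed sample log: only the fields the checks read are present.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-06-01T10:00:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}, "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2024-06-01T10:05:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::123456789012:user/alice"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}, "sourceIPAddress": "203.0.113.9"},
    {"eventTime": "2024-06-01T11:00:00Z", "eventName": "CreateUser",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2024-06-01T11:30:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "arn": "arn:aws:iam::123456789012:user/bob"},
     "responseElements": {"ConsoleLogin": "Failure"},
     "additionalEventData": {"MFAUsed": "No"}, "sourceIPAddress": "203.0.113.10"},
]})


def find_alerts(log_json):
    """Return (eventTime, alert kind, eventName, principal, source IP) tuples."""
    alerts = []
    for rec in json.loads(log_json)["Records"]:
        ident = rec.get("userIdentity", {})
        who = ident.get("userName") or ident.get("arn", "unknown")
        src = rec.get("sourceIPAddress", "unknown")
        # Practice 1: the root identity should never be used for daily work,
        # so every root API call or sign-in is worth an alert.
        if ident.get("type") == "Root":
            alerts.append((rec["eventTime"], "root activity", rec["eventName"], who, src))
        # Practice 2: a successful console login that did not present MFA.
        # Failed logins are skipped here; they belong in a separate brute-force rule.
        if (rec.get("eventName") == "ConsoleLogin"
                and rec.get("responseElements", {}).get("ConsoleLogin") == "Success"
                and rec.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
            alerts.append((rec["eventTime"], "console login without MFA", rec["eventName"], who, src))
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(" | ".join(alert))
```

The same conditions can be expressed as CloudWatch Logs metric filters on a CloudTrail log group, so that an alarm (practice 10) fires instead of a script having to be run.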

Comments

  1. Thank you for your valuable content, easy to understand and follow. As said, the migration to cloud is very essential for the protection of the database.

  2. The article was to the point and described the information very effectively. Thanks to the blog author for a wonderful and informative post.