2021 Update: Since I wrote this article in 2019, I've found this PDF guide on the same topic. It is much more elaborate and complete than my own notes. I highly recommend going through it :)
- Billing alerts to prevent overspending,
- GuardDuty threat detection with notifications to my phone (Slack), and
- setting up users to hand out.
Some of these steps are done manually and others with Terraform code, which I published on GitHub.
Here's my recipe:
Go to IAM and fix all the things it's complaining about:
- make a user for your AWS CLI/Terraform access and a group for it,
- activate MFA on the root account,
- set a password policy.
At this point you should be seeing this satisfying graphic:
💪 Now you can continue with the next steps:
- set up IaC using my sample code and the README file,
- if you need background, see the Terraform getting-started and remote-state guides,
- set up the IAM users you need for your use case (configured in terraform.auto.tfvars and handled in iam_students.tf),
- set up billing alerts (handled in billing.tf),
- set up GuardDuty using nights_watch (make sure to set event_threshold to 2, to avoid false positives),
- for good measure, go to S3 > "Block public access" and check the top box ("Block all public access", at the account level) to block everything. You can later carefully disable this if you are confident you need to.
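As an added illustration (not the code from my repo), here is what the Terraform-able part of that list looks like in one file: the password policy, the account-wide S3 public-access block, the GuardDuty detector and a budget alert. Root MFA, the CLI user's access keys and the nights_watch Slack wiring stay out of it; `var.alert_email` and `var.monthly_budget_usd` are assumed inputs, and the aws provider is assumed to be configured already.

```hcl
# Assumed inputs (constructed for this example, not from the repo's tfvars).
variable "alert_email"        { type = string }
variable "monthly_budget_usd" { type = string } # Budgets takes the amount as a string

# "set a password policy": one account-wide policy, so IAM stops complaining.
resource "aws_iam_account_password_policy" "strict" {
  minimum_password_length        = 14
  require_lowercase_characters   = true
  require_uppercase_characters   = true
  require_numbers                = true
  require_symbols                = true
  allow_users_to_change_password = true
  max_password_age               = 90
  password_reuse_prevention      = 24
}

# "Block public access, top box": the account-level block sets all four flags.
# Flip a flag to false only for a documented need, and prefer a per-bucket
# aws_s3_bucket_public_access_block over relaxing the whole account.
resource "aws_s3_account_public_access_block" "all" {
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# "set up GuardDuty": enable the detector in the provider's region.
# Forwarding findings to Slack (what nights_watch does in the post) is not shown.
resource "aws_guardduty_detector" "main" {
  enable = true
}

# "billing alerts": a monthly cost budget that emails once 80% of the limit
# is actually spent (ACTUAL, not FORECASTED), so a runaway resource is noticed
# before the month ends.
resource "aws_budgets_budget" "monthly" {
  name         = "monthly-cost-budget"
  budget_type  = "COST"
  limit_amount = var.monthly_budget_usd
  limit_unit   = "USD"
  time_unit    = "MONTHLY"

  notification {
    comparison_operator        = "GREATER_THAN"
    threshold                  = 80
    threshold_type             = "PERCENTAGE"
    notification_type          = "ACTUAL"
    subscriber_email_addresses = [var.alert_email]
  }
}
```

The budget subscription email has to be confirmed once from the inbox, otherwise no alert is ever delivered.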
This should be it! A relatively secure account is now ready for use. You can use the Terraform framework/code to deploy the other things you need 😃.
Tip: If you're worried about costs, check the billing section in the console. If you are on the free tier, there's a page that shows the most-used services and their limits: