Collection of best practices and architectural definitions to provide a well designed cloud infrastructure based on the 5 pillars: operational excellence, security, reliability, performance efficiency and cost optimization.
- stop guessing your capacity needs
- test systems at prod scale
- automate to make architectural experimentatino easier
- allow for evolutionary architectures
- data-driven architecures
- improve through game days
- Apply security at all layers (acls, sgs, ec2)
- Enable traceability (cloudtrail)
- Automate response to security events (SNS, brute-forces)
- focus on securing your system
- automate security best practices (hardened amis)
Data should be segmented and classified so certain data can be only accesible by certain group of persons and no others. AWS Key services: elb, ebs, s3, rds (encryption)
Only specific, authorized and authenticated users should access to the right resources. This can be defined by ACLs, Rol Based access, Secure passwords. The root account has to be protected. IAM roles and groups has to be well defined and verified. AWS Key services: iam, mfa
Better to check enforncement level, host or network. Protection and integrity checks on the EC2 machines. AWS Key services: vpc, nat instances, sgs, nacls, public/private subnets.
Measures to detect security breachs. Proper logging agregation in place. AWS Key services: cloudtrail, cloudwatch
- test recovery procedures
- automatically recover from failures
- scale horizontally to icnresae aggregate system availability
- stop guessing capacity, don’t over provision.
This is fully managed by AWS as part of the infrastructure physical provisioning of resources. AWS defines some limitations so users don’t over provision resources, those limits are not fixed, they can be increased by creating tickets. AWS Key services: iam, vpc
A tracking system or versioning needs to be in place as well as monitoring. AWS Key services: cloudtrail
Always assume that a failure will occure, so how to recover? AWS Key services: cloudformation