AWS Ground Rules

2023. 1. 10. 15:36 AWS/AWS Basic Design


- Good for security (Zero Trust) and for saving traffic cost

Do not use the root user for day-to-day work.
Use individual IAM users.
Use MFA for every IAM user, including the root account.
Use roles, not access keys.
Use a separate VPC for each environment, such as dev, staging and production.
Separate private and public subnets in the VPC.
Use separate routing tables for the private and public subnets in the VPC (NAT Gateway for private, Internet Gateway for public).
Internet traffic from an AWS private subnet: EC2 (private subnet) -> NAT Gateway (public subnet)
Internet traffic to an AWS public subnet: Internet Gateway -> ELB (public subnet) -> EC2 (private subnet)
Use AWS-internal traffic routing such as an S3 endpoint, an internal ALB and internal DNS.
Locate EC2, RDS and cache instances in private subnets; only the internet-facing ELB and the bastion host belong in public subnets.
For AWS-internal traffic, open security group rules only to other security groups wherever you can (e.g. ELB SG -> EC2 SG), not to CIDR ranges.
Use a non-default port for the application.
Use ELB rule-based routing.
Use Savings Plans and Rightsizing recommendations.
Use EBS gp3 volumes, not gp2.
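The account rules above (no routine root use, MFA for every user including root, roles instead of access keys) can be checked from an IAM credential report. The script below is an added example, not code from the original post: it parses a constructed report in the CSV layout that `aws iam get-credential-report` returns (trimmed to the columns the checks read; the account id, user names and dates are made up) and lists the rows that break the rules.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the layout of an IAM credential report (the CSV that
# `aws iam get-credential-report` returns, base64-decoded), trimmed to the columns
# the checks below read. Names and dates are made up for the example;
# "<root_account>" is the literal user name IAM uses for the root row.
SAMPLE_REPORT = """\
user,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_used_date,access_key_2_active
<root_account>,not_supported,2023-01-09T08:00:00+00:00,false,true,2023-01-05T00:00:00+00:00,false
alice,true,2023-01-10T01:00:00+00:00,true,false,N/A,false
bob,true,2023-01-02T01:00:00+00:00,false,true,2023-01-09T00:00:00+00:00,false
deploy-bot,false,no_information,false,true,2023-01-10T02:00:00+00:00,false
"""

ROOT = "<root_account>"
RECENT = timedelta(days=30)  # root sign-in inside this window counts as routine use


def _parse_time(value):
    """Return an aware datetime, or None for the N/A-style markers the report uses."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(csv_text, now):
    """Return (user, finding) pairs for rows that break the account rules."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = row["user"]
        has_password = row["password_enabled"] == "true"
        has_mfa = row["mfa_active"] == "true"
        has_key = "true" in (row["access_key_1_active"], row["access_key_2_active"])

        if user == ROOT:
            if has_key:
                findings.append((user, "root account has an active access key"))
            if not has_mfa:
                findings.append((user, "root account has no MFA device"))
            last_used = _parse_time(row["password_last_used"])
            if last_used is not None and now - last_used < RECENT:
                findings.append((user, "root account used for day-to-day access"))
            continue

        # Every IAM user with console access must have MFA enabled.
        if has_password and not has_mfa:
            findings.append((user, "IAM user has a password but no MFA"))
        # Long-lived access keys are discouraged; roles issue temporary credentials.
        if has_key:
            findings.append((user, "IAM user has a long-lived access key; prefer a role"))
    return findings


def demo_findings():
    """Run the audit over the constructed sample with a fixed reference time."""
    return audit_credential_report(SAMPLE_REPORT, datetime(2023, 1, 10, tzinfo=timezone.utc))


if __name__ == "__main__":
    for user, finding in demo_findings():
        print(f"{user}: {finding}")
```

Against the sample, the root row produces three findings (active key, no MFA, recent sign-in), `bob` two (no MFA, long-lived key), `deploy-bot` one (long-lived key), and `alice` none. On a real account, feed the decoded report into `audit_credential_report` with `datetime.now(timezone.utc)`; the 30-day window is a choice for this example, not an AWS setting.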
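The network rules (separate route tables for public and private subnets, NAT Gateway versus Internet Gateway for the default route, security group rules that reference other security groups rather than CIDRs) can likewise be audited from the VPC description. The following is an added example, not code from the original post: it works on constructed fixtures shaped like the dicts boto3's `describe_security_groups()` and `describe_route_tables()` return (reduced to the keys it reads; all ids are made up), classifies each subnet by its default route and compares that with the tier the designer intended.

```python
# Constructed fixtures shaped like the dicts boto3's describe_security_groups() and
# describe_route_tables() return, reduced to the keys the checks read. All ids are made up.
SECURITY_GROUPS = [
    {"GroupId": "sg-0a0000000000000e1", "GroupName": "web-elb",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0a0000000000000e2", "GroupName": "web-ec2",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
                        "IpRanges": [],
                        "UserIdGroupPairs": [{"GroupId": "sg-0a0000000000000e1"}]}]},
    {"GroupId": "sg-0a0000000000000e3", "GroupName": "app-rds",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                        "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0a0000000000000e4", "GroupName": "bastion",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
]

# Only the internet-facing tier (ELB, bastion) may accept traffic from outside the VPC.
INTERNET_FACING = {"sg-0a0000000000000e1", "sg-0a0000000000000e4"}

ROUTE_TABLES = [
    {"RouteTableId": "rtb-0a000000000000001",
     "Associations": [{"SubnetId": "subnet-pub-a"}, {"SubnetId": "subnet-pub-b"},
                      {"SubnetId": "subnet-app-b"}],  # deliberately misplaced app subnet
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0a000000000000001"}]},
    {"RouteTableId": "rtb-0a000000000000002",
     "Associations": [{"SubnetId": "subnet-app-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0a000000000000001"}]},
    {"RouteTableId": "rtb-0a000000000000003",
     "Associations": [{"SubnetId": "subnet-db-a"}, {"SubnetId": "subnet-db-b"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
]

# Intended tier for each subnet, as the designer documented it (constructed).
EXPECTED_TIER = {
    "subnet-pub-a": "public", "subnet-pub-b": "public",
    "subnet-app-a": "private", "subnet-app-b": "private",
    "subnet-db-a": "isolated", "subnet-db-b": "isolated",
}

ANY = {"0.0.0.0/0", "::/0"}


def audit_security_groups(groups, internet_facing):
    """Flag ingress rules on internal SGs that come from CIDRs instead of other SGs."""
    findings = []
    for sg in groups:
        if sg["GroupId"] in internet_facing:
            continue
        for perm in sg["IpPermissions"]:
            port = f"{perm['IpProtocol']}/{perm.get('FromPort', 'all')}"
            for r in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
                cidr = r.get("CidrIp") or r.get("CidrIpv6")
                kind = "the internet" if cidr in ANY else f"CIDR {cidr}"
                findings.append((sg["GroupName"],
                                 f"{port} open from {kind}; reference a source SG instead"))
    return findings


def classify_route_table(table):
    """Public if the default route goes to an internet gateway, private via NAT, else isolated."""
    for route in table["Routes"]:
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if route.get("GatewayId", "").startswith("igw-"):
            return "public"
        if "NatGatewayId" in route:
            return "private"
    return "isolated"


def audit_route_tables(tables, expected_tier):
    """Compare each subnet's actual tier (from its route table) with the intended one."""
    findings = []
    seen = set()
    for table in tables:
        actual = classify_route_table(table)
        for assoc in table["Associations"]:
            subnet = assoc.get("SubnetId")
            if subnet is None:  # the main-table association carries no SubnetId
                continue
            seen.add(subnet)
            want = expected_tier.get(subnet)
            if want is not None and want != actual:
                findings.append((subnet, f"intended {want} but routed as {actual} "
                                         f"via {table['RouteTableId']}"))
    for subnet in sorted(expected_tier.keys() - seen):
        findings.append((subnet, "no explicit route table association (uses the VPC main table)"))
    return findings


def audit_network():
    """Run both audits over the constructed fixtures."""
    return (audit_security_groups(SECURITY_GROUPS, INTERNET_FACING)
            + audit_route_tables(ROUTE_TABLES, EXPECTED_TIER))


if __name__ == "__main__":
    for name, finding in audit_network():
        print(f"{name}: {finding}")
```

Two findings come out of the fixtures: `app-rds` accepts 3306 from a CIDR rather than from the EC2 security group, and `subnet-app-b` is associated with the Internet Gateway route table although it was meant to be private. Subnets with no explicit association are reported too, because they silently fall back to the VPC main route table, which is where a private subnet often ends up reachable from the internet.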


- Good for High Availability

Use the RDS writer and reader endpoints, not the instance endpoints.
Use Multi-AZ for every AWS resource, such as subnets, NAT Gateways, RDS, EC2, ECS and so on.