Security
- Manage access to AWS resources and APIs using identity federation, IAM users, and IAM roles.
- Implement the least permissive rules for your security group.
- Regularly patch, update, and secure the operating system and applications on your instance.
- Launch your instances into a VPC instead of EC2-Classic (if the AWS account is newly created, a VPC is used by default).
- Establish credential management policies and procedures for creating, distributing, rotating, and revoking AWS access credentials.
- Disable password-based logins for instances launched from your AMI.
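The "least permissive rules" item can be checked rather than just remembered. The following is an added audit example, not code from the original notes or from AWS: it walks the list shape returned by the EC2 DescribeSecurityGroups API and flags ingress rules open to the whole internet on anything other than a single allow-listed public port. The allow-list (80, 443) and the sample group are constructed for the example.

```python
from ipaddress import ip_network

# Ports this example accepts as publicly exposed (assumption for the example).
PUBLIC_PORTS = {80, 443}

def is_open_to_world(cidr):
    """True for a /0 prefix, i.e. the whole IPv4 or IPv6 address space."""
    try:
        return ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False

def rule_ports(perm):
    """Port range of an IpPermissions entry; None means all ports (protocol -1)."""
    if perm.get("IpProtocol") == "-1":
        return None
    return perm.get("FromPort"), perm.get("ToPort")

def find_overly_permissive(security_groups):
    """Return (GroupId, IpProtocol, ports-or-None, cidr) for every ingress rule
    whose source is the entire internet and whose port is not one allow-listed port."""
    findings = []
    for group in security_groups:
        for perm in group.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if not is_open_to_world(cidr):
                    continue  # scoped source: not a finding for this check
                ports = rule_ports(perm)
                if ports and ports[0] == ports[1] and ports[0] in PUBLIC_PORTS:
                    continue  # a single allow-listed public port is acceptable
                findings.append((group["GroupId"], perm.get("IpProtocol"), ports, cidr))
    return findings

# Constructed sample group (not real infrastructure), in the API response shape.
SAMPLE_GROUPS = [{
    "GroupId": "sg-0example", "GroupName": "web",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ],
}]
```

Calling `find_overly_permissive(SAMPLE_GROUPS)` reports the world-open SSH rule and the all-ports IPv6 rule, while the HTTPS rule and the private-range SSH rule pass; feed it the `SecurityGroups` list from a real DescribeSecurityGroups call to audit an account.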
Storage
- Understand the implications of the root device type for data persistence, backup, and recovery.
  - Data on any other EBS volumes persists after instance termination by default.
- Use separate Amazon EBS volumes for the operating system versus your data.
  - Ensure that the volume with your data persists after instance termination.
- Use the instance store available for your instance to store temporary data.
  - Remember that the data stored in instance store is deleted when you stop, hibernate, or terminate your instance.
  - If you use instance store for database storage, ensure that you have a cluster with a replication factor that ensures fault tolerance.
- Encrypt EBS volumes and snapshots.
Resource management
- Use instance metadata and custom resource tags to track and identify your AWS resources.
- View your current limits for Amazon EC2. Plan to request any limit increases in advance of the time that you'll need them.
Backup and recovery
- Regularly back up your EBS volumes using Amazon EBS snapshots, and create an Amazon Machine Image (AMI) from your instance to save the configuration as a template for launching future instances.
  - Use Data Lifecycle Manager (DLM) to automate the creation, retention, and deletion of the snapshots taken to back up the EBS volumes.
- Deploy critical components of your application across multiple Availability Zones, and replicate your data appropriately.
- Design your applications to handle dynamic IP addressing when your instance restarts.
- Monitor and respond to events.
- Ensure that you are prepared to handle failover.
  - For a basic solution, you can manually attach a network interface or Elastic IP address to a replacement instance.
  - For an automated solution, you can use Amazon EC2 Auto Scaling.
- Regularly test the process of recovering your instances and Amazon EBS volumes if they fail.
Networking
- Set the time-to-live (TTL) value for your applications to 255, for IPv4 and IPv6. If you use a smaller value, there is a risk that the TTL will expire while application traffic is in transit, causing reachability issues for your instances.