2.10 Amazon EC2 Best Practices

Security

• Manage access to AWS resources and APIs using identity federation, IAM users, and IAM roles.

• Implement the least permissive rules for your security group.

• Regularly patch, update, and secure the operating system and applications on your instance.

• Launch your instances into a VPC instead of EC2-Classic (If aws account is newly created VPC is used by default)
• Establish credential management policies and procedures for creating, distributing, rotating, and revoking AWS access credentials
• Disable password-based logins for instances launched from your AMI.

Storage

• Understand the implications of the root device type for data persistence, backup, and recovery.

  • Data on any other EBS volumes persists after instance termination by default

• Use separate Amazon EBS volumes for the operating system versus your data.

  • Ensure that the volume with your data persists after instance termination.

• Use the instance store available for your instance to store temporary data.

  • Remember that the data stored in instance store is deleted when you stop, hibernate, or terminate your instance.

  • If you use instance store for database storage, ensure that you have a cluster with a replication factor that ensures fault tolerance.

• Encrypt EBS volumes and snapshots. 

Resource management

• Use instance metadata and custom resource tags to track and identify your AWS resources. 

• View your current limits for Amazon EC2. Plan to request any limit increases in advance of the time that you'll need them.

Backup and recovery

• Regularly back up your EBS volumes using Amazon EBS snapshots, and create an  Amazon Machine Image (AMI) from your instance to save the configuration as a template for launching future instances.

• Data Lifecycle Manager (DLM) to automate the creation, retention, and deletion of snapshots taken to back up the EBS volumes

• Deploy critical components of your application across multiple Availability Zones, and replicate your data appropriately.

• Design your applications to handle dynamic IP addressing when your instance restarts. 

• Monitor and respond to events.

• Ensure that you are prepared to handle failover.

  • For a basic solution, you can manually attach a network interface or Elastic IP address to a replacement instance.

  •  For an automated solution, you can use Amazon EC2 Auto Scaling. 

• Regularly test the process of recovering your instances and Amazon EBS volumes if they fail.

Networking

• Set the time-to-live (TTL) value for your applications to 255, for IPv4 and IPv6. If you use a smaller value, there is a risk that the TTL will expire while application traffic is in transit, causing reachability issues for your instances.