Cloud computing has completely changed the landscape of IT services. It has altered the way organizations do business and how IT pros do their jobs. From its origins, where it was perceived as mainly a system to store data, the cloud has evolved into a multifaceted digital ecosystem affecting companies big and small.
Amazon Web Services (AWS) is the leading provider of cloud-computing services across the globe. AWS provides IT infrastructure services to websites, client-side applications, and various other businesses in the form of cloud computing.
AWS offers a long list of services in the IT field, including networking, computing, content, databases, analytics, deployment, management, and security. Thanks to the benefits of cloud computing and the growing need and demand for cloud services, businesses have flocked to AWS, which commands a hefty market share over nearest competitors Microsoft, IBM, and Google.
Although using AWS services can increase productivity and address several business-related issues, real-world usage of AWS doesn’t always portray a pretty picture. Even a small human error or a misconfiguration can have a deadly impact on a company, its business, and its confidentiality.
Keeping all this in mind, here are some of the most common mistakes and misconfigurations in AWS you should avoid:
Managing infrastructure manually
The most common AWS mistake is managing infrastructure manually. Often, developers set up AWS by using the web-based management console to manually create the resources. The biggest problem with this approach is that all actions done in this way are not reproducible, making it very difficult to trace damaged or malfunctioning resources in case of an issue. Documentation is yet another important aspect in managing the infrastructure of AWS, which could possibly end up in several mistakes if done manually.
AWS CloudFormation is one of the best alternatives for manual infrastructure maintenance, and it can solve solve most issues for free. CloudFormation provides customers with all the right set of tools to automatically manage the infrastructure. Instead of creating resources like EC2 instances, snapshots, security groups, and subnets manually every time, you just need to describe them in a template. A template in AWS is a JavaScript Object notation known as JSON file, which needs to be scripted only once.
When a template (JSON file) is submitted to an AWS service, CloudFormation automatically creates all the required resources in the customer’s account, building a running instance of the template. This running instance in AWS is called a stack. CloudFormation also allows you to make modifications to the template to make changes to any running stack. Due to the scripted templates, CloudFormation makes it very easy to trace down an issue in case something goes wrong in the running stack.
AWS CloudFormation supports a wide range of AWS resources and comes with an easy to use drag-and-drop interface.We recommend you stop managing your infrastructure manually and start using automated services.
Lack of security
AWS users sometimes misconfigure their system’s infrastructure, leaving it with several security flaws and vulnerabilities. These configuration flaws result in various loopholes in the system, causing various security threats.
Hard-coding credentials into the source code of applications is another common security blunder in AWS. Hard-coded AWS keys are being exposed publicly over several years. All AWS security keys, user credentials, and passwords must be regularly changed to curb intruders’ access to your system, thereby safeguarding your AWS data.
In addition to that, some organizations overlook the need of enabling encryptions in their AWS infrastructures. Encryption is essential in the creation of Relational Database Service (RDS) instances, Elastic Block Storage (EBS), and all the data in S3. Proper encryption standards must be configured to keep your systems safe. In fact, a misconfigured encryption can be equally as disastrous as having no encryption.
Giving unnecessary higher privileges
Controlling access keys and user privileges plays a vital role in AWS and its security. Often, developers and analysts are given admin privileges to reduce the work of the administrative department. But it is strongly advised to avoid providing unnecessary broader roles and higher privileges to most employees.
System administrators must be limited to a certain number based on the organization. Not everyone needs to have admin rights. It’s the duty of system administrators to maintain the integrity of the system and apply proper policies to reduce the risk of security attacks. System admins also need to check all the user privileges at regular intervals.
Having a large number of powerful users with all the admin rights can also lead to several conflicts, which can hinder business flow. To avoid these unnecessary issues, AWS launched a web service called AWS Identity and Access Management (IAM). IAM makes it easy for admins to manage the roles and permissions of their users. This service is especially important for businesses involving multiple users using AWS services such as EC2, AWS management console, and SimpleDB. Other features of IAM are granular permissions, shared access to AWS accounts, identity federation, and consistency in providing privileges.
Stacking stale resources
Be it AWS or any other cloud-based service, stacking up stale resources can turn into one of the worst nightmares for management. AWS charges its users based on the usage of resources. However, the term “usage” here doesn’t necessarily mean you use the resources. Although EBS volumes are charged based on the provisioned storage, even the unused but stored EBS volumes can easily lead to higher bills and performance issues in the system. It is advised to keep only the minimum required volumes that will be needed in the immediate future.
Similarly, keeping your EC2 security groups clean eliminates the risk of implementing an unauthorized security group policy. We often came across instances where novice AWS users mistakenly launched EC2 instances using outdated security groups. These antiquated security groups are highly vulnerable to attacks and often leads to various incidents. Therefore, regularly monitor and remove all the unnecessary resources and EC2 security groups.
Ignoring logs
Having proper logging of all the actions performed is essential, irrespective of what application you are using. This seemingly minor measure of maintaining logs can be very helpful in recovering from system crashes and are vital in tracking the system’s metrics. Tools such as AWS CloudTrail can be handy in maintaining logs and also track of all the API calls made from the console. Although CloudTrail or any other similar monitoring application does the task of storing all your logs, you need to make sure that these services are always enabled and are running properly on your systems.
Using too many instances
Choosing the right instances for your AWS system is a fundamental decision one needs to confront. How many instances to choose? What’s the right size for an instance? How to keep track of all the instances? All these are basic yet vital decisions to be made. One definitely needs resources to run the systems, but using oversized or too many instances, or leaving your instances idle, can cost you a lot of money. So use your resources wisely.
Similarly, having EBS snapshots is essential in the recovery process in case of system failures. Snapshots are incremental backups, which store blocks of data on the device. But taking too many snapshots can also result in unnecessarily higher bills. Therefore, EBS snapshots should be saved in moderation to avoid any unexpected increase in the storage costs. One best practice is to have snapshots retention strategy using Amazon S3 lifecycle rules.
Using Amazon CloudWatch for monitoring system metrics and using AWS trusted advisor for best policies can turn out to be highly beneficial in maintaining AWS systems.
Now that you are familiar with some of the most frequently made mistakes in AWS, make sure you avoid them. Most of these misconfigurations are not difficult to fix. But if they are ignored, the repercussions can be deadly for your organization.
Photo credit: Flickr/Vaquero Francis
