NEW Featured eBook: AWS Cloud Cost Allocation: The Complete Guide - Download Now

AWS Knowledge Base

Cloud Security, Cost Optimization, Well-Architected Framework and More

The ultimate guide to AWS best practices and remediations for all cloud issues in Cost Optimization, Security, Reliability, Performance, and Operations and Fault Tolerance. Get step-by-step instructions on proven remediations and frameworks to keep your cloud running smoothly.

Cost Optimization

Optimize Your Cost by Scheduling Idle Resources

To reduce AWS monthly bill, there is another practice that a cloud admin can do to stop or terminate idle instances from the AWS account. There is a default way to find out whether EC2 instances that declare the instance is inactive or not. The CPU average is less than 2%, and the average network I/O has been less than 5MB since last week.

Learn More about Optimize Your Cost by Scheduling Idle Resources

What is Elastic Block Storage (EBS)

AWS EBS stands for Elastic block storage. EBS lets you store huge amounts of data of any kind i.e. Files system data, transactional Data, relational databases, etc. An EBS volume is like a hard drive attached to an EC2 instance. EBS provides high availability and durability, and is ideal for intensive applications.

Learn More about Monitoring Unattached EBS Volumes to follow best practices of FinOps

What is Elastic IP address

Elastic IP (EIP) is an IP address one can reserve for their AWS account. Static IP addresses by nature are associated to a particular machine. However, to keep-up with the dynamic needs of public cloud, users generally use Elastic IP addresses.These IP addresses are called ‘Elastic’ as they can be reassigned or remapped to another instanceas an organization keeps launching and terminating resources.

Check for any unattached Elastic IP (EIP) addresses in your AWS account and release (remove) them in order to lower the cost of your monthly AWS bill.

This rule can help you with the following compliance standards:

This rule can help you work with the AWS Well-Architected Framework

Amazon Web Services enforce a small hourly charge if an Elastic IP (EIP) address within your account is not associated with a running EC2 instance or an Elastic Network Interface (ENI). nOps recommends releasing any unassociated EIPs that are no longer needed to reduce your AWS monthly costs.

Identify any Amazon EC2 instances that appear to be idle and stop or terminate them to help lower the cost of your monthly AWS bill. By default, an EC2 instance is considered ‘idle’ when meets the following criteria (to declare the instance ‘idle’ both conditions must be true):

  • The average CPU Utilisation has been less than 2% for the last 7 days.
  • The average Network I/O has been less than 5 MB for the last 7 days.

It is important that your EC2 instances are tagged with correct tags which provide visibility into their usage profile and help you decide whether it’s safe or not to stop or terminate these resources. For Example, knowing the role and the owner of an EC2 instance before you take the decision to stop/terminate it is very important and can avoid unwanted termination of actually used workloads.

This rule can help you with the following compliance standards:

This rule can also help you work with the AWS Well-Architected Framework.

Idle instances represent a good candidate to reduce your monthly AWS costs and avoid accumulating unnecessary EC2 usage charges.

EBS (Elastic Block Storage) volumes are attached to EC2 Instances as storage devices. Unused (Unattached) EBS Volumes can keep accruing costs even when their associated EC2 instances are no longer running.

This rule checks whether there are unused EBS Volumes in your AWS account. nOps recommends you consider deleting non-used EBS volumes to reduce your monthly AWS bills.

This rule can help you with the following:

Compliance frameworks report

  • SOC 2 Readiness Report 

AWS Well-Architected Lens

  • AWS Well-Architected Framework Lens

Security

When dealing with production data that is crucial to your business, it is highly recommended to implement encryption in order to protect it from attackers or unauthorised personnel. With Elastic Block Store encryption enabled, the data stored on the volume, the disk I/O and the snapshots created from the volume are all encrypted. The EBS encryption keys use AES-256 algorithm and are entirely managed and protected by the AWS key management infrastructure, through AWS Key Management Service (AWS KMS).

This rule can help you with the following compliance standards:

This rule can help you work with the AWS Well-Architected Framework

When dealing with production data that is crucial to your business, it is highly recommended to implement encryption in order to protect it from attackers or unauthorised personnel. With Elastic Block Store encryption enabled, the data stored on the volume, the disk I/O and the snapshots created from the volume are all encrypted. The EBS encryption keys use AES-256 algorithm and are entirely managed and protected by the AWS key management infrastructure, through AWS Key Management Service (AWS KMS).

Ensure that all users with AWS Console access have Multi-Factor Authentication (MFA) enabled in order to secure your AWS environment and adhere to IAM security best practices.

This rule can help you with the following compliance standards:

This rule can also help you work with the AWS Well-Architected Framework

Having MFA-protected IAM users is the best way to protect your AWS resources and services against attackers. An MFA device signature adds an extra layer of protection on top of your existing IAM user credentials (username and password), making your AWS account virtually impossible to penetrate without the MFA generated passcode.

This rule can help you with the following compliance standards:

This rule can help you work with the AWS Well-Architected Framework

Having an MFA-protected root account is the best way to protect your AWS resources and services against attackers. An MFA device signature adds an extra layer of protection on top of your existing root credentials making your AWS root account virtually impossible to penetrate without the MFA generated passcode.

This rule can help you with the following:

Compliance frameworks

  • SOC 2 Readiness Report
  • HIPAA Readiness Report
  • CIS Readiness Report

AWS Well-Architected Lens

  • AWS Well-Architected Framework Lens
  • FTR Lens

AWS S3 default encryption setting directs AWS to automatically encrypt your S3 data as it is stored in S3 buckets to prevent unauthorized attackers from accessing it.

This rule can help you with the following compliance standards:

This rule can help you work with the AWS Well-Architected Framework

Reliability

 

Operations and Fault Tolerance

Performance