Security Best Practices of AWS Accounts

In this article, we are going to talk about Security Best Practices of AWS Accounts when developing Serverless E-Commerce application.

https://trailhead.salesforce.com/en/content/learn/modules/aws-identity-and-access-management/set-iam-policies

We will see the way of Improving the security of your AWS account.

Step by Step Design AWS Architectures w/ Course

I have just published a new course — AWS Serverless Microservices with Patterns & Best Practices.

In this course, we’re going to learn how to Design and Develop AWS Serverless Event-driven Microservices with using AWS Lambda, AWS DynamoDB, AWS API Gateway, AWS EventBridge, AWS SQS, AWS CDK for IaCInfrastructure as Code tool and AWS CloudWatch for monitoring.

Source Code

Get the Source Code from Serverless Microservices GitHub — Clone or fork this repository, if you like don’t forget the star. If you find or ask anything you can directly open issue on repository.

AWS IAM Users

When we have activated your AWS account and login the AWS console, we have login with Root user account.

But AWS has 2 main user type when login the AWS Management Console

  • AWS Root User Account
  • AWS IAM User Account

AWS Root User Account

As you guest that AWS root user account is the only one user that has full power of your AWS account and it has un-restricted access over to your AWS cloud account.
That means its really dangerous to use this root account for daily usage of your AWS cloud infrastructure.

AWS IAM User Account

Another type of user account is “AWS IAM User Account”. You can think this is sub-users under the root user account and you can define policies over this account and able to restrict over to your AWS cloud account.
That means “AWS IAM User Account” can create and restrict by your root account.

Create IAM User Account and Configure for Programmatic and Console Access

And Creating IAM User Account is the best practice to follow when you first active your AWS account.
After active our account, We have got only a AWS root user, and the first thing We should do create “IAM User” under root account and use this “IAM User” for our daily usage of AWS console.
Even you have the only one user to use AWS account creating a dedicating user account is one of the first thing the we should do after active our AWS account. This is the security best practices that we should follow.

So we should create user-specific IAM User accounts under root user that they have own login and passwords.

https://trailhead.salesforce.com/en/content/learn/modules/aws-identity-and-access-management/set-iam-policies

Because root account has power of full access that can change your payment information changing your password removing users and lots of dangerous things.

AWS Console Sign-in Page

If you open to sign-in console page, You will see the option of

  • Root User
  • IAM User

IAM stands for Identity and Access Management (IAM) and as the name suggest its managing identity and access of AWS resources. We are going to create our IAM User, give required permissions and login with IAM User.

But before that I would like to share you other security best practices that you should consider about AWS accounts.

As you know that we have followed this steps
https://aws.amazon.com/premiumsupport/knowledge-center/create-and-activate-aws-account/

At the end of the page, you can see the part of ;

Improving the security of your AWS account
To help secure your AWS resources, see Security best practices in AWS Identity and Access Management (IAM).

If you go to this link :
https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#delegate-using-roles

Security best practices in IAM

In this page you can see lots of security best practices that's very important to follow for the AWS accounts.

For example;

  • Lock away your AWS account root user access keys
  • Grant least privilege
  • Get started using permissions with AWS managed policies
  • Use access levels to review IAM permissions
  • Remove unnecessary credentials
    and so on..

But For our application, its enough to create “IAM User” under the root user.
We will create “IAM User” and follow the course with “IAM User”.

Programmatic and Console Access

When creating user-specific AWS account We should Define Programmatic and Console Access.

Also Programmatic access is required for our Serverless E-commerce application, because we will use all interactions with AWS resources like AWS Console, AWS CLI, AWS CDK and AWS SDK.

AWS Serverless Microservices for Ecommerce Application Architecture

Here, you can find the main overall Serverless Architecture for our application that we will follow these steps and build tihs Serverless E-Commerce Microservices Architecture.

This is the big picture of what we are going to develop together for AWS Serverless Event-driven E-commerce Microservices application that is Step by Step Implementation together.

Serverless Event-driven E-commerce Microservices Architecture

We have followed the reference architecture above which is a real-world serverless e-commerce application and it includes;

  • REST API and CRUD endpoints with using AWS Lambda, API Gateway
  • Data persistence with using AWS DynamoDB
  • Decouple microservices with events using AWS EventBridge
  • Message Queues for cross-service communication using AWS SQS
  • Cloud stack development with IaC using AWS CloudFormation CDK

Step by Step Design AWS Architectures w/ Course

I have just published a new course — AWS Serverless Microservices with Patterns & Best Practices.

In this course, we’re going to learn how to Design and Develop AWS Serverless Event-driven Microservices with using AWS Lambda, AWS DynamoDB, AWS API Gateway, AWS EventBridge, AWS SQS, AWS CDK for IaCInfrastructure as Code tool and AWS CloudWatch for monitoring.

Source Code

Get the Source Code from Serverless Microservices GitHub — Clone or fork this repository, if you like don’t forget the star. If you find or ask anything you can directly open issue on repository.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Mehmet Ozkaya

Mehmet Ozkaya

Software/Solutions Architect, Udemy Instructor, Working on Cloud-Native and Serverless Event-driven Microservices Architectures https://github.com/mehmetozkaya