We use AWS Identity and Access Management (IAM) to provide user-specific credentials, rather than shared ones, for making AWS infrastructure requests.
We understand which of our instances are Amazon Elastic Block Store (Amazon EBS)-backed versus instance store-backed, have intentionally chosen the most appropriate type of storage, and understand the implications for data persistence, backup, and recovery (instance store data does not survive a stop or termination).
We understand AWS dynamic IP addressing and have ensured that our application will keep functioning when application components are restarted and come back with different addresses (e.g., using third-party or Elastic Load Balancing, Amazon Virtual Private Cloud (Amazon VPC) static address assignments, elastic IP addresses, or dynamic DNS).
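One way to verify the first item mechanically is to run the IAM credential report through a small checker that flags the patterns a shared credential usually leaves behind: API keys on the account root, identities without MFA, and keys that have not been rotated. The block below is an added example and is not part of the AWS checklist; the column names match the CSV returned by `aws iam get-credential-report`, but the rows, the audit date and the 90-day key-age threshold are constructed assumptions.

```python
"""Flag shared-credential risks in an IAM credential report.

Added example, not part of the AWS checklist. Column names match the CSV that
`aws iam get-credential-report` returns; the rows, the audit date and the
90-day key-age threshold below are constructed assumptions.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

ROOT_USER = "<root_account>"  # how the report names the account root
AUDIT_DATE = datetime(2014, 3, 1, tzinfo=timezone.utc)  # assumed "now"

# Constructed sample report (a subset of the real columns, same names).
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date
<root_account>,arn:aws:iam::123456789012:root,not_supported,false,true,2013-01-05T10:00:00+00:00,2014-02-01T12:00:00+00:00
alice,arn:aws:iam::123456789012:user/alice,true,true,true,2014-01-20T08:00:00+00:00,2014-02-10T09:00:00+00:00
deploy-shared,arn:aws:iam::123456789012:user/deploy-shared,true,false,true,2013-03-01T00:00:00+00:00,2014-02-11T03:00:00+00:00
bob,arn:aws:iam::123456789012:user/bob,true,false,false,N/A,N/A
"""


def _timestamp(value):
    """Report timestamps are ISO 8601; N/A, no_information etc. mean unknown."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def audit_credential_report(report_csv, now, max_key_age_days=90):
    """Return (user, finding) pairs for root keys, missing MFA and stale keys."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == ROOT_USER
        key_active = row["access_key_1_active"] == "true"
        # The root identity is shared by definition; it should carry no API keys.
        if is_root and key_active:
            findings.append((user, "root access key active"))
        # Root always needs MFA; IAM users need it once they have a console password.
        if row["mfa_active"] == "false" and (is_root or row["password_enabled"] == "true"):
            findings.append((user, "no MFA"))
        # A key nobody rotates is the usual sign of one credential shared across people or systems.
        if key_active:
            rotated = _timestamp(row["access_key_1_last_rotated"])
            if rotated is None or now - rotated > timedelta(days=max_key_age_days):
                findings.append((user, f"access key 1 older than {max_key_age_days} days"))
    return findings


def sample_findings():
    """Run the audit over the constructed report at the assumed audit date."""
    return audit_credential_report(SAMPLE_REPORT, AUDIT_DATE)


if __name__ == "__main__":
    for user, finding in sample_findings():
        print(f"{user}: {finding}")
```

Against a real account, replace `SAMPLE_REPORT` with the decoded content of `get-credential-report` and `AUDIT_DATE` with the current UTC time; the report is generated asynchronously, so call `generate-credential-report` first and retry until it is ready.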
We use separate Amazon EBS volumes for the operating system and application/database data where appropriate.
We regularly back up our Amazon Elastic Compute Cloud (Amazon EC2) instances using Amazon EBS snapshots or another 3rd-party backup tool.
We regularly test our process for recovering our Amazon EC2 instances or Amazon EBS volumes when they fail, whether through customized "golden" Amazon Machine Images (AMIs), Amazon EBS snapshots, bootstrapping, or our own backup and recovery tools.
We have deployed critical components of our applications across multiple availability zones, are appropriately replicating data between zones, and have tested how failure within these components affects application availability.
We understand how failover will occur across application components deployed in multiple availability zones and are using 3rd-party or Elastic Load Balancing and elastic IP addresses where appropriate.
We regularly test our process for patching, updating, and securing our Amazon EC2 operating system, applications, and customized AMIs.
We use individual operating system user accounts with their own credentials, and do not hand the AWS instance key pair's private key to every systems administrator.
We have implemented least-privilege Security Group rules and use Security Groups as the source in other groups' rules (nested Security Groups) to build a tiered network topology where appropriate, so that, for example, the database tier accepts connections only from the application tier's group rather than from an IP range.
We use CNAME records (or, at a zone apex, Route 53 alias records) to map our DNS names to our Elastic Load Balancing endpoints or Amazon Simple Storage Service (Amazon S3) buckets, and NOT A records, because the IP addresses behind these services change.
Before sharing our customized Amazon Machine Images with others, we removed all confidential or sensitive information, including embedded public/private instance key pairs, shell history and any stored credentials, and reviewed all SSH authorized_keys files.
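Two of the items above lend themselves to an automated check: the Security Group hierarchy (internal tiers should reference groups, not CIDR ranges, and the database tier should be several hops from the internet) and the pre-share scrub of an image. The block below is an added example and is not AWS tooling; the security-group dictionaries follow the shape of `ec2 describe-security-groups` output, while the three sample groups, the "only the web tier may listen on 80/443 from anywhere" policy, the mounted-image directory tree and the list of sensitive paths are all constructed assumptions.

```python
"""Audit a nested security-group topology and scrub an image root before sharing.

Added example, not AWS tooling. Group dicts mirror describe-security-groups
output; sample data, tier policy and the sensitive-path list are assumptions.
"""
import fnmatch
import os
import tempfile
from collections import deque

INTERNET = "0.0.0.0/0"

# Constructed three-tier topology: web <- app <- db, plus two deliberate mistakes.
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "GroupName": "web-tier", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": INTERNET}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": INTERNET}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": INTERNET}], "UserIdGroupPairs": []},  # mistake
    ]},
    {"GroupId": "sg-app", "GroupName": "app-tier", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080, "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-web"}]},
    ]},
    {"GroupId": "sg-db", "GroupName": "db-tier", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-app"}]},
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "UserIdGroupPairs": []},  # mistake
    ]},
]
# Assumed policy: only the edge tier may accept CIDR sources, and only on these ports.
PUBLIC_PORTS = {"sg-web": {80, 443}}


def _port_range(perm):
    return None if perm["IpProtocol"] == "-1" else range(perm["FromPort"], perm["ToPort"] + 1)


def audit_security_groups(groups, public_ports=PUBLIC_PORTS):
    """Return (group_id, finding) pairs for every CIDR-sourced rule the policy does not allow."""
    findings = []
    for g in groups:
        gid = g["GroupId"]
        allowed = public_ports.get(gid, set())
        for perm in g["IpPermissions"]:
            ports = _port_range(perm)
            label = "all ports" if ports is None else f"{perm['IpProtocol']}/{ports.start}-{ports[-1]}"
            for rng in perm.get("IpRanges", []):
                cidr = rng["CidrIp"]
                if ports is not None and cidr == INTERNET and set(ports) <= allowed:
                    continue  # an intended public listener
                if gid in public_ports:
                    findings.append((gid, f"{cidr} reaches {label}; approved public ports are {sorted(allowed)}"))
                else:
                    findings.append((gid, f"CIDR source {cidr} on {label}; internal tiers should reference a security group"))
    return findings


def hops_from_internet(groups):
    """BFS over group references: hop 0 accepts 0.0.0.0/0, hop n+1 references a hop-n group.
    Ports are ignored, so this is the worst case if each tier's hosts are compromised in turn."""
    hops, queue = {}, deque()
    for g in groups:
        if any(r["CidrIp"] == INTERNET for p in g["IpPermissions"] for r in p.get("IpRanges", [])):
            hops[g["GroupId"]] = 0
            queue.append(g["GroupId"])
    while queue:
        src = queue.popleft()
        for g in groups:
            gid = g["GroupId"]
            if gid not in hops and any(pair["GroupId"] == src for p in g["IpPermissions"]
                                       for pair in p.get("UserIdGroupPairs", [])):
                hops[gid] = hops[src] + 1
                queue.append(gid)
    return hops


# Paths (relative to the mounted image root) that must not ship in a shared AMI; assumed list.
# fnmatch's '*' also matches '/', which is deliberately broad for a pre-share scrub.
SENSITIVE_GLOBS = [
    "root/.ssh/authorized_keys", "home/*/.ssh/authorized_keys",
    "root/.ssh/id_*", "home/*/.ssh/id_*",
    "root/.aws/credentials", "home/*/.aws/credentials",
    "root/.*_history", "home/*/.*_history",
    "etc/ssh/ssh_host_*_key", "etc/ssh/ssh_host_*_key.pub",
]


def find_sensitive(root):
    """List files under root matching SENSITIVE_GLOBS (symlinks are not followed)."""
    return sorted(os.path.relpath(os.path.join(d, f), root)
                  for d, _, files in os.walk(root) for f in files
                  if any(fnmatch.fnmatch(os.path.relpath(os.path.join(d, f), root), g) for g in SENSITIVE_GLOBS))


def scrub(root):
    """Delete every sensitive file and return what was removed; run it against a
    mounted volume, not the live root, or the current shell rewrites its history on exit."""
    removed = find_sensitive(root)
    for rel in removed:
        os.remove(os.path.join(root, rel))
    return removed


def build_sample_root(root):
    """Constructed image tree with secrets mixed among files that must survive."""
    files = {
        "root/.ssh/authorized_keys": "ssh-rsa AAAA... admin@build\n",
        "root/.bash_history": "aws configure\n",
        "home/ec2-user/.ssh/authorized_keys": "ssh-rsa AAAA... ec2-user\n",
        "home/ec2-user/.aws/credentials": "[default]\naws_access_key_id = EXAMPLE\n",
        "etc/ssh/ssh_host_rsa_key": "-----BEGIN RSA PRIVATE KEY-----\n",
        "etc/ssh/sshd_config": "PermitRootLogin no\n",
        "home/ec2-user/app/config.yml": "port: 8080\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)


def self_check():
    """Scrub the constructed tree; return (removed, remaining) relative paths."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_root(root)
        removed = scrub(root)
        remaining = sorted(os.path.relpath(os.path.join(d, f), root)
                           for d, _, files in os.walk(root) for f in files)
        return removed, remaining


if __name__ == "__main__":
    for gid, finding in audit_security_groups(SAMPLE_GROUPS):
        print(f"{gid}: {finding}")
    print("hops from internet:", hops_from_internet(SAMPLE_GROUPS))
    print("scrubbed:", self_check()[0])
```

On the sample topology the audit reports the SSH listener open to the world on the web tier and the private CIDR on the database tier, and the hop count shows the database group two references away from the internet; a database group at hop 0 or 1 is the thing to look for. Removing the SSH host keys is safe on images where cloud-init regenerates them on first boot; verify that for your own base image before relying on it.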
We have fully tested our AWS-hosted application, including performance testing, prior to going live.
We have signed our production AWS accounts up for business or enterprise support and have a plan for incorporating AWS Trusted Advisor reports into our ongoing operational reviews.