AWSARE.com
  ** Billing & Acct Governance  **    
Will more than one AWS master account be necessary?
  Customers use multiple AWS accounts for different reasons, including security segregation (an account is the hardest isolation boundary AWS offers, since nothing in one account can touch another unless access is explicitly granted) and finer billing or charge-back granularity. Consolidated billing can aggregate the bills of multiple accounts; however, the more accounts there are, the greater the administrative overhead of managing and sharing resources across them.

 
What is the purpose of each account and how will they be linked?  
  Organizations can simplify the use of multiple accounts by using a single consolidated billing (payer) account for billing purposes and sub or linked accounts for consuming AWS resources. Sub-accounts can then be used for different purposes, such as separating dev/test/prod or creating completely separate environments for various business units or customers.
 
Has your organization requested consolidated or invoice billing?  
  Consolidated billing allows customers to receive a single bill for multiple AWS accounts and to potentially lower costs by rolling up usage across these accounts. Invoice billing allows AWS customers to receive their AWS bills through invoices rather than on a corporate or personal credit card.
 
What form of charge-back is required and how will charge-back rates or bills be calculated?  
  AWS provides programmatic access to monthly and detailed (hourly) billing data, as well as more granular cost tracking through cost allocation tags. Tags can represent your business dimensions (e.g. cost centers, application owners) to organize and track your costs. AWS generates a Cost Allocation Report with the total charges, downloadable as a comma-separated values (CSV) file.
 
What billing optimization steps will be taken?  
  Customers can optimize their costs on AWS by choosing appropriate instance sizes, automating their environments to scale up or down depending on utilization or schedule, and leveraging the most appropriate pricing model (on demand, reserved, or spot instances).
 
How will the organization leverage reserved or spot instances?  
  Please see the Amazon EC2 Instance Purchasing Options website for descriptions and recommendations associated with each purchasing option.
 
Has your organization set up billing alerts?  
  Customers can choose to receive alerts by email or SMS text message when charges exceed their expected thresholds. These alerts are triggered by Amazon CloudWatch alarms on the estimated-charges billing metric and delivered through Amazon Simple Notification Service (SNS). Beyond cost control, an unexpected jump in estimated charges is often the first visible sign of abused credentials (for example, a leaked access key being used to launch instances), so the alert should reach the security team as well as finance.
 

    ** Security & Access Management  **  
How will your administrators, systems, or applications authenticate their AWS infrastructure requests to AWS APIs?
  AWS provides a number of authentication mechanisms, including console passwords, access key IDs with secret access keys, X.509 certificates, and MFA devices, to control access to AWS APIs. Console authentication is most appropriate for administrative or manual activities; access key IDs and secret access keys for REST-based interfaces or tools, where the secret is used to sign each request and is never itself transmitted; and X.509 certificates for SOAP-based interfaces and tools. MFA is an additional factor layered on a console password or on API access, not a replacement for either. Your organization should consider the circumstances under which it will use access keys, X.509 certificates, console passwords, or MFA devices.
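How an access key ID and secret access key actually authenticate a REST request, as an added example that is not part of the original checklist: a pure-Python implementation of the AWS Signature Version 4 scheme. The inputs (key id AKIDEXAMPLE, AWS's published dummy secret, an IAM ListUsers call dated 20150830T123600Z) are those of the worked example in AWS's SigV4 documentation, so the computed signature can be compared with the value printed there; the function names are my own.

```python
import hashlib
import hmac
from urllib.parse import quote

ALGORITHM = "AWS4-HMAC-SHA256"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def canonical_request(method, path, query, headers, payload):
    """Build the SigV4 canonical request and the signed-headers list.

    Header names are lower-cased and sorted, runs of spaces in values are
    collapsed, and query parameters are sorted and RFC 3986 encoded.
    """
    canon_headers = {k.lower().strip(): " ".join(v.split()) for k, v in headers.items()}
    signed_headers = ";".join(sorted(canon_headers))
    header_block = "".join(f"{k}:{canon_headers[k]}\n" for k in sorted(canon_headers))
    canon_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(query.items())
    )
    request = "\n".join([
        method.upper(),
        quote(path, safe="/-_.~"),
        canon_query,
        header_block,          # ends with "\n", which yields the blank separator line
        signed_headers,
        sha256_hex(payload),   # the body hash binds the payload to the signature
    ])
    return request, signed_headers


def signing_key(secret_access_key, date, region, service):
    """Derive the per-day, per-region, per-service key; the raw secret never leaves the client."""
    k_date = hmac_sha256(("AWS4" + secret_access_key).encode("utf-8"), date)
    k_region = hmac_sha256(k_date, region)
    k_service = hmac_sha256(k_region, service)
    return hmac_sha256(k_service, "aws4_request")


def sign_request(access_key_id, secret_access_key, region, service,
                 method, path, query, headers, payload, amz_date):
    """Return the canonical request, string to sign, signature and Authorization header."""
    date = amz_date[:8]
    headers = dict(headers)
    headers["X-Amz-Date"] = amz_date          # the timestamp is signed, which bounds replay
    creq, signed_headers = canonical_request(method, path, query, headers, payload)
    scope = f"{date}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([ALGORITHM, amz_date, scope, sha256_hex(creq.encode("utf-8"))])
    key = signing_key(secret_access_key, date, region, service)
    signature = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    authorization = (f"{ALGORITHM} Credential={access_key_id}/{scope}, "
                     f"SignedHeaders={signed_headers}, Signature={signature}")
    return {
        "canonical_request": creq,
        "string_to_sign": string_to_sign,
        "signature": signature,
        "authorization": authorization,
    }


# Inputs of the AWS documentation example; the secret is AWS's published dummy value.
EXAMPLE = dict(
    access_key_id="AKIDEXAMPLE",
    secret_access_key="wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY",
    region="us-east-1",
    service="iam",
    method="GET",
    path="/",
    query={"Action": "ListUsers", "Version": "2010-05-08"},
    headers={"Host": "iam.amazonaws.com",
             "Content-Type": "application/x-www-form-urlencoded; charset=utf-8"},
    payload=b"",
    amz_date="20150830T123600Z",
)


def example_signature():
    return sign_request(**EXAMPLE)


if __name__ == "__main__":
    result = example_signature()
    print(result["canonical_request"])
    print(result["authorization"])
```

The security point is visible in the derivation: the access key ID travels in clear in the Authorization header (it is an identifier, not a secret), while the secret only ever feeds an HMAC chain, and the resulting signature is bound to the date, region, service, headers and body. Anyone holding the secret can produce valid signatures for any API call, which is why rotation and scoping of keys matter as much as protecting them.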
Has your organization established internal credential management policies and procedures for creating, distributing, rotating, and revoking AWS access credentials?
  Incorporating AWS access credentials into an organization’s existing internal credential management policies and procedures is an important and typically straightforward exercise for our customers.
Is your organization leveraging IAM users and/or temporary security tokens?
  AWS recommends using AWS Identity and Access Management (IAM) credentials, combined with internal security processes and controls, to provide unique, role-based, least-privilege access to AWS APIs, rather than sharing the account's root credentials among people or applications.
How will your organization manage application AWS credentials?
  Organizations often find it difficult to implement security best practices for AWS key rotation. When rotating AWS keys, every copy of the old access key needs to be replaced, and the rotation must itself be done securely, which is a challenge when managing large application fleets. Consider using IAM roles for EC2 instances, or a third-party or custom secrets management solution, instead of embedding credentials in Amazon Machine Images, where they persist in every instance and snapshot derived from the image. Make sure your organization intentionally incorporates the management of these credentials into its image and instance configuration management processes.
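A rotation routine that respects the "every copy must change" constraint, added here as an example and not taken from the original checklist. The IAM client is an in-memory stand-in I constructed so the code runs offline; it mimics the four boto3 IAM methods the routine calls (list_access_keys, create_access_key, update_access_key, delete_access_key). The user name, key ids and the `distribute` hook are assumptions for illustration.

```python
MAX_ACCESS_KEYS_PER_USER = 2   # IAM quota: an IAM user can hold at most two access keys


class FakeIAMClient:
    """In-memory stand-in for the boto3 IAM client methods used below.

    Constructed for this example so it runs offline; a real boto3.client("iam")
    exposes the same method names and response shapes.
    """

    def __init__(self, user_name, keys):
        self.user_name = user_name
        self.keys = {kid: {"UserName": user_name, "AccessKeyId": kid, "Status": status}
                     for kid, status in keys}
        self._created = 0

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [dict(k) for k in self.keys.values() if k["UserName"] == UserName]}

    def create_access_key(self, UserName):
        if len(self.keys) >= MAX_ACCESS_KEYS_PER_USER:
            raise RuntimeError("LimitExceeded: Cannot exceed quota for AccessKeysPerUser")
        self._created += 1
        kid = f"AKIANEW{self._created:013d}"      # constructed, not a real key id
        self.keys[kid] = {"UserName": UserName, "AccessKeyId": kid, "Status": "Active"}
        return {"AccessKey": {**self.keys[kid], "SecretAccessKey": f"constructed-secret-{self._created}"}}

    def update_access_key(self, UserName, AccessKeyId, Status):
        self.keys[AccessKeyId]["Status"] = Status

    def delete_access_key(self, UserName, AccessKeyId):
        del self.keys[AccessKeyId]


def _keys_for(iam, user_name):
    return {k["AccessKeyId"]: k for k in iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]}


def rotate_access_key(iam, user_name, old_key_id, distribute):
    """Phase 1: create a replacement, push it to every consumer, then disable the old key.

    `distribute(key_id, secret)` is the caller's hook that updates each copy of
    the credential (secrets store, configuration management, ...). The old key
    is only set Inactive after distribution succeeds, so consumers are never
    left without a working credential. Returns the new key id.
    """
    keys = _keys_for(iam, user_name)
    if old_key_id not in keys:
        raise ValueError(f"{old_key_id} does not belong to {user_name}")

    # Make room under the two-key quota. The only key that is safe to evict
    # is an Inactive one; two Active keys means something may still use both.
    if len(keys) >= MAX_ACCESS_KEYS_PER_USER:
        inactive = [k for k, meta in keys.items() if k != old_key_id and meta["Status"] == "Inactive"]
        if not inactive:
            raise RuntimeError(f"{user_name} already has two Active keys; investigate before rotating")
        iam.delete_access_key(UserName=user_name, AccessKeyId=inactive[0])

    new_key = iam.create_access_key(UserName=user_name)["AccessKey"]
    try:
        distribute(new_key["AccessKeyId"], new_key["SecretAccessKey"])
    except Exception:
        # Distribution failed: remove the half-deployed key rather than leave a stray credential.
        iam.delete_access_key(UserName=user_name, AccessKeyId=new_key["AccessKeyId"])
        raise
    iam.update_access_key(UserName=user_name, AccessKeyId=old_key_id, Status="Inactive")
    return new_key["AccessKeyId"]


def retire_access_key(iam, user_name, key_id):
    """Phase 2, after an observation window: delete a key that has stayed Inactive.

    If the key was re-enabled in the meantime, something still depended on it
    and deleting it would be an outage, so refuse instead.
    """
    keys = _keys_for(iam, user_name)
    if keys.get(key_id, {}).get("Status") != "Inactive":
        raise RuntimeError(f"{key_id} is not Inactive; do not delete")
    iam.delete_access_key(UserName=user_name, AccessKeyId=key_id)
    return True


if __name__ == "__main__":
    iam = FakeIAMClient("app-service-user", [("AKIAOLD000000000000A", "Active")])
    new_id = rotate_access_key(iam, "app-service-user", "AKIAOLD000000000000A",
                               lambda kid, secret: print("distributed", kid))
    retire_access_key(iam, "app-service-user", "AKIAOLD000000000000A")
    print(sorted(iam.keys))
```

The two-phase shape (deactivate, observe, then delete) is what makes a missed copy of the old key a recoverable mistake: a consumer that breaks during the observation window can be fixed by re-activating the old key, whereas a deleted key cannot be brought back.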
Has your organization segregated IAM administrative privileges from regular user privileges?
  AWS recommends that organizations segregate security credential administration from standard administrative privileges by creating a dedicated IAM administrative role and explicitly denying IAM actions to the compute, storage, and networking roles. Without that separation, any role that can create users, access keys, or policies can grant itself whatever it lacks, so the least-privilege boundaries drawn elsewhere are only as strong as the weakest role holding IAM rights.
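A check for that separation, added here as an example and not part of the original checklist: a simplified IAM policy evaluator that flags any role outside a designated admin set whose policy grants credential- or privilege-creating IAM actions. The role names, the policy documents and the choice of `IamAdministrator` as the permitted role are constructed for illustration; the evaluator honours Action, NotAction and explicit Deny but ignores Resource and Condition, which errs on the side of reporting.

```python
import fnmatch

IAM_ADMIN_ROLES = {"IamAdministrator"}   # assumed: the one role meant to manage IAM

# A sample of IAM actions that create or extend credentials or privileges.
SENSITIVE_IAM_ACTIONS = [
    "iam:CreateUser", "iam:CreateAccessKey", "iam:CreateLoginProfile",
    "iam:AttachUserPolicy", "iam:AttachRolePolicy", "iam:PutRolePolicy",
    "iam:UpdateAssumeRolePolicy",
]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(action, pattern):
    # IAM action names are case-insensitive and patterns may contain '*' and '?'.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def statement_covers(statement, action):
    """True if the statement's Action/NotAction set includes `action`."""
    if "NotAction" in statement:
        return not any(_matches(action, p) for p in _as_list(statement["NotAction"]))
    return any(_matches(action, p) for p in _as_list(statement.get("Action", [])))


def policy_allows(policy, action):
    """Simplified evaluation: an explicit Deny wins, otherwise any Allow grants.

    Resource and Condition are ignored, so a 'yes' here means 'possibly
    allowed'; refine before treating a 'no' as proof of absence.
    """
    statements = _as_list(policy["Statement"])
    if any(s.get("Effect") == "Deny" and statement_covers(s, action) for s in statements):
        return False
    return any(s.get("Effect") == "Allow" and statement_covers(s, action) for s in statements)


def audit_iam_separation(role_policies):
    """Return {role: [sensitive IAM actions it can call]} for roles outside the admin set."""
    findings = {}
    for role, policy in role_policies.items():
        if role in IAM_ADMIN_ROLES:
            continue
        hits = [a for a in SENSITIVE_IAM_ACTIONS if policy_allows(policy, a)]
        if hits:
            findings[role] = hits
    return findings


# Constructed sample: one policy document per role.
SAMPLE_ROLE_POLICIES = {
    "IamAdministrator": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "iam:*", "Resource": "*"}]},
    # infrastructure role with IAM explicitly denied: the recommended shape
    "ComputeOperator": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["ec2:*", "autoscaling:*"], "Resource": "*"},
        {"Effect": "Deny", "Action": "iam:*", "Resource": "*"}]},
    # the mistake: an infrastructure role that also quietly holds IAM rights
    "StorageOperator": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "iam:*"], "Resource": "*"}]},
    # NotAction grants everything not listed, so IAM is included here
    "LegacyPowerUser": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "NotAction": ["organizations:*"], "Resource": "*"}]},
    # the NotAction form done right: IAM carved out
    "PowerUser": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "NotAction": ["iam:*", "organizations:*", "account:*"], "Resource": "*"}]},
}


if __name__ == "__main__":
    for role, actions in audit_iam_separation(SAMPLE_ROLE_POLICIES).items():
        print(f"{role}: can call {', '.join(actions)}")
```

The NotAction cases are the ones that slip past a grep for `iam:`: a policy that never mentions IAM can still grant all of it.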

  ** Asset Management  **  
Is your organization leveraging AWS provided instance and service specific metadata as part of its asset management strategy?  
  AWS provides out-of-the-box metadata for each of its services to help your organization identify, track, and manage your AWS resources. Customers can leverage this metadata to track Amazon EC2 instances or storage by server image (AMI), operating system, compute architecture (32-bit or 64-bit), volume id, snapshot, attached storage, and many other categories.
 
Is your organization leveraging custom resource tags to track and identify AWS resources?  
  In addition to the out-of-the-box metadata, AWS allows customers to apply their own custom tags. Resources could be tagged by support team, application version, cost center, environment type, lifecycle status or any other category that will help your organization more effectively manage its AWS resource assets.
 
Does your organization have a resource tagging strategy?  
  Although AWS supports ad hoc resource tagging, an organization will get the most benefit from tagging if they strategically plan for the intentional and systematic use of resource tags.
 
How will AWS assets be integrated with internal asset management systems?  
  AWS resources can be programmatically or manually queried to easily pull service and resource metadata into existing asset management systems and processes.
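What pulling that metadata into an asset system looks like in practice, as an added example that is not part of the original checklist: the nested response of an EC2 describe_instances call is flattened into one record per instance (image, architecture, platform, attached volumes, tags) and each record is checked against a required-tag policy, which is the enforcement half of the tagging strategy the checklist asks about. The response is constructed inline in the shape boto3 returns so the code runs offline; the instance ids, the three required tags and the allowed Environment values are assumptions.

```python
REQUIRED_TAGS = {"Owner", "CostCenter", "Environment"}     # assumed tagging policy
ALLOWED_ENVIRONMENTS = {"dev", "test", "prod"}

# Constructed response in the shape returned by ec2.describe_instances().
SAMPLE_DESCRIBE_INSTANCES = {"Reservations": [
    {"Instances": [
        {"InstanceId": "i-0aaaaaaaaaaaaaaa1", "ImageId": "ami-0123456789abcdef0",
         "Architecture": "x86_64", "InstanceType": "t3.medium",
         "State": {"Name": "running"}, "Platform": "windows",
         "BlockDeviceMappings": [{"DeviceName": "/dev/sda1", "Ebs": {"VolumeId": "vol-0aaa1"}}],
         "Tags": [{"Key": "Owner", "Value": "payments"}, {"Key": "CostCenter", "Value": "CC-1042"},
                  {"Key": "Environment", "Value": "prod"}]},
        {"InstanceId": "i-0bbbbbbbbbbbbbbb2", "ImageId": "ami-0123456789abcdef0",
         "Architecture": "x86_64", "InstanceType": "t3.large",
         "State": {"Name": "running"},
         "BlockDeviceMappings": [{"DeviceName": "/dev/xvda", "Ebs": {"VolumeId": "vol-0bbb2"}},
                                 {"DeviceName": "/dev/xvdf", "Ebs": {"VolumeId": "vol-0bbb3"}}],
         "Tags": [{"Key": "Name", "Value": "scratch-box"}, {"Key": "Environment", "Value": "Production"}]},
    ]},
    {"Instances": [
        {"InstanceId": "i-0ccccccccccccccc3", "ImageId": "ami-0fedcba9876543210",
         "Architecture": "arm64", "InstanceType": "t4g.small",
         "State": {"Name": "stopped"}, "BlockDeviceMappings": []},
    ]},
]}


def flatten_instances(response):
    """Turn the nested Reservations/Instances structure into flat asset records."""
    for reservation in response["Reservations"]:
        for inst in reservation["Instances"]:
            yield {
                "InstanceId": inst["InstanceId"],
                "ImageId": inst["ImageId"],
                "Architecture": inst.get("Architecture"),
                "Platform": inst.get("Platform", "linux"),   # EC2 only sets Platform for Windows
                "InstanceType": inst.get("InstanceType"),
                "State": inst.get("State", {}).get("Name"),
                "Volumes": [m["Ebs"]["VolumeId"] for m in inst.get("BlockDeviceMappings", []) if "Ebs" in m],
                "Tags": {t["Key"]: t["Value"] for t in inst.get("Tags", [])},
            }


def tag_findings(asset):
    """List the ways an asset violates the tagging policy."""
    problems = [f"missing tag {t}" for t in sorted(REQUIRED_TAGS - set(asset["Tags"]))]
    env = asset["Tags"].get("Environment")
    if env is not None and env not in ALLOWED_ENVIRONMENTS:
        # Tag values are free text, so a drifted spelling breaks cost reports and filters alike.
        problems.append(f"Environment={env!r} not in {sorted(ALLOWED_ENVIRONMENTS)}")
    return problems


def build_inventory(response):
    """Flatten and annotate; the result is what you would push into a CMDB."""
    inventory = []
    for asset in flatten_instances(response):
        asset["Findings"] = tag_findings(asset)
        inventory.append(asset)
    return inventory


def noncompliant(inventory):
    return [a["InstanceId"] for a in inventory if a["Findings"]]


if __name__ == "__main__":
    for asset in build_inventory(SAMPLE_DESCRIBE_INSTANCES):
        status = "; ".join(asset["Findings"]) or "ok"
        print(asset["InstanceId"], asset["Platform"], asset["Architecture"], asset["Volumes"], status)
```

An untagged instance is usually also an unowned one, so the same report that drives charge-back doubles as a list of machines nobody will patch or answer for during an incident.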
 

  ** Configuration & Change Management **    
How will your organization manage server images (AMIs)?  
  Server images must be periodically updated with patches and software updates. AWS provides a number of tools that can be incorporated in your organization’s image management processes to assist in the creation and management of AWS images.
 
Will instances be automatically configured at launch or manually configured later?  
  Automating instance configuration on boot, by passing user data to the instance at launch or embedding change and configuration management agents in a server image, allows instances and applications to take advantage of instance metadata, cloud automation, scaling, and high-availability capabilities. Note that user data is readable by any process on the instance through the instance metadata service, so it must not carry secrets; have the bootstrap fetch credentials through an instance role instead.
 
How will OS credentials be instrumented and controlled when instances are launched or terminated?  
  Typically, organizations preconfigure their server images to automatically connect and register with corporate LDAP or Active Directory domains when they are launched to provide centralized OS credentials management and control.
 
How will patches and upgrades be applied?  
  Organizations take different patch and upgrade management approaches depending on their application’s characteristics and requirements. Updates can be applied to existing instances using traditional software deployment tools or by replacing outdated software running on older instances with newer, patched, and upgraded server images.
 
Will applications be managed as homogeneous fleets?  
  Managing applications as homogeneous fleets allows infrastructure to be dynamically and automatically provisioned or released based on predictable utilization patterns.
 
How will your organization manage changes to OS hardening baselines, configure security groups or OS firewalls, and monitor their instances for intrusions or unauthorized changes?  
  Most organizations already have existing internal IT change and configuration management processes and tools that can incorporate AWS related changes with minimal modification.
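Two of the checks the question above asks for, written as an added example that is not part of the original checklist: an audit of security group ingress rules that admit SSH, RDP or all traffic from the whole internet, and a drift check that diffs the current rule set against an approved baseline so an unauthorized change surfaces as a concrete added or removed rule. The describe_security_groups response is constructed inline in the shape boto3 returns so the code runs offline; the group ids, the choice of ports 22 and 3389 as "admin ports", and the baseline are assumptions.

```python
ADMIN_PORTS = {22, 3389}                     # ssh and rdp; assumed list
ANYWHERE = {"0.0.0.0/0", "::/0"}

# Constructed response in the shape returned by ec2.describe_security_groups().
SAMPLE_SECURITY_GROUPS = {"SecurityGroups": [
    {"GroupId": "sg-0web0000000000001", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
         "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0bastion000000002", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0db00000000000003", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [], "Ipv6Ranges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0web0000000000001"}]}]},
    {"GroupId": "sg-0legacy00000000004", "GroupName": "legacy", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
         "UserIdGroupPairs": []}]},
]}


def normalize_rules(response):
    """Flatten every ingress permission into (group_id, protocol, from_port, to_port, source) tuples."""
    rules = set()
    for sg in response["SecurityGroups"]:
        for perm in sg["IpPermissions"]:
            proto = perm["IpProtocol"]
            lo = perm.get("FromPort", 0)           # protocol "-1" (all traffic) carries no port fields
            hi = perm.get("ToPort", 65535)
            sources = ([r["CidrIp"] for r in perm.get("IpRanges", [])]
                       + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
                       + [p["GroupId"] for p in perm.get("UserIdGroupPairs", [])])
            for src in sources:
                rules.add((sg["GroupId"], proto, lo, hi, src))
    return rules


def exposes_admin_port(rule):
    _, proto, lo, hi, src = rule
    if src not in ANYWHERE:
        return False
    return proto == "-1" or any(lo <= port <= hi for port in ADMIN_PORTS)


def audit_security_groups(response):
    """Rules that admit ssh/rdp or all traffic from the entire internet."""
    return sorted(r for r in normalize_rules(response) if exposes_admin_port(r))


def diff_against_baseline(baseline_rules, response):
    """Drift detection: what was added or removed relative to an approved rule set."""
    current = normalize_rules(response)
    return {"added": sorted(current - baseline_rules), "removed": sorted(baseline_rules - current)}


if __name__ == "__main__":
    for rule in audit_security_groups(SAMPLE_SECURITY_GROUPS):
        print("open to the internet:", rule)
    # Pretend the approved baseline predates the "legacy" group's allow-all rule.
    approved = normalize_rules(SAMPLE_SECURITY_GROUPS) - {("sg-0legacy00000000004", "-1", 0, 65535, "0.0.0.0/0")}
    print(diff_against_baseline(approved, SAMPLE_SECURITY_GROUPS))
```

Normalizing to tuples is what makes the drift check cheap: the baseline can be stored in version control next to the change tickets that justified each rule, and a scheduled run that reports a non-empty `added` or `removed` set is the unauthorized-change alarm.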
 

  ** Release & Deployment Management **  
What software release and deployment process or methodology will your organization leverage?  
  Organizations have full control over their software release and deployment processes. Some organizations utilize traditional release and deployment processes that deploy approved releases from a controlled software repository to existing servers. Other organizations bundle, promote, and release complete software stacks incorporating applications and server images combined throughout the development lifecycle.
 
Will newer versions of an application be phased-in to existing server farms and older versions phased-out?  
  AWS provides organizations with the opportunity to implement new, shorter maintenance window deployment models by quickly and cheaply spinning up new application versions to gradually replace older instances over time.
 
Will weighted load distribution patterns be used to intentionally deploy, test, migrate, and roll-out or roll-back new application releases?  
  Just as AWS enables organizations to take advantage of new deployment models, these same models can also be used as part of testing, migration, or roll-back processes to more quickly and seamlessly support release and deployment processes.
 
How can your organization leverage infrastructure bootstrapping and application deployment tools to more quickly and effectively introduce or roll-back changes?  
  Releasing and deploying applications on AWS gives organizations an opportunity to reevaluate their existing processes and determine where efficiency can be improved through cloud-friendly change, configuration, release, and deployment automation.
 
How can your organization make its applications more infrastructure-aware so applications can become active participants in making the infrastructure changes required to support a specific software release or deployment?  
  Traditional applications are dependent on coordination with completely independent infrastructure management teams and change control processes. Often, a deployment weekend consists of separate, coordinated infrastructure changes. After deployment, the infrastructure will ideally remain static until the next change weekend. With AWS, applications now have the option of initiating and automating infrastructure changes either during scheduled deployments or automatically in response to changing user demands on the application. When releasing and deploying applications on AWS, organizations should at least consider how actively the application should be able to participate in the process of ensuring the infrastructure is deployed and configured to best support its business functions.
 