Current AWS Workload recommendations December 2020

There’s a heap of Best Practice around workloads online and in AWS, and here are some of my current thoughts as at December 2020 – your mileage may vary, caveat emptor, no warranty expressed or implied, and you may have use-cases that justify something different:

| Pattern | Recommendation | Rationale |
|---|---|---|
| Multi-AZ VPC | Design the address space for 4 AZs | In an AZ outage, having just one AZ remaining to satisfy demand during a rush is not enough; and because contiguous address space only splits on CIDR boundaries in powers of two, the next step after 2 AZs is 4 anyway, so plan for 4 from the start. |
| VPC DNSSEC validation | Enable for VPC resolver validation, but be ready for external zones to stuff up their DNSSEC keys | Failing closed may be better than failing open, but new failure modes need to be understood. |
| Route53 Hosted Zone DNSSEC | Hold off until current issues are resolved if you use CloudFront | New service, new failure modes. |
| TLS versions | TLS 1.2 and above only | Older versions have already been removed from many clients; be ready for TLS 1.3 and above only. |
| VPC IPv6 | Enable for all subnets | 33% of traffic worldwide is now IPv6; your external interfaces (ALB/NLB) should all be dual-stack now as a minimum. Don’t forget your AAAA Alias DNS records. |
| VPC external egress for private subnets | Minimise, and avoid if possible | You shouldn’t have any boot-time or runtime dependencies on the Internet, apart from the outbound integrations you are explicitly creating. Use VPC Endpoints for S3 and other services. Minimise Internet transit. |
| CloudFront IPv6 | Enable for all distributions | As above; particularly if your origin is only on IPv4. Don’t forget your AAAA Alias DNS records. |
| HTTP interfaces | Only for the apex of the domain, if you think people will type your address by hand into a browser; for all other services, do not listen on port 80 (HTTP) at all | Avoid convenience redirects; they are a point of weakness. Use HTTPS for everything, including internal services. |
| ACM public TLS certificates | Use DNS validation, and leave the validation record in place for subsequent reissue | Removes the manual work in renewing and redeploying certificates. |
| S3 Block Public Access | Do this for every bucket, and if possible account-wide AS WELL | Two levels of this, in case you have to disable the account-wide setting in future. |
| S3 website (anonymous) public hosting | Do not use; look at CloudFront with an Origin Access Identity instead | S3 website endpoints are plain HTTP: you can’t get a custom certificate nor control TLS on S3. But beware default document (index) handling and other issues when fronting S3 with CloudFront. |
| S3 access logging | Enable, but set a retention (lifecycle expiry) policy on the log bucket | No logs means no evidence when investigating issues. |
| CloudFront access logging | Enable, but set a retention (lifecycle expiry) policy on the log bucket | No logs means no evidence when investigating issues. |
| VPC Flow Logs | Enable for all VPCs, but set a retention policy on the CloudWatch Log Group | No logs means no evidence when investigating issues. |
| Database | Use RDS or Aurora wherever possible | Less operational overhead. |
| RDS maintenance: minor versions | Always adopt the latest minor version proactively, from Dev through to Prod | Don’t wait for auto minor version upgrade to happen; that typically only occurs when the version you are on is being decommissioned. |
| RDS maintenance: major versions | After testing, move up to the latest major version | Avoid being on a decommissioned major version; the enforced upgrade may be a bigger jump forward than your application can support. |
| RDS encryption in flight | Enforce | Ensure privacy of the connection credentials regardless of where the client is. Don’t assume the client config to use encryption is correct. |
| RDS encryption in flight | Validate | Get the RDS CA certificate(s) into your trust path at application build time. Always automate bringing them in (and validate and log where you get them from). |
| RDS encryption at rest | Enable | KMS is fine. Use a dedicated key for important workloads (and don’t share the key with other accounts). |
| DNS records | Always publish a CAA and an SPF record, even for parked domains | Reduces risk and protects reputation. |
| HTTP security headers | Validate on SecurityHeaders, Hardenize, SSL Labs, Mozilla Observatory and Google Lighthouse (and possibly more) | This is an entire lesson, but an A will stand you in good stead. |
| HTTP security headers: HSTS | Enforce HSTS for a year | We’re never going back to unencrypted HTTP. |
| Public CDNs for libraries in major projects | Avoid; host your own assets | Remove external dependencies. |
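To put numbers on the Multi-AZ VPC row, here is an added example (not code from the original post) that carves a VPC CIDR into per-AZ, per-tier subnets with Python's standard `ipaddress` module and shows why the count rounds up to a power of two. The AZ letters, the two tiers and the 10.0.0.0/16 range are constructed inputs; `load_on_survivors` assumes traffic spreads evenly across the AZs that remain.

```python
import ipaddress
from math import ceil, log2


def plan_subnets(vpc_cidr, azs, tiers):
    """Carve vpc_cidr into one equal block per AZ, then one subnet per tier
    inside each AZ block. Returns {(az, tier): IPv4Network}.

    CIDR blocks only split in powers of two, so the number of AZ blocks is
    rounded up: planning for 3 AZs costs exactly the same address space as
    planning for 4, and the spare block is free to use later.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    az_bits = ceil(log2(len(azs)))       # 2 AZs -> 1 bit, 3 or 4 AZs -> 2 bits
    tier_bits = ceil(log2(len(tiers)))
    az_blocks = list(vpc.subnets(prefixlen_diff=az_bits))
    plan = {}
    for az, block in zip(azs, az_blocks):
        for tier, subnet in zip(tiers, block.subnets(prefixlen_diff=tier_bits)):
            plan[(az, tier)] = subnet
    return plan


def spare_az_blocks(vpc_cidr, azs):
    """AZ-sized blocks left unassigned by plan_subnets (the rounding-up leftovers)."""
    vpc = ipaddress.ip_network(vpc_cidr)
    az_bits = ceil(log2(len(azs)))
    return list(vpc.subnets(prefixlen_diff=az_bits))[len(azs):]


def load_on_survivors(n_azs, utilisation):
    """Per-AZ load after one AZ is lost, as a fraction of each surviving AZ's
    capacity, assuming traffic spreads evenly. Above 1.0 means the survivors
    cannot carry the demand: the 'rush during an outage' case in the table."""
    if n_azs < 2:
        raise ValueError("need at least two AZs to survive losing one")
    return utilisation * n_azs / (n_azs - 1)


if __name__ == "__main__":
    # Constructed example: a /16 VPC across four AZs (a-d) with two tiers.
    plan = plan_subnets("10.0.0.0/16", list("abcd"), ["public", "private"])
    for key, net in sorted(plan.items()):
        print(key, net)
    print("spare blocks when only 3 AZs are used:",
          spare_az_blocks("10.0.0.0/16", list("abc")))
    for n in (2, 3, 4):
        print(f"{n} AZs at 60% utilisation, one lost -> "
              f"{load_on_survivors(n, 0.6):.2f} of each survivor's capacity")
```

With two AZs at 60% utilisation, losing one pushes the survivor to 120%; with four, the survivors sit at 80%. The address cost of planning for four instead of two is the same /16.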
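For the two RDS encryption-in-flight rows (Enforce and Validate), here is an added example, not the post's own code, of the build-time step: validate the CA bundle you fetched before it goes into the trust path, log its provenance, and build a client connection string that actually verifies the server. The bundle URL and host names are placeholders, the `SAMPLE_BUNDLE` is a constructed stand-in (two minimal DER SEQUENCEs, not real certificates), and the client side assumes a libpq-based driver such as psycopg2, where `sslmode=verify-full` plus `sslrootcert` are the standard libpq parameters.

```python
import base64
import hashlib
import re
from datetime import datetime, timezone

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def parse_pem_bundle(pem_text):
    """Return the DER bytes of every CERTIFICATE block in a PEM bundle.

    Rejects bundles with no certificates, bodies that are not strict base64,
    and bodies that do not decode to a DER SEQUENCE (every X.509 certificate
    starts with tag 0x30). This catches the common failure of an HTML error
    page or a truncated download being written into the trust store.
    """
    ders = []
    for body in PEM_CERT.findall(pem_text):
        compact = "".join(body.split())            # drop the 64-column line breaks
        der = base64.b64decode(compact, validate=True)   # binascii.Error is a ValueError
        if not der or der[0] != 0x30:
            raise ValueError("PEM block does not decode to a DER SEQUENCE")
        ders.append(der)
    if not ders:
        raise ValueError("no CERTIFICATE blocks found in bundle")
    return ders


def is_valid_bundle(pem_text):
    try:
        parse_pem_bundle(pem_text)
        return True
    except ValueError:
        return False


def bundle_provenance(pem_text, source_url):
    """Validate the bundle and return the record to log at build time:
    where it came from, when, its hash and how many certificates it holds."""
    ders = parse_pem_bundle(pem_text)
    return {
        "source": source_url,
        "fetched_at": datetime.now(timezone.utc).isoformat(),
        "sha256": hashlib.sha256(pem_text.encode()).hexdigest(),
        "certificates": len(ders),
    }


def libpq_conninfo(host, dbname, user, ca_path):
    """libpq connection string that both encrypts and validates.
    sslmode=verify-full checks the chain against sslrootcert AND that the
    certificate matches host; 'require' alone would accept any certificate."""
    return (f"host={host} dbname={dbname} user={user} "
            f"sslmode=verify-full sslrootcert={ca_path}")


# Constructed stand-in bundle so this runs offline: two minimal DER SEQUENCEs
# wrapped as PEM. They are NOT certificates; use the real RDS bundle in practice.
FAKE_CERT = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()
SAMPLE_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\n" + FAKE_CERT + "\n-----END CERTIFICATE-----\n"
) * 2
BAD_BUNDLE = ("-----BEGIN CERTIFICATE-----\n<html>not a cert</html>\n"
              "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print(bundle_provenance(SAMPLE_BUNDLE, "https://example.invalid/rds-ca-bundle.pem"))
    print(libpq_conninfo("db.example.invalid", "app", "app_ro", "/etc/ssl/rds-ca-bundle.pem"))
    print("bad bundle accepted?", is_valid_bundle(BAD_BUNDLE))
```

The Enforce half lives server-side: in the DB parameter group, `rds.force_ssl=1` for PostgreSQL and `require_secure_transport=ON` for MySQL/MariaDB reject unencrypted connections regardless of what a client asks for. The Validate half is the `verify-full` above; `sslmode=require` encrypts but will happily talk to an impostor.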
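For the DNS records row, here is an added example (mine, not the post's) that parses CAA and SPF record data and checks an apex against the recommendation, distinguishing a parked domain (no issuance, no mail: `issue ";"` and `v=spf1 -all`) from a live one. The record sets are constructed; the ACM example uses `amazon.com`, which is one of the CAA values ACM needs to issue.

```python
import shlex


def parse_caa(rdata):
    """Parse CAA rdata text such as '0 issue "letsencrypt.org"' into
    (flags, tag, value). Tags are case-insensitive (RFC 8659); a value of
    ";" on an issue/issuewild tag means no CA may issue."""
    parts = shlex.split(rdata)          # handles the quoted value
    if len(parts) != 3:
        raise ValueError(f"malformed CAA rdata: {rdata!r}")
    flags, tag, value = parts
    return int(flags), tag.lower(), value


def parse_spf(txt):
    """Parse an SPF TXT record into its mechanisms and the qualifier on 'all'.
    Returns None when the TXT record is not SPF."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    mechanisms, all_qualifier = [], None
    for term in terms[1:]:
        qualifier = "+"                  # RFC 7208: missing qualifier means pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            all_qualifier = qualifier
        else:
            mechanisms.append((qualifier, term))
    return {"mechanisms": mechanisms, "all": all_qualifier}


def check_zone(records, parked):
    """records: list of (rrtype, rdata) strings at the zone apex.
    Returns findings; an empty list means the apex meets the table's row."""
    findings = []
    caa = [parse_caa(r) for t, r in records if t.upper() == "CAA"]
    spf = []
    for t, r in records:
        if t.upper() == "TXT":
            parsed = parse_spf(r)
            if parsed:
                spf.append(parsed)

    issue = [c for c in caa if c[1] in ("issue", "issuewild")]
    if not issue:
        findings.append("no CAA issue/issuewild record: any public CA may issue for this name")
    elif parked and not all(c[2] == ";" for c in issue):
        findings.append("parked domain, but CAA still permits issuance; publish 'issue \";\"'")

    if len(spf) > 1:
        findings.append("more than one SPF record: receivers treat this as a permanent error")
    elif not spf:
        findings.append("no SPF record: anyone can spoof mail from this domain")
    else:
        policy = spf[0]
        if policy["all"] is None:
            findings.append("SPF has no 'all' term: unlisted senders get Neutral, much like no policy")
        elif policy["all"] == "+":
            findings.append("SPF ends in +all, which authorises every sender")
        elif parked and policy["all"] != "-":
            findings.append("parked domain should send no mail: publish 'v=spf1 -all'")
        if parked and policy["mechanisms"]:
            findings.append("parked domain lists mail senders in SPF")
    return findings


# Constructed record sets for the cases above.
PARKED_OK = [("CAA", '0 issue ";"'), ("TXT", "v=spf1 -all")]
PARKED_BAD = [("CAA", '0 issue "letsencrypt.org"'), ("TXT", "v=spf1 ~all")]
LIVE_ACM = [("CAA", '0 issue "amazon.com"'),
            ("CAA", '0 iodef "mailto:security@example.invalid"'),
            ("TXT", "v=spf1 include:_spf.example.invalid -all")]

if __name__ == "__main__":
    for name, recs, parked in (("parked ok", PARKED_OK, True),
                               ("parked bad", PARKED_BAD, True),
                               ("live", LIVE_ACM, False)):
        print(name, "->", check_zone(recs, parked) or "compliant")
```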
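For the two HTTP security header rows, here is an added example (not from the original post) that parses a `Strict-Transport-Security` value as RFC 6797 describes and checks it against "HSTS for a year" (31536000 seconds), then does a presence check for the other headers the named scanners grade. The response headers are constructed; the list of extra headers and the wording of the findings are my choices, not the scanners' exact rules.

```python
ONE_YEAR = 365 * 24 * 60 * 60   # 31536000 seconds: "HSTS for a year"


def parse_hsts(value):
    """Parse a Strict-Transport-Security field value into {directive: value}.
    Directive names are case-insensitive and max-age may be quoted."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    if "max-age" in directives:
        directives["max-age"] = int(directives["max-age"])   # ValueError if junk
    return directives


def check_hsts(headers, min_age=ONE_YEAR):
    """headers: response header name -> value, any letter case.
    Returns findings; empty means HSTS is enforced for at least min_age."""
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get("strict-transport-security")
    if value is None:
        return ["no Strict-Transport-Security header"]
    try:
        d = parse_hsts(value)
    except ValueError:
        return [f"unparseable max-age in {value!r}"]
    findings = []
    if "max-age" not in d:
        findings.append("HSTS without max-age is ignored by browsers")
    elif d["max-age"] == 0:
        findings.append("max-age=0 tells browsers to forget HSTS for this host")
    elif d["max-age"] < min_age:
        findings.append(f"max-age={d['max-age']} is under {min_age} seconds")
    if "includesubdomains" not in d:
        findings.append("no includeSubDomains: subdomains stay reachable over plain HTTP")
    return findings


def check_security_headers(headers):
    """HSTS check plus presence checks for the headers scanners grade on."""
    lowered = {k.lower(): v for k, v in headers.items()}
    findings = check_hsts(headers)
    csp = lowered.get("content-security-policy", "")
    if not csp:
        findings.append("no Content-Security-Policy")
    if lowered.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("add X-Content-Type-Options: nosniff")
    if "x-frame-options" not in lowered and "frame-ancestors" not in csp:
        findings.append("no X-Frame-Options and no CSP frame-ancestors: clickjackable")
    if "referrer-policy" not in lowered:
        findings.append("no Referrer-Policy")
    return findings


# Constructed responses: one that scores well, one with a token HSTS of 5 minutes.
GOOD = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}
WEAK = {"strict-transport-security": "max-age=300"}

if __name__ == "__main__":
    print("good:", check_security_headers(GOOD) or "no findings")
    print("weak:", check_security_headers(WEAK))
```

Note that browsers only honour HSTS received over HTTPS, which is one more reason the HTTP interfaces row says not to listen on port 80 at all: a redirect there is the one request an attacker on the path gets to intercept.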