There’s a heap of best-practice guidance around workloads online and in AWS; here are some of my current thoughts as at December 2020. Your mileage may vary, caveat emptor, no warranty expressed or implied, and you may have use-cases that justify something different:
| Pattern | Recommendation | Rationale |
|---|---|---|
| Multi-AZ VPC | Design the address space for 4 AZs, even if you only deploy to 2 today | With two AZs, an AZ outage leaves a single AZ to carry all demand, which is not enough during a rush. Carving contiguous address space with power-of-two CIDR masks means the step after 2 is 4, and the extra AZs can be added later without renumbering. |
| VPC DNSSEC validation | Enable Route 53 Resolver DNSSEC validation for the VPC, but be ready for external zones to break their own DNSSEC keys | Failing closed may be better than failing open, but the new failure mode (a mis-signed third-party zone becoming unresolvable from your VPC) needs to be understood and monitored. |
| Route53 Hosted Zone DNSSEC | Hold off until the current issues are resolved if you use CloudFront | New service, new failure modes. |
| TLS | 1.2 and above only | Older versions are already removed from many clients; be ready to move to TLS 1.3 and above only. |
| VPC IPv6 | Enable for all subnets | About a third (33%) of traffic worldwide is now IPv6; your external interfaces (ALB/NLB) should all be dual-stack as a minimum. Don’t forget the AAAA Alias DNS records. |
| VPC external egress for private subnets | Minimise; avoid if possible | Apart from the outbound integrations you are explicitly creating, there should be no boot-time or run-time dependency on the Internet. Use VPC endpoints for S3 and other AWS services. Minimise Internet transit. |
| CloudFront IPv6 | Enable for all distributions | As above; particularly useful if your origin is IPv4-only, since CloudFront terminates the IPv6 connection for it. Don’t forget the AAAA Alias DNS records. |
| HTTP interfaces | Only for the apex of the domain, and only if you think people will type your address by hand into a browser; for all other services, do not listen on port 80 (HTTP) at all | Convenience redirects are a point of weakness: the first request goes out unencrypted and can be intercepted before the redirect is seen. Use HTTPS for everything, including internal services. |
| ACM public TLS certificates | Use DNS validation, and leave the validation CNAME records in place for subsequent renewals | Removes the manual work of renewing and redeploying certificates. |
| S3 Block Public Access | Enable for every bucket, and account-wide as well | Two levels of protection, in case the account-wide setting has to be disabled in future. |
| S3 website (anonymous) public hosting | Do not use; look at CloudFront with an Origin Access Identity in front of a private bucket | The S3 website endpoint does not serve HTTPS, and you can’t bring a custom certificate or control TLS settings on S3. But beware of default document (index.html) handling and other differences when you move to CloudFront. |
| S3 access logging | Enable, but set a lifecycle (retention) policy on the logging S3 bucket | No logs means no evidence when investigating issues. |
| CloudFront access logging | Enable, but set a lifecycle (retention) policy on the logging S3 bucket | No logs means no evidence when investigating issues. |
| VPC Flow Logs | Enable for all VPCs, but set a retention policy on the CloudWatch Log group | No logs means no evidence when investigating issues. |
| Database | Use RDS or Aurora wherever possible | Less operational overhead. |
| RDS maintenance: minor versions | Always adopt the latest minor version pro-actively, from Dev through to Prod | Don’t wait for auto minor version upgrade to do it for you; that typically only happens when the version you are on is being deprecated. |
| RDS maintenance: major versions | After testing, move up to the latest major version | Avoid sitting on a deprecated major version; the enforced upgrade may be a bigger jump forward than your application can support. |
| RDS encryption in flight | Enforce on the server side (e.g. the `rds.force_ssl` parameter for PostgreSQL, `require_secure_transport` for MySQL) | Ensures the privacy of the connection credentials regardless of where the client is. Don’t assume the client’s configuration to use encryption is correct. |
| RDS encryption in flight | Validate | Get the RDS CA certificate(s) into your trust path at application build time. Always automate bringing them in (and validate and log where you fetch them from). |
| RDS encryption at rest | Enable | KMS is fine. Use a dedicated key for important workloads (and don’t share the key with other accounts). |
| DNS records | Always publish CAA and SPF records, even for parked domains | Reduces the risk of mis-issued certificates and spoofed mail, and protects your reputation. |
| HTTP security headers | Validate with SecurityHeaders, Hardenize, SSL Labs, Mozilla Observatory and Google Lighthouse (and possibly more) | This is an entire lesson in itself, but an A grade will stand you in good stead. |
| HTTP security headers: HSTS | Enforce HSTS with a max-age of a year | We’re never going back to unencrypted HTTP. |
| Public CDNs for libraries in major projects | Avoid; host your own assets | Removes an external dependency (and a third party that can change what your users execute). |
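As an added example (mine, not from the original post), here is how the 4-AZ address plan in the first row can be worked out with Python’s standard `ipaddress` module. The VPC CIDR (10.0.0.0/16), the two tiers and the AZ naming are assumptions for illustration; the point it shows is that sizing for four AZs while deploying two leaves the second half of the space reserved, so AZs can be added later without renumbering.

```python
import ipaddress


def plan_vpc(vpc_cidr, planned_azs=4, deployed_azs=None, tiers=("public", "private")):
    """Carve vpc_cidr into one equal block per *planned* AZ, then split each AZ
    block into one subnet per tier.

    Sizing for the planned count (4) while only deploying some of the blocks (2)
    keeps the address space contiguous: the 2-AZ deployment occupies exactly the
    first half of the 4-AZ plan, so the remaining AZs can be added later.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    if planned_azs < 1 or planned_azs & (planned_azs - 1):
        raise ValueError("planned_azs must be a power of two so blocks stay contiguous")
    deployed_azs = planned_azs if deployed_azs is None else deployed_azs
    if not 1 <= deployed_azs <= planned_azs:
        raise ValueError("deployed_azs must be between 1 and planned_azs")

    az_bits = planned_azs.bit_length() - 1      # 4 AZs -> 2 extra prefix bits (/16 -> /18)
    tier_bits = (len(tiers) - 1).bit_length()   # 2 tiers -> 1 extra prefix bit (/18 -> /19)
    az_blocks = list(vpc.subnets(prefixlen_diff=az_bits))

    plan = {}
    for index in range(deployed_azs):
        tier_nets = az_blocks[index].subnets(prefixlen_diff=tier_bits)
        plan[f"az{index}"] = dict(zip(tiers, tier_nets))   # assumed AZ labels az0..azN
    return plan


def assert_disjoint(plan):
    """Sanity check before applying a plan: no two subnets may overlap."""
    nets = [net for az in plan.values() for net in az.values()]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"{a} overlaps {b}")
    return True


def survivor_load(az_count):
    """Share of total demand each surviving AZ must absorb if one AZ is lost.
    With 2 AZs the survivor carries everything; with 4, each carries a third."""
    if az_count < 2:
        raise ValueError("need at least two AZs to survive an outage")
    return 1 / (az_count - 1)


if __name__ == "__main__":
    two_az = plan_vpc("10.0.0.0/16", planned_azs=4, deployed_azs=2)
    four_az = plan_vpc("10.0.0.0/16", planned_azs=4)
    for az, subnets in four_az.items():
        state = "deployed" if az in two_az else "reserved"
        print(az, state, {tier: str(net) for tier, net in subnets.items()})
    assert_disjoint(four_az)
    print("survivor load with 2 AZs: %.0f%%" % (survivor_load(2) * 100))
    print("survivor load with 4 AZs: %.0f%%" % (survivor_load(4) * 100))
```

The same planner works for a 3-AZ region: plan for four, deploy three, and the fourth /18 stays reserved rather than being squeezed in later.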
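As an added example (mine, not from the original post) for the DNS records row: building the Route 53 change batch that locks down a parked domain with CAA records and a deny-all SPF record, plus a small CAA evaluator so you can check what an existing zone permits. The domain name and TTL are assumptions; the four CAA issuer values are the ones AWS documents for ACM, and the evaluation rules follow RFC 8659.

```python
import json

# Issuer values AWS documents for ACM's CAA checks (assumed current at the time of writing).
ACM_CAA_ISSUERS = ("amazon.com", "amazontrust.com", "awstrust.com", "amazonaws.com")


def parse_caa(record_value):
    """Parse one CAA RDATA string, e.g. '0 issue "amazon.com"', into (flags, tag, value)."""
    flags, tag, value = record_value.split(" ", 2)
    return int(flags), tag.lower(), value.strip().strip('"')


def caa_permits(caa_values, issuer, wildcard=False):
    """Would a CA identified by `issuer` be allowed to issue for this name?

    RFC 8659: with no CAA records any CA may issue. Otherwise the CA must be named
    in an 'issue' record, or in an 'issuewild' record for wildcard certificates
    ('issuewild' takes precedence over 'issue' only when it is present).
    """
    parsed = [parse_caa(v) for v in caa_values]
    if not parsed:
        return True
    tag = "issue"
    if wildcard and any(t == "issuewild" for _, t, _ in parsed):
        tag = "issuewild"
    # Values may carry parameters after ';' (e.g. 'ca.example; account=123'); keep the domain.
    allowed = {value.split(";")[0].strip().lower() for _, t, value in parsed if t == tag}
    return issuer.lower() in allowed


def parked_domain_change_batch(domain, ttl=3600, allowed_issuers=ACM_CAA_ISSUERS):
    """Route 53 ChangeBatch that restricts certificate issuance to the listed CAs
    and publishes an SPF record declaring that the domain sends no mail."""
    caa_values = [f'0 issue "{issuer}"' for issuer in allowed_issuers]
    return {
        "Comment": f"Parked-domain protection for {domain}",
        "Changes": [
            {
                "Action": "UPSERT",
                "ResourceRecordSet": {
                    "Name": f"{domain}.",
                    "Type": "CAA",
                    "TTL": ttl,
                    "ResourceRecords": [{"Value": v} for v in caa_values],
                },
            },
            {
                "Action": "UPSERT",
                "ResourceRecordSet": {
                    "Name": f"{domain}.",
                    "Type": "TXT",
                    "TTL": ttl,
                    # Route 53 TXT values must be quoted strings.
                    "ResourceRecords": [{"Value": '"v=spf1 -all"'}],
                },
            },
        ],
    }


if __name__ == "__main__":
    batch = parked_domain_change_batch("example.com")   # example.com is a placeholder
    print(json.dumps(batch, indent=2))
    caa = [r["Value"] for r in batch["Changes"][0]["ResourceRecordSet"]["ResourceRecords"]]
    print("ACM may issue:", caa_permits(caa, "amazon.com"))
    print("another CA may issue:", caa_permits(caa, "ca.example"))
```

Write the printed JSON to a file and apply it with `aws route53 change-resource-record-sets --hosted-zone-id <zone id> --change-batch file://batch.json`. If the domain later starts sending mail, replace the `-all` SPF record rather than adding a second TXT record with a conflicting `v=spf1` string.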