Last month I got the bill of 60 USD dollars for the usage of the AWS account. It was too much for my small experiments and blogs articles. That is why I decided to write this checklist about securing your account and making the expenses manageable for your account. As a bonus, I made a CDK project for deploying the billing alarm in the last chapter of this article.
The steps are:
- Add MFA
- Create admin user
- Renew CLI access credentials
- Double-check all regions for resources
- Setup billing alert (cdk project in this guide)
Passwords are already not helping with account protection. So, having one more authentication method will prevent it from being hacked. My preferred way is to use 1Password. It has built-in support for one-time codes. I found it handy when once a phone has stayed at home during my day in coworking. The 1Password application was running on my laptop with the MFA connected to the AWS account. It saved my day.
There is a temptation to skip tedious user setup on a freshly created AWS account. The one wants to start using the cloud as fast as possible. I was in that situation. However, it is considered a bad practice to manage the resources from the root user.
If a hacker gets account access, it will be a real issue. Somebody will have the ability to mine cryptocurrency with the EC2 instances. So, to avoid this issue - create a separate user with Console and programmatic access who has the AdministratorAccess role. Do not forget to add MFA to this account also.
I had credentials for CLI access created more than 365 days ago. It is a security risk also. The main idea here is to refresh them not tomorrow but today. Also, do not expose access key ID and secret access key, especially when committing to GitHub.
There can be a situation when some costs are always in the bill. It means that something is still eating the budget. The most dangerous AWS services in terms of costs are VPC, ECS, and EC2. These have a pay-as-you-go model.
It means that every instance of EC2 has billing in seconds. Another trick is that the ECS cluster with Fargate services running will have costs. For example, it is a Java Spring app with logging every second. Fargate is a serverless way of running containers, which does not have a hefty invoice at the end of the month. Logging will require spinning up the service over and over again to infinity. That is what happened to me when I got the bill.
Billing issues are the motivation for this article, as one could guess. That is why I am suggesting setting up a billing alarm. It will send the notification to the email when the threshold crosses the desired amount in USD. For my case, I took 5 dollars.
I have created a small CDK project for that. One could find it on GitHub here. What are we doing here? The billing alarm will have a metric for the
EstimatedCharges. It will notify SNS topic with an email subscription. The best part of this is that the project is entirely serverless. It will cost you nothing for the timebeing.
There are several steps to achieve a calm mind regarding your expenses in the cloud:
- Set email with SSM, like:
aws ssm put-parameter --name "/billing/email" --type "String" --value "<your email>" --profile <if you are using it>
- Clone the repo and install dependencies (in Linux/macOS case)
git clone https://github.com/Grenguar/cdk-billing-alert.git cd cdk-billing-alert cd infra npm i
- If you want to change the threshold, do it in the
infra/bin/infra.tsfile. There is a parameter called
- Do the deployment:
npx cdk deploy --profile <if you are using it>
Here is the result in the CloudWatch -> Alarms -> All alarms.
Of course, these actions are not giving 100% protection from hackers or unexpected bills. However, the chance of getting strange news from AWS about your cloud resources decreases with every completed point from this checklist. Do you have any actions of improving the security and stabilizing your bill with AWS?