DEV Community

Cover image for Checklist for securing the usage of AWS account from unexpected events
Igor Soroka for AWS Community Builders

Posted on • Originally published at blog.soroka.tech

Checklist for securing the usage of AWS account from unexpected events

Last month I got the bill of 60 USD dollars for the usage of the AWS account. It was too much for my small experiments and blogs articles. That is why I decided to write this checklist about securing your account and making the expenses manageable for your account. As a bonus, I made a CDK project for deploying the billing alarm in the last chapter of this article.

The steps are:

  • Add MFA
  • Create admin user
  • Renew CLI access credentials
  • Double-check all regions for resources
  • Setup billing alert (cdk project in this guide)

Add MFA on root user

Passwords are already not helping with account protection. So, having one more authentication method will prevent it from being hacked. My preferred way is to use 1Password. It has built-in support for one-time codes. I found it handy when once a phone has stayed at home during my day in coworking. The 1Password application was running on my laptop with the MFA connected to the AWS account. It saved my day.

Separate user with AdministratorAccess

There is a temptation to skip tedious user setup on a freshly created AWS account. The one wants to start using the cloud as fast as possible. I was in that situation. However, it is considered a bad practice to manage the resources from the root user.

If a hacker gets account access, it will be a real issue. Somebody will have the ability to mine cryptocurrency with the EC2 instances. So, to avoid this issue - create a separate user with Console and programmatic access who has the AdministratorAccess role. Do not forget to add MFA to this account also.

Re-new programmatic access

I had credentials for CLI access created more than 365 days ago. It is a security risk also. The main idea here is to refresh them not tomorrow but today. Also, do not expose access key ID and secret access key, especially when committing to GitHub.

Double-check all regions for resources

There can be a situation when some costs are always in the bill. It means that something is still eating the budget. The most dangerous AWS services in terms of costs are VPC, ECS, and EC2. These have a pay-as-you-go model.

It means that every instance of EC2 has billing in seconds. Another trick is that the ECS cluster with Fargate services running will have costs. For example, it is a Java Spring app with logging every second. Fargate is a serverless way of running containers, which does not have a hefty invoice at the end of the month. Logging will require spinning up the service over and over again to infinity. That is what happened to me when I got the bill.

Setup a billing alert

Billing issues are the motivation for this article, as one could guess. That is why I am suggesting setting up a billing alarm. It will send the notification to the email when the threshold crosses the desired amount in USD. For my case, I took 5 dollars.

I have created a small CDK project for that. One could find it on GitHub here. What are we doing here? The billing alarm will have a metric for the EstimatedCharges. It will notify SNS topic with an email subscription. The best part of this is that the project is entirely serverless. It will cost you nothing for the timebeing.

There are several steps to achieve a calm mind regarding your expenses in the cloud:

  1. Set email with SSM, like:
aws ssm put-parameter --name "/billing/email" --type "String" --value "<your email>" --profile <if you are using it>
Enter fullscreen mode Exit fullscreen mode
  1. Clone the repo and install dependencies (in Linux/macOS case)
git clone https://github.com/Grenguar/cdk-billing-alert.git
cd cdk-billing-alert
cd infra
npm i
Enter fullscreen mode Exit fullscreen mode
  1. If you want to change the threshold, do it in the infra/bin/infra.ts file. There is a parameter called monetaryLimit
  2. Do the deployment:
npx cdk deploy --profile <if you are using it>
Enter fullscreen mode Exit fullscreen mode

Here is the result in the CloudWatch -> Alarms -> All alarms.

Billing alert demo


Of course, these actions are not giving 100% protection from hackers or unexpected bills. However, the chance of getting strange news from AWS about your cloud resources decreases with every completed point from this checklist. Do you have any actions of improving the security and stabilizing your bill with AWS?

Discussion (0)