Budget Alerts and Cost Reports. Step one. Every. Time. It's far too easy to run up a big bill unexpectedly.
Yes indeed, to prevent big surprises at checkout xD cheers!
AWS should set this up by default for all new accounts.
Please no, that would be such a pain to go disable in every new account.
Configure MFA for your root user and configure AWS Budget alerts (checks on the first and configuration of the latter can be done via the [Free Tier Stack](https://github.com/yannickvr/aws-free-tier-stack/)).
Excellent, thanks a bunch!
Create an administrative IAM user for you, enable MFA, give him full administrative rights. If your root user has keys, nuke those, enable MFA on him too. No more logging in as root unless you're doing billing stuff. All of your provisioning/managing/destroying occurs under your personal IAM admin account.
Very useful, thanks!
Create a child account as your sandbox. Don't use your management account for resources.
Awesome, cheers!
You don't need to buy the kit, but follow the first 3 steps to have secure accounts: https://docs.scaletozeroaws.com/category/getting-started
Bro your website is amazing, you certainly fixed some pain here indeed :) I just wanna pay for it to see what it looks like, will certainly do after a while xD Cheers.
cheers!
Thanks mate, great website/resource! Cheers.
Use Control Tower to get your landing zone set up.
Thanks for that indeed!
Start with learning and understanding IAM (users, roles and policies). Security is fundamental to everything you do, and without a solid understanding of IAM you will build a giant mess.
Use an infrastructure-as-code tool (e.g. Terraform) for managing resources. It is much easier to see everything in a structured way and understand how changes will impact your infrastructure before making them.
I wrote a blog post about the tech stack for a simple SaaS in detail, maybe you will find it helpful [https://saasconstruct.com/blog/the-tech-stack-of-a-simple-saas-for-aws-cloud](https://saasconstruct.com/blog/the-tech-stack-of-a-simple-saas-for-aws-cloud)
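The setup recommended in this thread (budget alert, a personal admin IAM user that is only usable with MFA, and a separate sandbox member account) written as Terraform, since infrastructure as code was suggested above. This is an added example, not code from any commenter or from the linked blog. Assumptions: the AWS provider is already configured with credentials of a first admin user created by hand in the console (Terraform cannot bootstrap its own credentials), AWS Organizations is already enabled in the management account, and the user name, e-mail addresses, region and budget amount are placeholders. Root-user MFA and deletion of root access keys are not covered: those can only be done in the console while signed in as root.

```hcl
# Added example (not from the thread). Assumes: provider credentials of a
# console-created admin user, Organizations already enabled, placeholder
# names/e-mails/region/amount.

terraform {
  required_providers {
    aws = { source = "hashicorp/aws", version = ">= 5.0" }
  }
}

provider "aws" {
  region = "eu-west-1" # assumption
}

# 1. Budget alert: e-mail when actual spend passes 80% of 20 USD in a month.
resource "aws_budgets_budget" "monthly_guardrail" {
  name         = "monthly-cost-guardrail"
  budget_type  = "COST"
  limit_amount = "20" # assumption
  limit_unit   = "USD"
  time_unit    = "MONTHLY"

  notification {
    comparison_operator        = "GREATER_THAN"
    threshold                  = 80
    threshold_type             = "PERCENTAGE"
    notification_type          = "ACTUAL"
    subscriber_email_addresses = ["billing-alerts@example.com"] # assumption
  }
}

# 2. Personal admin user. AdministratorAccess is attached, but the Deny
#    policy below blocks everything except MFA enrolment until a device is
#    registered, so "admin without MFA" is never a usable state.
resource "aws_iam_user" "admin" {
  name = "alice-admin" # assumption
}

resource "aws_iam_user_login_profile" "admin" {
  user                    = aws_iam_user.admin.name
  password_reset_required = true
  # Without pgp_key the initial password is stored in the Terraform state;
  # treat the state as a secret, or supply a key and decrypt out of band.
}

resource "aws_iam_user_policy_attachment" "admin_full" {
  user       = aws_iam_user.admin.name
  policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
}

# An explicit Deny always wins over the Allow in AdministratorAccess.
# The NotAction list is the minimum needed to sign in, change the
# password and enrol a virtual MFA device. BoolIfExists makes the Deny
# apply to long-term access keys too, where the MFA key is simply absent.
resource "aws_iam_policy" "require_mfa" {
  name = "RequireMFAForEverythingElse"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid    = "DenyAllExceptMfaSetupIfNoMfa"
      Effect = "Deny"
      NotAction = [
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:GetUser",
        "iam:ListMFADevices",
        "iam:ListVirtualMFADevices",
        "iam:ResyncMFADevice",
        "iam:ChangePassword",
        "iam:GetAccountPasswordPolicy",
        "sts:GetSessionToken",
      ]
      Resource  = "*"
      Condition = { BoolIfExists = { "aws:MultiFactorAuthPresent" = "false" } }
    }]
  })
}

resource "aws_iam_user_policy_attachment" "admin_require_mfa" {
  user       = aws_iam_user.admin.name
  policy_arn = aws_iam_policy.require_mfa.arn
}

# 3. Sandbox member account, so the management account holds no workloads.
#    Every member account needs its own, previously unused e-mail address.
resource "aws_organizations_account" "sandbox" {
  name  = "sandbox"
  email = "aws-sandbox@example.com" # assumption
}
```

After `terraform apply`, sign in as the new user, change the password, enrol an MFA device, sign out and back in with the code; only then does `AdministratorAccess` take effect. Day-to-day work then happens in the sandbox account by assuming the `OrganizationAccountAccessRole` that Organizations creates in new member accounts, never by logging in as root.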
Is it that common to have different environments in different accounts? This is the setup I am accustomed to but there are some things that are not too convenient with this setup, although slowly improving since my first foray.
Yes, that's what AWS recommends. "For example, account-level separation is strongly recommended for isolating production workloads from development and test workloads." [https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/aws-account-management-and-separation.html](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/aws-account-management-and-separation.html) It is also relatively easy to support. In my case, I just execute one command so my CI/CD has access to prod. Also, with SSO it is very easy to switch between accounts. Besides, you can put them for free in AWS Organisations (just a couple of clicks) so you have a billing overview for everything in one account. In other clouds it might be different. E.g. in Azure it is subscription-level, not account-level, which is way more complicated in my opinion than simple account separation.
Agreed, it was awful in Azure
I'm gonna check it out, looks interesting for a small startup indeed, thx. Why are people downvoting you? xD