Spring is here again, at least technically. I’m patiently waiting for the cherry blossoms to bloom again in Vancouver. It's a great start to having all the trees, grass and flowers restored to their vibrant state, making everything seem fresh again. Nature is really great at keeping cycles, and knowing how to keep things fresh.
Unfortunately, not all of us are as adept at following those long-term cycles. So in keeping with the spirit of getting rid of the old and starting off fresh, here are a few AWS refresh tips for you to consider adding to your annual spring cleaning list.
Check For Aging Account Credentials
Unused credentials can clutter things up and leave you open to unneeded risk. Open the IAM page in your AWS Console and download a copy of your Credential Report.
Check the report to see if you have accounts that have not been used for a long time, really old passwords or keys that should be rotated, or users who still don’t have MFA enabled.
It’s a good idea to review this every now and then to keep your AWS Account safer. Also, if you use a central authentication system like Active Directory, it might be a good time to review that as well.
Polish Your Website Certificates
Take a look at your website’s SSL certificate to make sure you don’t need to remediate any configuration vulnerabilities, review your supported protocols and cipher suites, and check when your certificate expires.
Just a reminder to consider using the AWS Certificate Manager (ACM) to automatically renew your certificates on your ELBs and CloudFront deployments. If you don’t have automatic rotation, set a calendar reminder in advance of expiration.
Keep Your DNS Domains Fresh
Check the DNS domain expiration for your sites. Domain registrars will often have automatic renewals, but if a renewal is attempted with an expired credit card, you may find it challenging to get your domains re-activated quickly. Check the expiration date for the DNS domain and for the credit card, and set up a calendar reminder to verify the renewal is successful before the expiration.
Note: If you use Route 53 for domain registrations, see this page regarding automatic renewal tips.
Dust Off Your Recovery Runbooks
One of the most important tests your organization can run is a test of its recovery plans. Unfortunately, in my experience, these are also often not tested. Ensuring backup jobs are executing is good, but until those backups are actually tested on new replacement infrastructure you won’t know how close you are to meeting your recovery objectives. The worst time to find out how well your recovery plans are working is during a real, unplanned outage. If you don’t frequently test your recovery, I urge you to create a calendar reminder to plan it or create a new ticket in your next sprint to schedule a recovery test.
In a busy world the above items can often get missed. I’m not advocating that you make these a manual, once-a-year-only process, but if you don’t have scheduled plans to review these items on an ongoing basis, hopefully this will be a useful reminder. If you want help taking this to the next level, please feel free to contact us for assistance automating these tests to give you extra peace of mind.
If you’re still feeling the spirit of renewal, you may want to consider some other spring cleaning tips.