This repository contains 20 AWS Cloud Engineering Best Practices along with real-world code examples to help engineers build secure, scalable, and cost-effective solutions on AWS.
- IAM Security Best Practices
- S3 Storage Optimization
- Data Encryption
- Logging and Monitoring
- Secrets Management
- Lambda Optimization
- CloudWatch Logging
- Database Management
- IAM Least Privilege
- Auto Scaling
- Load Balancing
- EBS Encryption
- VPC Endpoints
- Athena Querying
- Threat Detection
- Infrastructure as Code
- DDoS Protection
- Event-Driven Automation
- Workflow Orchestration
- General AWS Best Practices
## IAM Security Best Practices

**Bad Practice: Storing AWS credentials in code**

```python
import boto3

# Long-term access keys embedded in source end up in version control, CI logs
# and container images; anyone who can read the code can act as this identity.
aws_access_key = "AKIA..."
aws_secret_key = "..."
s3 = boto3.client("s3", aws_access_key_id=aws_access_key, aws_secret_access_key=aws_secret_key)
```

**Best Practice: Use IAM Roles for authentication**

```python
import boto3

# No credentials in code: boto3 resolves them from the default provider chain
# (environment variables, the shared config/credentials files, or the IAM role
# attached to the EC2 instance, ECS task or Lambda function). Role credentials
# are temporary and rotated automatically.
s3 = boto3.client("s3")
```
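The bad practice above is easy to catch mechanically before it reaches a repository. The following is an added example, not code from this repository: a pre-commit style scanner that flags AWS access key IDs and secret access keys in source text. The regular expressions and the two sample "files" (which use the AWS-documented example credentials) are this example's own assumptions.

```python
import re
import sys

# Constructed sample "source files" for this example: the first carries the two
# documented AWS example credentials, the second relies on the IAM role.
SAMPLE_FILES = {
    "config.py": (
        'aws_access_key = "AKIAIOSFODNN7EXAMPLE"\n'
        'aws_secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
    ),
    "app.py": (
        "import boto3\n"
        's3 = boto3.client("s3")  # credentials come from the IAM role\n'
    ),
}

# Access key IDs are "AKIA" (long-term) or "ASIA" (temporary) plus 16 upper-case
# alphanumerics. Secret keys are 40 base64-style characters; to limit false
# positives they are only reported when they follow an "aws_secret..." style name.
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
SECRET_KEY_RE = re.compile(
    r"(?i)aws[_-]?secret(?:[_-]?access)?[_-]?key\W{0,5}([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)


def scan_text(name, text):
    """Return (file, line_number, kind) for every credential-looking token."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if ACCESS_KEY_RE.search(line):
            findings.append((name, lineno, "access_key_id"))
        if SECRET_KEY_RE.search(line):
            findings.append((name, lineno, "secret_access_key"))
    return findings


def scan_files(files):
    """files: mapping of path -> contents. Returns all findings, in file order."""
    findings = []
    for name, text in files.items():
        findings.extend(scan_text(name, text))
    return findings


if __name__ == "__main__":
    # Pre-commit style: print each hit and fail the run when anything is found.
    hits = scan_files(SAMPLE_FILES)
    for path, lineno, kind in hits:
        print(f"{path}:{lineno}: {kind}")
    sys.exit(1 if hits else 0)
```

Wire `scan_files` over `git diff --cached` in a pre-commit hook, and treat any hit on a key that was ever pushed as compromised: revoke it in IAM rather than just rewriting history.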
## S3 Storage Optimization

**Best Practice: Move old data to Glacier**

`policy.json` (the top-level `Prefix` field is deprecated; scope the rule with `Filter`):

```json
{
  "Rules": [
    {
      "ID": "MoveToGlacier",
      "Filter": { "Prefix": "logs/" },
      "Status": "Enabled",
      "Transitions": [
        { "Days": 30, "StorageClass": "GLACIER" }
      ]
    }
  ]
}
```

```bash
aws s3api put-bucket-lifecycle-configuration --bucket my-bucket --lifecycle-configuration file://policy.json
```

Glacier Flexible Retrieval (`GLACIER`) bills a 90-day minimum and restores take minutes to hours, so only move data you will rarely read. If the logs have a retention limit, add an `Expiration` rule to the same policy so old objects are deleted rather than kept forever.
## Data Encryption

**Best Practice: Enable AES-256 encryption by default**

```bash
aws s3api put-bucket-encryption --bucket my-bucket --server-side-encryption-configuration file://encryption.json
```

`encryption.json`:

```json
{
  "Rules": [
    {
      "ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "AES256"
      }
    }
  ]
}
```

Since January 2023 S3 applies SSE-S3 (`AES256`) to every new object automatically, so this call matters mainly when you want SSE-KMS with your own key (`"SSEAlgorithm": "aws:kms"` plus `KMSMasterKeyID`), which adds key-level access control and a CloudTrail record of each key use. Default encryption covers data at rest only; to enforce TLS in transit, add a bucket policy that denies requests where `aws:SecureTransport` is `false`.
## Logging and Monitoring

**Best Practice: Enable CloudTrail logging**

```bash
# Multi-region trail with log file validation (lets you detect tampering with delivered logs)
aws cloudtrail create-trail --name MyTrail --s3-bucket-name my-trail-logs \
  --is-multi-region-trail --enable-log-file-validation
aws cloudtrail start-logging --name MyTrail
```

`create-trail` fails with `InsufficientS3BucketPolicyException` unless `my-trail-logs` has a bucket policy granting `cloudtrail.amazonaws.com` `s3:GetBucketAcl` on the bucket and `s3:PutObject` under `AWSLogs/<account-id>/*`. Keep the log bucket in a separate, locked-down account where possible: an attacker who can delete the trail's objects or stop the trail can erase their own tracks.
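A trail is only useful if someone reads it. The following is an added example, not code from this repository: detection logic run over a constructed CloudTrail log file (the `{"Records": [...]}` shape CloudTrail delivers to S3) that flags root account usage, console logins without MFA, and API calls that tamper with the trail itself. The sample records and the rule names are this example's own; in production the same rules belong in CloudWatch metric filters or EventBridge rules rather than a batch script.

```python
import json

# Constructed CloudTrail log file, trimmed to the fields the rules below read.
# Not real account data.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventID": "e1", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventID": "e2", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventID": "e3", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"name": "MyTrail"}},
    {"eventID": "e4", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"type": "AssumedRole"}},
]})

# CloudTrail API calls that weaken or disable the audit trail itself.
TRAIL_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def classify(record):
    """Return the names of every detection rule a single record trips."""
    alerts = []
    identity = record.get("userIdentity", {})
    name = record.get("eventName")
    if identity.get("type") == "Root":
        alerts.append("root_account_used")
    if name == "ConsoleLogin" and record.get("additionalEventData", {}).get("MFAUsed") == "No":
        alerts.append("console_login_without_mfa")
    if record.get("eventSource") == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPER_EVENTS:
        alerts.append("cloudtrail_tampering")
    return alerts


def scan_log(raw_json):
    """Parse one delivered log file and return (eventID, rule) pairs for every alert."""
    records = json.loads(raw_json)["Records"]
    return [(r["eventID"], rule) for r in records for rule in classify(r)]


if __name__ == "__main__":
    for event_id, rule in scan_log(SAMPLE_LOG):
        print(f"{rule}: eventID={event_id}")
```

A record can trip more than one rule (the root login without MFA above yields two alerts); keep them separate so each can page a different severity.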
## Secrets Management

**Best Practice: Store sensitive data securely**

```bash
# SecureString values are encrypted with KMS (the AWS-managed key unless --key-id is given).
# Passing the secret on the command line leaves it in shell history; prefer
# --value file://db-password.txt for anything real.
aws ssm put-parameter --name "/app/db-password" --value "securepassword" --type "SecureString"
```

```python
import boto3

ssm = boto3.client("ssm")
# WithDecryption=True is required for SecureString; the caller needs ssm:GetParameter
# on the parameter and kms:Decrypt on the key that protects it.
password = ssm.get_parameter(Name="/app/db-password", WithDecryption=True)["Parameter"]["Value"]
```
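Calling `get_parameter` on every request hits SSM (and KMS behind it) each time, which is slow and runs into the API throttling limits. The following is an added example, not code from this repository: a small TTL cache around `GetParameter` that a Lambda can hold at module scope so warm invocations reuse the value. The `FakeSSM` class is a constructed stand-in for `boto3.client("ssm")` so the example runs offline; its behaviour (a `Parameter` dict, ciphertext unless `WithDecryption=True`) mirrors the real call but is this example's own.

```python
import time


class ParameterCache:
    """Read SecureString parameters through GetParameter and cache them for a TTL.

    `client` is anything exposing get_parameter(Name=..., WithDecryption=...),
    normally boto3.client("ssm"). Create one instance at module scope in a
    Lambda so warm invocations reuse the cached value instead of calling SSM
    (and the KMS decrypt behind it) on every request.
    """

    def __init__(self, client, ttl_seconds=300, clock=time.monotonic):
        self._client = client
        self._ttl = ttl_seconds
        self._clock = clock
        self._cache = {}  # name -> (value, expires_at)

    def get(self, name):
        now = self._clock()
        cached = self._cache.get(name)
        if cached is not None and cached[1] > now:
            return cached[0]
        # WithDecryption=True is what turns a SecureString into plaintext;
        # without it the API hands back the ciphertext.
        response = self._client.get_parameter(Name=name, WithDecryption=True)
        value = response["Parameter"]["Value"]
        self._cache[name] = (value, now + self._ttl)
        return value


class FakeSSM:
    """Constructed stand-in for the SSM client so the example runs offline.
    It counts calls, which is how the caching behaviour is observed."""

    def __init__(self, secrets):
        self._secrets = secrets
        self.calls = 0

    def get_parameter(self, Name, WithDecryption=False):
        self.calls += 1
        if Name not in self._secrets:
            raise LookupError(f"ParameterNotFound: {Name}")  # boto3 raises ClientError here
        value = self._secrets[Name] if WithDecryption else "<ciphertext>"
        return {"Parameter": {"Name": Name, "Type": "SecureString", "Value": value}}


def demo():
    """Two reads inside the TTL hit SSM once; a read after expiry hits it again."""
    fake = FakeSSM({"/app/db-password": "s3cr3t"})
    fake_clock = [1000.0]
    cache = ParameterCache(fake, ttl_seconds=60, clock=lambda: fake_clock[0])
    first = cache.get("/app/db-password")
    cache.get("/app/db-password")
    calls_within_ttl = fake.calls
    fake_clock[0] += 61
    cache.get("/app/db-password")
    return first, calls_within_ttl, fake.calls


if __name__ == "__main__":
    print(demo())
```

Keep the TTL short enough that a rotated password is picked up before the old one stops working, and never write the decrypted value to a log or environment variable.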
## Lambda Optimization

**Best Practice: Adjust Lambda memory and timeout**

```bash
# CPU is allocated in proportion to memory, so more memory is often both faster and
# cheaper per invocation; a short timeout caps the cost of a runaway invocation.
aws lambda update-function-configuration --function-name MyLambda --memory-size 512 --timeout 10
```
## CloudWatch Logging

**Best Practice: Send Lambda logs to CloudWatch**

```python
import logging

# The Lambda runtime already attaches a CloudWatch handler to the root logger;
# setting the level is enough. Be deliberate about logging the raw event: it may
# carry tokens, passwords or personal data that then sit in CloudWatch Logs.
logger = logging.getLogger()
logger.setLevel(logging.INFO)


def lambda_handler(event, context):
    logger.info("Processing event: %s", event)
```
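Logging the whole event, as above, means every secret the event carries lands in CloudWatch Logs. The following is an added example, not code from this repository: a formatter that emits one JSON object per line (so CloudWatch Logs Insights can filter on fields) and redacts values under sensitive-looking keys at any depth before they are written. The key list, the `SAMPLE_EVENT` and the helper names are this example's own assumptions.

```python
import json
import logging

# Keys whose values never belong in a log line. The list is this example's
# assumption; extend it for your own event shapes.
SENSITIVE_KEYS = {"password", "passwd", "secret", "token", "access_token",
                  "authorization", "x-api-key", "api_key", "apikey", "cookie"}
MASK = "***REDACTED***"


def redact(value):
    """Return a copy of a JSON-like structure with sensitive values masked.

    Matching is on the key name, case-insensitively, at any depth, so headers,
    nested bodies and lists of records are all covered."""
    if isinstance(value, dict):
        return {k: (MASK if k.lower() in SENSITIVE_KEYS else redact(v)) for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v) for v in value]
    return value


class JsonFormatter(logging.Formatter):
    """One JSON object per line; the event travels as an 'extra' field and is redacted here."""

    def format(self, record):
        entry = {"level": record.levelname, "logger": record.name, "message": record.getMessage()}
        event = getattr(record, "event", None)
        if event is not None:
            entry["event"] = redact(event)
        if record.exc_info:
            entry["exception"] = self.formatException(record.exc_info)
        return json.dumps(entry)


def configure_logging(level=logging.INFO):
    """Reuse the handler the Lambda runtime installs on the root logger; add one when running locally."""
    root = logging.getLogger()
    if not root.handlers:
        root.addHandler(logging.StreamHandler())
    for handler in root.handlers:
        handler.setFormatter(JsonFormatter())
    root.setLevel(level)
    return root


logger = configure_logging()


def log_line(message, event, level=logging.INFO):
    """Format one record exactly as the handler would, without emitting it (handy for tests)."""
    record = logger.makeRecord(logger.name, level, "", 0, message, (), None, extra={"event": event})
    return JsonFormatter().format(record)


def lambda_handler(event, context):
    # The raw event is attached as "extra" and redacted by the formatter; it is
    # never interpolated into the message string.
    logger.info("processing event", extra={"event": event})
    return {"statusCode": 200}


# Constructed example event: an API-Gateway-style request carrying credentials.
SAMPLE_EVENT = {
    "user": "alice",
    "password": "hunter2",
    "headers": {"Authorization": "Bearer eyJ...", "Content-Type": "application/json"},
    "items": [{"token": "t-123", "sku": "A1"}],
}

if __name__ == "__main__":
    lambda_handler(SAMPLE_EVENT, None)
```

Key-name matching is a floor, not a ceiling: a secret that arrives under an unexpected key still gets logged, so pair this with log-group retention limits and restricted `logs:GetLogEvents` permissions.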
## Database Management

**Best Practice: Enable automatic backups**

```bash
# Keep 7 days of automated backups (the point-in-time restore window); 0 disables them.
# Without --apply-immediately the change waits for the next maintenance window.
aws rds modify-db-instance --db-instance-identifier mydb --backup-retention-period 7
```
## IAM Least Privilege

**Best Practice: Restrict S3 bucket access**

Deny every S3 action unless the caller authenticated with MFA. This is a complete IAM policy document; `BoolIfExists` makes the Deny apply both when `aws:MultiFactorAuthPresent` is `false` and when the key is absent altogether, which is the case for long-term access keys:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyS3WithoutMFA",
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": "*",
      "Condition": {
        "BoolIfExists": {
          "aws:MultiFactorAuthPresent": "false"
        }
      }
    }
  ]
}
```

Attach this to human users or groups only. Role sessions (EC2 instance profiles, Lambda, ECS tasks) carry `aws:MultiFactorAuthPresent` as `false`, so the same statement on a service role blocks all of its S3 access.
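The MFA statement above and the TLS-only bucket policy mentioned under Data Encryption both hinge on how IAM treats a condition key that is missing from the request. The following is an added example, not code from this repository and not an IAM simulator: a minimal evaluator for the `Bool`, `BoolIfExists`, `Null`, `StringEquals` and `StringNotEquals` operators, run against constructed request contexts, showing which callers each Deny catches. `Resource` and `Allow` statements are ignored (an explicit Deny wins regardless); the contexts and policy names are this example's own.

```python
import fnmatch

# Constructed request contexts, i.e. the condition keys AWS would populate:
# - IAM user with long-term access keys: the MFA key is absent entirely
# - IAM user who authenticated with MFA (or an MFA-backed STS session): "true"
# - EC2 instance profile / Lambda / ECS role session: present but "false"
REQUEST_CONTEXTS = {
    "user_long_term_keys": {"aws:SecureTransport": "true"},
    "user_with_mfa": {"aws:SecureTransport": "true", "aws:MultiFactorAuthPresent": "true"},
    "ec2_role_session": {"aws:SecureTransport": "true", "aws:MultiFactorAuthPresent": "false"},
    "plain_http_client": {"aws:SecureTransport": "false"},
}

MFA_DENY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyS3WithoutMFA", "Effect": "Deny", "Action": "s3:*", "Resource": "*",
        "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
    }],
}

# Bucket policy that refuses anything not sent over TLS (hypothetical bucket name).
TLS_DENY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
        "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def condition_matches(condition, context):
    """Evaluate a Condition block (all operators must hold) against a request context.

    Modelled rules for a key that is absent from the request:
      Bool / StringEquals -> condition is false
      BoolIfExists        -> condition is true
      StringNotEquals     -> condition is true (negated operator)
      Null "true"/"false" -> matches when the key is absent / present
    Bool values compare case-insensitively, String values exactly."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            present = key in context
            if operator == "Null":
                if present == (str(_as_list(expected)[0]).lower() == "true"):
                    return False
                continue
            if operator not in ("Bool", "BoolIfExists", "StringEquals", "StringNotEquals"):
                raise ValueError(f"operator not modelled here: {operator}")
            if not present:
                if operator in ("BoolIfExists", "StringNotEquals"):
                    continue
                return False
            norm = str.lower if operator.startswith("Bool") else str
            expected_values = [norm(str(v)) for v in _as_list(expected)]
            actual = norm(str(context[key]))
            if operator == "StringNotEquals":
                if actual in expected_values:
                    return False
            elif actual not in expected_values:
                return False
    return True


def is_denied(policy, action, context):
    """True when any Deny statement whose Action matches applies to the request."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
            continue
        if condition_matches(stmt.get("Condition", {}), context):
            return True
    return False


def evaluate(policy, action):
    """Map each constructed context to True (denied) / False (not denied)."""
    return {name: is_denied(policy, action, ctx) for name, ctx in REQUEST_CONTEXTS.items()}


if __name__ == "__main__":
    print("MFA policy, s3:GetObject:", evaluate(MFA_DENY_POLICY, "s3:GetObject"))
    print("TLS policy, s3:GetObject:", evaluate(TLS_DENY_POLICY, "s3:GetObject"))
```

The MFA run shows the caveat concretely: the EC2 role session is denied alongside the long-term-key user, because its `aws:MultiFactorAuthPresent` is present and `false`. The TLS policy uses plain `Bool`, so a context with no `aws:SecureTransport` key at all would not be denied; use `BoolIfExists` only when "missing" should count as "failed".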
## Auto Scaling

**Best Practice: Scale EC2 instances automatically**

```bash
# --vpc-zone-identifier (or --availability-zones) is required; the subnet IDs below are placeholders.
aws autoscaling create-auto-scaling-group --auto-scaling-group-name my-asg \
  --launch-template LaunchTemplateName=my-template,Version=1 \
  --min-size 2 --max-size 10 --desired-capacity 2 \
  --vpc-zone-identifier "subnet-xxxxxxxx,subnet-yyyyyyyy"
```
## General AWS Best Practices

Follow these additional AWS best practices:

- Use AWS Shield Advanced and AWS WAF for DDoS protection (Shield Standard is already on for every account)
- Use AWS Organizations for centralized governance and service control policies
- Implement AWS Config for compliance monitoring
- Regularly rotate IAM credentials and remove unused keys and users
- Monitor cost usage with AWS Budgets
- Automate backups for EC2 & RDS (AWS Backup can schedule both)
This repository follows an open-source MIT License. Feel free to contribute or modify the examples.
Have a new best practice to add? Feel free to submit a pull request!
Maintained by: Partha Sarathi Kundu | Contact: LinkedIn | Website: kundu.xyz