Cloud Guardrails

Your Quick Reference to Cloud Best Practices

An open-source collection of cloud infrastructure best practices, for bootstrapping your own cloud platform.

Ready to contribute?

Cloud Guardrails

If you're interested in contributing guidance, please start with these instructions.

AWS presigned URL vigilance
Maturity Level: Medium | Cloud Provider: AWS | Author: Houston Hopkins
Summary
Prevent presigned URLs for all of your resources, not just S3.
Applicable to
Unless there are active measures taken in AWS SCP, Resource policies, or IAM policies
When to use/avoid
Base Image Used and is only N days old
Maturity Level: Medium | Cloud Provider: AWS | Author: Nick Siow
Summary
Base images can provide a wealth of security benefits, but are also point-in-time snapshots that become stale. Ensure that the base image used for any new image creation is sufficiently fresh.
Applicable to
Always
When to use/avoid
Deploy all resources in multiple AZ's (including the Load Balancers)
Maturity Level: Medium | Cloud Provider: AWS | Author: Houston Hopkins
Summary
Deploy all resources to multiple availability zones to facilitate seamless failover.
Applicable to
Always
When to use/avoid
Cloudfront OAI usage
Maturity Level: Low | Cloud Provider: AWS | Author: Houston Hopkins
Summary
Use a CloudFront OAI with an S3 origin type, and in the bucket policy allow ONLY the s3:GetObject action to that specific OAI.
Applicable to
Anyone using Cloudfront with S3 as an origin.
When to use/avoid
Guardrails to prevent removal of security services/tooling
Maturity Level: Medium | Cloud Provider: AWS | Author: Adam Cotenoff
Summary
Set up baseline security services by default (logging, monitoring, IAM, etc.) and prevent them from being removed.
Applicable to
This best practice applies particularly when using AWS Organizations to centrally manage multiple AWS accounts as a single entity.
When to use/avoid
Use SSO for user access
Maturity Level: Medium | Cloud Provider: AWS | Author: Adam Cotenoff
Summary
Use single sign-on for user access to simplify the login process and reduce the number of credentials that need to be managed.
Applicable to
Always
When to use/avoid
Prefer CDN-fronted private buckets for serving static assets
Maturity Level: Low | Cloud Provider: AWS | Author: Adam Cotenoff
Summary
To securely serve static assets over the internet, use a private bucket with a Content Delivery Network (CDN) front-end, instead of making the bucket itself public. This provides several advantages over using a public bucket to serve static assets.
Applicable to
This only applies when you want to use an S3 bucket to serve static content.
When to use/avoid
Explicitly choose which AWS services to allow
Maturity Level: Medium | Cloud Provider: AWS | Author: Mark Andersen
Summary
Use an allowlist to limit which AWS services your teams may use in the account.
Applicable to
Account setup
When to use/avoid
Use Systems Manager if you need to SSH
Maturity Level: Low | Cloud Provider: AWS | Author: Mark Andersen
Summary
Use Systems Manager for SSH access, as it is integrated with IAM for access control.
Applicable to
For support
When to use/avoid
Limit public IP addresses, centralize network access through ingress proxies
Maturity Level: Medium | Cloud Provider: AWS | Author: Adam Cotenoff
Summary
The use of public IP addresses by services running in the cloud should be restricted.
Applicable to
Always
When to use/avoid
Defend against Subdomain Takeover
Maturity Level: Medium | Cloud Provider: AWS | Author: Houston Hopkins
Summary
Tightly couple any processes that involve Route53 to their Alias resources to avoid subdomain takeover.
Applicable to
When you point DNS records to cloud infrastructure
When to use/avoid
Approval for reconfiguration of sensitive resources
Maturity Level: Low | Cloud Provider: AWS, GCP, Azure | Author: Travis McPeak
Summary
Examine configuration changes for all resources with production impact.
Applicable to
Always
When to use/avoid
EBS Volume Encryption at Account Level
Maturity Level: Low | Cloud Provider: AWS | Author: Will Bengtson
Summary
Enforce volume encryption at the account level by default.
Applicable to
Compliance driven
When to use/avoid
Use application-specific roles
Maturity Level: High | Cloud Provider: AWS | Author: Travis McPeak
Summary
Use application-specific roles wherever possible, enabling least privilege for each role rather than shared roles carrying a superset of permissions.
Applicable to
Setting this up requires some investment, so the practice is probably more relevant for larger companies that have the basics addressed.
When to use/avoid
Avoid relying on control plane AWS calls during an application/AWS issue
Maturity Level: High | Cloud Provider: AWS | Author: Mark Andersen
Summary
Control planes prioritize consistency over availability when issues occur. Set up Route53 so that failover is already configured using health checks.
Applicable to
Application Availability
When to use/avoid
Protect against data deletion
Maturity Level: Medium | Cloud Provider: AWS | Author: Mark Andersen
Summary
Block delete calls on persistent data resources by default on IAM roles to avoid accidentally deleting all your data.
Applicable to
Always
When to use/avoid
Use reserved concurrency limits on lambdas by default
Maturity Level: Low | Cloud Provider: AWS | Author: Mark Andersen
Summary
Lambdas suffer from the noisy neighbor problem if you don't set a reserved concurrency value.
Applicable to
When using lambda
When to use/avoid
External-facing services must implement protections against DoS - use a WAF
Maturity Level: High | Cloud Provider: AWS | Author: Adam Cotenoff
Summary
External-facing services should implement protections against DoS through a WAF, to ensure the availability of your service(s).
Applicable to
Always
When to use/avoid
IAM Service Users can only assume into a role which has actual permissions
Maturity Level: Medium | Cloud Provider: AWS | Author: Adam Cotenoff
Summary
Creating IAM roles that have the necessary permissions, and then assigning those roles to the IAM users who require access to the resources allows you to centralize the management of permissions.
Applicable to
Always
When to use/avoid
Uniform bucket-level access
Maturity Level: Low | Cloud Provider: AWS | Author: Travis McPeak
Summary
Individual object permissions can create surprising ACL issues and should be avoided in favor of explicit policies on buckets.
Applicable to
Always
When to use/avoid
| Name | Categories | Maturity Level | Functionality | Cloud Provider | Author |
|---|---|---|---|---|---|
| AWS presigned URL vigilance | | Medium | | | Houston Hopkins |
| Base Image Used and is only N days old | | Medium | | | Nick Siow |
| Deploy all resources in multiple AZ's (including the Load Balancers) | | Medium | | | Houston Hopkins |
| Cloudfront OAI usage | | Low | | | Houston Hopkins |
| Guardrails to prevent removal of security services/tooling | | Medium | | | Adam Cotenoff |
| Use SSO for user access | | Medium | | | Adam Cotenoff |
| Prefer CDN-fronted private buckets for serving static assets | | Low | | | Adam Cotenoff |
| Explicitly choose which AWS services to allow | | Medium | | | Mark Andersen |
| Use Systems Manager if you need to SSH | | Low | | | Mark Andersen |
| Limit public IP addresses, centralize network access through ingress proxies | | Medium | | | Adam Cotenoff |
| Defend against Subdomain Takeover | | Medium | | | Houston Hopkins |
| Approval for reconfiguration of sensitive resources | | Low | | | Travis McPeak |
| EBS Volume Encryption at Account Level | | Low | | | Will Bengtson |
| Use application-specific roles | | High | | | Travis McPeak |
| Avoid relying on control plane AWS calls during an application/AWS issue | | High | | | Mark Andersen |
| Protect against data deletion | | Medium | | | Mark Andersen |
| Use reserved concurrency limits on lambdas by default | | Low | | | Mark Andersen |
| External-facing services must implement protections against DoS - use a WAF | | High | | | Adam Cotenoff |
| IAM Service Users can only assume into a role which has actual permissions | | Medium | | | Adam Cotenoff |
| Uniform bucket-level access | | Low | | | Travis McPeak |
| Cloud Tagging Standards | | Medium | | | Adam Cotenoff |
| Restrict what regions you run in | | Low | | | Houston Hopkins |
| Retain X>90 days of cloudtrail logs in a searchable tool | | Medium | | | Travis McPeak |
| RDS Databases with automatic daily snapshot | | Low | | | Will Bengtson |
| S3 bucket with versioning | | Low | | | Will Bengtson |
| Approval for sensitive network access | | Low | | | Travis McPeak |
| OIDC Integration for popular services | | Medium | | | Will Bengtson |
| Alternate account contacts | | Low | | | Nick Siow |
| Test your backups by restoring them | | Low | | | Mark Andersen |
| S3 bucket with replication to another account | | Medium | | | Will Bengtson |
| Approval for public resource exposure | | Medium | | | Nick Siow |
| AWS IMDSv2 enforcement | | Medium | | | Will Bengtson |
| S3 bucket with lifecycle | | Medium | | | Will Bengtson |
| Instances must be launched in Autoscaling Group | | High | | | Will Bengtson |
| Breakglass SS{M,H} | | High | | | Nick Siow |
| Infrastructure code must pass security linting checks to merge PRs to convergence branches | | Medium | | | Adam Cotenoff |
| Enable MFA on the Root Account | | Low | | | Mark Andersen |
| S3 bucket with replication to another account/region pair | | High | | | Will Bengtson |
| Approval for used cloud services by Security/Compliance/Governance | | Medium | | | Adam Cotenoff |
| Data backup account | | Medium | | | Houston Hopkins |
| Account Size - Use Small Accounts | | High | | | Mark Andersen |
| Public access block | | Low | | | Travis McPeak |
| Rotate IAM access keys | | | | | Adam Cotenoff |
| Enable ELB / ALB / NLB logging | | Medium | | | Mark Andersen |
| Limit IAM users | | Medium | | | Adam Cotenoff |
| Change window | | Low | | | Travis McPeak |
| Centralize cloudtrail logging | | Medium | | | Travis McPeak |
| DynamoDB Backup Configured | | Medium | | | Will Bengtson |
| Protected accounts/regions | | Medium | | | Travis McPeak |
| Cloudfront verbs matter | | | | | Houston Hopkins |
| Account per region | | High | | | Mark Andersen |
| Restrict OIDC Integrations | | Medium | | | Will Bengtson |
| Use a central identity account | | Medium | | | Travis McPeak |
| Naming convention for buckets | | Low | | | Travis McPeak |
| CloudWatch Log Group TTL | | Medium | | | Will Bengtson |
| Multi-party approval (MPA) and multi-factor authentication (MFA) should be required for all changes to production | | Medium | | | Adam Cotenoff |
| Service owners do not need admin permissions into their cloud accounts | | Medium | | | Adam Cotenoff |
| Set up one system to collect your resource inventory in all your accounts | | Medium | | | Houston Hopkins |
| Account Segmentation | | Low | | | Mark Andersen |
Categories / Functions filter values: Process, Data, Architecture, Configuration, Change Management, Compliance, Identity, Cost Management, Reliability, Security, Standards
Cloud Provider filter values: Azure, GCP, AWS