Cloud
Guardrails

Your Quick Reference to Cloud Best Practices

An open-source collection of cloud infrastructure best practices, for bootstrapping your own cloud platform.

Ready to contribute?

See best practices
Contribute on GitHub
Cloud Guardrails

If you're interested in contributing guidance, please start with these instructions.

Filters
Filters
Categories
Clear
Maturity Level
Clear
Functions
Clear
Cloud Provider
Clear
Clear all
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Name
Categories
Maturity Level
Functions
CSPS
Author
Account Size - Use Small Accounts
High
AWS
Mark Andersen
Github Link
Summary
Aggressively use accounts as your permissions and blast radius boundary.
Applicable to
When designing your account structure and connectivity for all your cloud applications.
When to use/avoid
Read More
Public access block
Low
AWS, GCP
Travis McPeak
Github Link
Summary
Prevent public bucket exposure by enabling public access block.
Applicable to
Always applies
When to use/avoid
Read More
Rotate IAM access keys
AWS
Adam Cotenoff
Github Link
Summary
Rotate IAM access keys where IAM users are still required
Applicable to
To IAM users
When to use/avoid
Read More
Enable ELB / ALB / NLB logging
Medium
AWS
Mark Andersen
Github Link
Summary
Enable access logs for all load balancers.
Applicable to
When using ELB / ALB / NLB
When to use/avoid
Read More
Limit IAM users
Medium
AWS
Adam Cotenoff
Github Link
Summary
Limit the creation of new IAM users, and prefer using IAM roles when possible.
Applicable to
Always
When to use/avoid
Read More
Change window
Low
AWS, GCP, Azure
Travis McPeak
Github Link
Summary
Avoid time windows that are potentially sensitive (night/weekend/holidays) for making changes to critical resources.
Applicable to
Always
When to use/avoid
Read More
Centralize cloudtrail logging
Medium
AWS
Travis McPeak
Github Link
Summary
Configure CloudTrail to log to a bucket in a central account with specific prefixes based on the application or role sending them.
Applicable to
Always
When to use/avoid
Read More
DynamoDB Backup Configured
Medium
AWS
Will Bengtson
Github Link
Summary
Require DynamoDB to have a backup enabled for DR.
Applicable to
To all important data in DynamoDB
When to use/avoid
Read More
Protected accounts/regions
Medium
AWS, GCP, Azure
Travis McPeak
Github Link
Summary
Require approval of changes for accounts or regions with sensitive infrastructure.
Applicable to
Companies should have a multi-account and/or multi-region strategy before adopting this
When to use/avoid
Read More
Cloudfront verbs matter
AWS
Houston Hopkins
Github Link
Summary
Avoid Cloudfront AllowedMethods beyond GET HEAD and OPTIONS.
Applicable to
Possibly mitigated by Cloudfront domain validation
When to use/avoid
Read More
Account per region
High
AWS
Mark Andersen
Github Link
Summary
Use an account per region to avoid having a single account take down your application.
Applicable to
When you need extremely high availability application setup
When to use/avoid
Read More
Restrict OIDC Integrations
Medium
AWS
Will Bengtson
Github Link
Summary
Restrict OIDC integrations so you don't have backdoor or rogue access.
Applicable to
Always
When to use/avoid
Read More
Use a central identity account
Medium
AWS
Travis McPeak
Github Link
Summary
Centralize identities into a single account.
Applicable to
Companies that have a multi-account strategy should generally adopt this pattern
When to use/avoid
Read More
Naming convention for buckets
Low
AWS, GCP
Travis McPeak
Github Link
Summary
Enforce naming conventions for storage buckets with a unique prefix to avoid collisions.
Applicable to
Always
When to use/avoid
Read More
CloudWatch Log Group TTL
Medium
AWS
Will Bengtson
Github Link
Summary
Require TTL on CloudWatch logs
Applicable to
All scaled usage of CloudWatch
When to use/avoid
Read More
Multi-party approval (MPA) and multi-factor authentication (MFA) should be required for all changes to production
Medium
AWS
Adam Cotenoff
Github Link
Summary
Limiting engineers' access to production environments by managing infrastructure through Infrastructure as Code (IaC), enforcing identity-based changes, multi-party approval, MFA, and security linting helps ensure accountability, consistency, and reduces security risks.
Applicable to
Applies when a robust IaC CI/CD workflow is in place
When to use/avoid
Read More
Service owners do not need admin permissions into their cloud accounts
Medium
AWS
Adam Cotenoff
Github Link
Summary
Service owners don't need admin permissions, and should be given a minimal set of permissions as-necessary (e.g. read-only).
Applicable to
When service teams own their accounts
When to use/avoid
Read More
Set up one system to collect your resource inventory in all your accounts
Medium
AWS
Houston Hopkins
Github Link
Summary
Avoid throttling issues from multiple AWS describe calls by fostering solutions that collect data once, share it across tools, and store it in a centralized system like AWS Config or a data warehouse for efficient reporting.
Applicable to
Always
When to use/avoid
Read More
Account Segmentation
Low
AWS
Mark Andersen
Github Link
Summary
Applicable to
When designing your account structure and connectivity for all your cloud applications.
When to use/avoid
Read More
Cloud Guardrails

If you're interested in contributing guidance, please start with these instructions.

Filters
Filters
Categories
Clear
Maturity Level
Clear
Functions
Clear
Cloud Provider
Clear
Clear all
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Name
AWS presigned URL vigilance
Github Link
Categories
Maturity Level
Medium
Functionality
Cloud Provider
Author
Houston Hopkins
Read More
Base Image Used and is only N days old
Github Link
Categories
Maturity Level
Medium
Functionality
Cloud Provider
Author
Nick Siow
Read More
Deploy all resources in multiple AZ's (including the Load Balancers)
Github Link
Categories
Maturity Level
Medium
Functionality
Cloud Provider
Author
Houston Hopkins
Read More
Cloudfront OAI usage
Github Link
Categories
Maturity Level
Low
Functionality
Cloud Provider
Author
Houston Hopkins
Read More
Guardrails to prevent removal of security services/tooling
Github Link
Categories
Maturity Level
Medium
Functionality
Cloud Provider
Author
Adam Cotenoff
Read More
Use SSO for user access
Github Link
Categories
Maturity Level
Medium
Functionality
Cloud Provider
Author
Adam Cotenoff
Read More
prefer CDN fronted private buckets for serving static assets
Github Link
Categories
Maturity Level
Low
Functionality
Cloud Provider
Author
Adam Cotenoff
Read More
Explicity chose what AWS services to allow
Github Link
Categories
Maturity Level
Medium
Functionality
Cloud Provider
Author
Mark Andersen
Read More
Use SystemsManager if you need to SSH
Github Link
Categories
Maturity Level
Low
Functionality
Cloud Provider
Author
Mark Andersen
Read More
Limit public IP addresses, centralize network access through ingress proxies
Github Link
Categories
Maturity Level
Medium
Functionality
Cloud Provider
Author
Adam Cotenoff
Read More
Defend against Subdomain Takeover
Github Link
Categories
Maturity Level
Medium
Functionality
Cloud Provider
Author
Houston Hopkins
Read More
Approval for reconfiguration of sensitive resources
Github Link
Categories
Maturity Level
Low
Functionality
Cloud Provider
Author
Travis McPeak
Read More
EBS Volume Encryption at Account Level
Github Link
Categories
Maturity Level
Low
Functionality
Cloud Provider
Author
Will Bengtson
Read More
Use application-specific roles
Github Link
Categories
Maturity Level
High
Functionality
Cloud Provider
Author
Travis McPeak
Read More
Avoid relying on control plane AWS calls during an application/AWS issue
Github Link
Categories
Maturity Level
High
Functionality
Cloud Provider
Author
Mark Andersen
Read More
Protect against data deletion
Github Link
Categories
Maturity Level
Medium
Functionality
Cloud Provider
Author
Mark Andersen
Read More
Use reserved concurrency limits on lambdas by default
Github Link
Categories
Maturity Level
Low
Functionality
Cloud Provider
Author
Mark Andersen
Read More
External-facing services must implement protections against DoS - use a WAF
Github Link
Categories
Maturity Level
High
Functionality
Cloud Provider
Author
Adam Cotenoff
Read More
IAM Service Users can only assume into a role which has actual permissions
Github Link
Categories
Maturity Level
Medium
Functionality
Cloud Provider
Author
Adam Cotenoff
Read More
Uniform bucket-level access
Github Link
Categories
Maturity Level
Low
Functionality
Cloud Provider
Author
Travis McPeak
Read More
Cloud Tagging Standards
Github Link
Categories
Maturity Level
Medium
Functionality
Cloud Provider
Author
Adam Cotenoff
Read More
Restrict what regions you run in
Github Link
Categories
Maturity Level
Low
Functionality
Cloud Provider
Author
Houston Hopkins
Read More
Retain X>90 days of cloudtrail logs in a searchable tool
Github Link
Categories
Maturity Level
Medium
Functionality
Cloud Provider
Author
Travis McPeak
Read More
RDS Databases with automatic daily snapshot
Github Link
Categories
Maturity Level
Low
Functionality
Cloud Provider
Author
Will Bengtson
Read More
S3 bucket with versioning
Github Link
Categories
Maturity Level
Low
Functionality
Cloud Provider
Author
Will Bengtson
Read More
Approval for sensitive network access
Github Link
Categories
Maturity Level
Low
Functionality
Cloud Provider
Author
Travis McPeak
Read More
OIDC Integration for popular services
Github Link
Categories
Maturity Level
Medium
Functionality
Cloud Provider
Author
Will Bengtson
Read More
Alternate account contacts
Github Link
Categories
Maturity Level
Low
Functionality
Cloud Provider
Author
Nick Siow
Read More
Test your backups by restoring them
Github Link
Categories
Maturity Level
Low
Functionality
Cloud Provider
Author
Mark Andersen
Read More
S3 bucket with replication to another account
Github Link
Categories
Maturity Level
Medium
Functionality
Cloud Provider
Author
Will Bengtson
Read More
Approval for public resource exposure
Github Link
Categories
Maturity Level
Medium
Functionality
Cloud Provider
Author
Nick Siow
Read More
AWS IMDSv2 enforcement
Github Link
Categories
Maturity Level
Medium
Functionality
Cloud Provider
Author
Will Bengtson
Read More
S3 bucket with lifecycle
Github Link
Categories
Maturity Level
Medium
Functionality
Cloud Provider
Author
Will Bengtson
Read More
Instances must be launched in Autoscaling Group
Github Link
Categories
Maturity Level
High
Functionality
Cloud Provider
Author
Will Bengtson
Read More
Breakglass SS{M,H}
Github Link
Categories
Maturity Level
High
Functionality
Cloud Provider
Author
Nick Siow
Read More
Infrastructure code must pass security linting checks to merge PRS to convergence branches
Github Link
Categories
Maturity Level
Medium
Functionality
Cloud Provider
Author
Adam Cotenoff
Read More
Enable MFA on the Root Account
Github Link
Categories
Maturity Level
Low
Functionality
Cloud Provider
Author
Mark Andersen
Read More
S3 bucket with replication to another account/region pair
Github Link
Categories
Maturity Level
High
Functionality
Cloud Provider
Author
Will Bengtson
Read More
Approval of for used cloud services by Security/Compliance/Governance
Github Link
Categories
Maturity Level
Medium
Functionality
Cloud Provider
Author
Adam Cotenoff
Read More
Databackup account
Github Link
Categories
Maturity Level
Medium
Functionality
Cloud Provider
Author
Houston Hopkins
Read More
Account Size - Use Small Accounts
Github Link
Categories
Maturity Level
High
Functionality
Cloud Provider
Author
Mark Andersen
Read More
Public access block
Github Link
Categories
Maturity Level
Low
Functionality
Cloud Provider
Author
Travis McPeak
Read More
Rotate IAM access keys
Github Link
Categories
Maturity Level
Functionality
Cloud Provider
Author
Adam Cotenoff
Read More
Enable ELB / ALB / NLB logging
Github Link
Categories
Maturity Level
Medium
Functionality
Cloud Provider
Author
Mark Andersen
Read More
Limit IAM users
Github Link
Categories
Maturity Level
Medium
Functionality
Cloud Provider
Author
Adam Cotenoff
Read More
Change window
Github Link
Categories
Maturity Level
Low
Functionality
Cloud Provider
Author
Travis McPeak
Read More
Centralize cloudtrail logging
Github Link
Categories
Maturity Level
Medium
Functionality
Cloud Provider
Author
Travis McPeak
Read More
DynamoDB Backup Configured
Github Link
Categories
Maturity Level
Medium
Functionality
Cloud Provider
Author
Will Bengtson
Read More
Protected accounts/regions
Github Link
Categories
Maturity Level
Medium
Functionality
Cloud Provider
Author
Travis McPeak
Read More
Cloudfront verbs matter
Github Link
Categories
Maturity Level
Functionality
Cloud Provider
Author
Houston Hopkins
Read More
Account per region
Github Link
Categories
Maturity Level
High
Functionality
Cloud Provider
Author
Mark Andersen
Read More
Restrict OIDC Integrations
Github Link
Categories
Maturity Level
Medium
Functionality
Cloud Provider
Author
Will Bengtson
Read More
Use a central identity account
Github Link
Categories
Maturity Level
Medium
Functionality
Cloud Provider
Author
Travis McPeak
Read More
Naming convention for buckets
Github Link
Categories
Maturity Level
Low
Functionality
Cloud Provider
Author
Travis McPeak
Read More
CloudWatch Log Group TTL
Github Link
Categories
Maturity Level
Medium
Functionality
Cloud Provider
Author
Will Bengtson
Read More
Multi-party approval (MPA) and multi-factor authentication (MFA) should be required for all changes to production
Github Link
Categories
Maturity Level
Medium
Functionality
Cloud Provider
Author
Adam Cotenoff
Read More
Service owners do not need admin permissions into their cloud accounts
Github Link
Categories
Maturity Level
Medium
Functionality
Cloud Provider
Author
Adam Cotenoff
Read More
Set up one system to collect your resource inventory in all your accounts
Github Link
Categories
Maturity Level
Medium
Functionality
Cloud Provider
Author
Houston Hopkins
Read More
Account Segmentation
Github Link
Categories
Maturity Level
Low
Functionality
Cloud Provider
Author
Mark Andersen
Read More
Process
Data
Architecture
Configuration
Change Management
Compliance
Identity
Cost Management
Reliability
Security
Standards
Azure
GCP
AWS