An Example Getting Started Guide: This document represents an example that can help you develop and publish your own getting started guide internally for cloud foundation team members that are onboarding to your AWS environment. You are free to copy this content into your own internal wiki or other system and modify it to meet your needs. As you progress on your cloud adoption journey, you will likely significantly expand your internal documentation to help communicate additional and increasingly sophisticated capabilities and associated best practices that are available to teams.
This document is intended to provide foundation team members with awareness of the typical day-to-day tasks and supporting methods, tools, and AWS services to help them manage and monitor your new AWS environment.
Since your team will need to experiment, develop, and perform early testing of changes to foundation resources and may need to reproduce issues as you support other teams using the environment, your team also needs a development environment.
Just like other builder teams, your foundation team has been allocated a team development AWS account. The only differences between your team's development AWS account and those of other teams are:
Use Team Development Access Permissions for Most of Your Work: When you need to experiment, develop, and test foundation changes or reproduce user issues, you are strongly encouraged to use the team development access permission and your team development AWS account rather than your cloud administrative access permissions in any AWS account. Use your cloud administrative access permissions only for cloud administrative work.
See Getting Started Guide for Builder Teams for information on using your team development environment.
Since AWS Control Tower is the primary means by which you’ll be creating AWS accounts, organizing them in OUs, and managing guardrails, it’s important that you become familiar with recurring tasks.
When you make changes to AWS account names and AWS Organizations OU names outside of AWS Control Tower, you'll need to take steps in AWS Control Tower to ensure that it is up to date. See Managing Resources Outside of AWS Control Tower for details.
By following this guide, your foundation team has already established a foundation for security:
Consider starting with the following list:
While security is woven into all AWS services and capabilities, a few explicit AWS Security, Identity, & Compliance services you should be aware of at this point in your journey are:
Amazon GuardDuty is our threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts and workloads. GuardDuty is not on by default; it must be enabled. We recommend enabling the service for the 30-day free trial to see the visibility and value it brings to your security practice.
AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS. AWS Shield provides always-on detection and automatic inline mitigations that minimize application downtime and latency, so there is no need to engage AWS Support to benefit from DDoS protection. There are two tiers of AWS Shield - Standard and Advanced. All AWS customers benefit from the automatic protections of AWS Shield Standard, at no additional charge.
AWS Security Hub provides you with a comprehensive view of the security state of your AWS resources. Security Hub collects security data from across AWS accounts and services, and helps you analyze your security trends to identify and prioritize the security issues across your AWS environment.
AWS CloudTrail is an AWS service that helps you enable governance, compliance, and operational and risk auditing of your AWS account. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail. Events include actions taken in the AWS Management Console, AWS Command Line Interface, and AWS SDKs and APIs.
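Because CloudTrail records every control-plane call, the foundation team's day-to-day use of it is reading those records for the handful of things that should never happen quietly. The script below is an added example, not part of the original guide: it runs a few triage rules (root user activity, console sign-in without MFA, sensitive IAM and CloudTrail changes, AccessDenied errors) over a constructed CloudTrail log file in the real `{"Records": [...]}` layout. The account ID, ARNs and IP addresses are placeholders, and the rule list is a starting point to tune, not a complete detection set.

```python
"""Triage CloudTrail records for the foundation team's daily review.

Added example, not from the original guide. SAMPLE_LOG is a constructed
CloudTrail log file (the real format is {"Records": [...]}) with placeholder
account ID, ARNs and documentation-range IP addresses; the rules are a
starting point to tune, not a complete detection set.
"""
import json

# Control-plane calls that change who can do what, or that weaken logging
# (assumption: extend this list for your environment).
SENSITIVE_ACTIONS = {
    "CreateAccessKey", "CreateLoginProfile", "AttachUserPolicy",
    "AttachRolePolicy", "PutUserPolicy", "UpdateAssumeRolePolicy",
    "StopLogging", "DeleteTrail", "UpdateTrail",
}


def triage_record(rec):
    """Return (rule, summary) tuples raised by one CloudTrail record."""
    findings = []
    ident = rec.get("userIdentity", {})
    actor = ident.get("arn") or ident.get("principalId", "unknown")
    name = rec.get("eventName", "")
    when = rec.get("eventTime", "")
    ip = rec.get("sourceIPAddress", "?")

    # Root should stay unused once the account is set up; any use is reviewed.
    if ident.get("type") == "Root":
        findings.append(("root-activity", f"{when} root {name} from {ip}"))

    # Successful console sign-in without MFA. CloudTrail records MFAUsed in
    # additionalEventData for ConsoleLogin events.
    if name == "ConsoleLogin":
        success = rec.get("responseElements", {}).get("ConsoleLogin") == "Success"
        mfa = rec.get("additionalEventData", {}).get("MFAUsed")
        if success and mfa != "Yes":
            findings.append(("console-login-no-mfa", f"{when} {actor} from {ip}"))

    # Sensitive IAM/CloudTrail changes, whether or not the call succeeded:
    # a denied StopLogging attempt is still worth a conversation.
    if rec.get("eventSource") in ("iam.amazonaws.com", "cloudtrail.amazonaws.com") \
            and name in SENSITIVE_ACTIONS:
        findings.append(("sensitive-change", f"{when} {actor} called {name}"))

    # AccessDenied errors: either a policy that is too tight or someone probing.
    if rec.get("errorCode") == "AccessDenied":
        findings.append(("access-denied", f"{when} {actor} denied {name}"))
    return findings


def triage(log_file):
    """Run triage_record over a parsed CloudTrail log file ({"Records": [...]})."""
    results = []
    for rec in log_file.get("Records", []):
        for rule, summary in triage_record(rec):
            results.append({"rule": rule, "eventID": rec.get("eventID"), "summary": summary})
    return results


# Constructed sample: four records in CloudTrail's JSON layout.
SAMPLE_LOG = json.loads("""
{"Records": [
  {"eventVersion": "1.08", "eventID": "e1",
   "userIdentity": {"type": "Root", "principalId": "123456789012",
                    "arn": "arn:aws:iam::123456789012:root", "accountId": "123456789012"},
   "eventTime": "2024-03-01T08:12:05Z", "eventSource": "signin.amazonaws.com",
   "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.7",
   "responseElements": {"ConsoleLogin": "Success"},
   "additionalEventData": {"MFAUsed": "No", "LoginTo": "https://console.aws.amazon.com/"}},
  {"eventVersion": "1.08", "eventID": "e2",
   "userIdentity": {"type": "AssumedRole", "principalId": "AROAEXAMPLEID:alice",
                    "arn": "arn:aws:sts::123456789012:assumed-role/CloudAdmin/alice",
                    "accountId": "123456789012"},
   "eventTime": "2024-03-01T09:00:00Z", "eventSource": "iam.amazonaws.com",
   "eventName": "CreateAccessKey", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.20",
   "requestParameters": {"userName": "ci-deployer"}},
  {"eventVersion": "1.08", "eventID": "e3",
   "userIdentity": {"type": "AssumedRole", "principalId": "AROAEXAMPLEID:bob",
                    "arn": "arn:aws:sts::123456789012:assumed-role/TeamDeveloper/bob",
                    "accountId": "123456789012"},
   "eventTime": "2024-03-01T09:05:00Z", "eventSource": "s3.amazonaws.com",
   "eventName": "ListBuckets", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.21"},
  {"eventVersion": "1.08", "eventID": "e4",
   "userIdentity": {"type": "AssumedRole", "principalId": "AROAEXAMPLEID:bob",
                    "arn": "arn:aws:sts::123456789012:assumed-role/TeamDeveloper/bob",
                    "accountId": "123456789012"},
   "eventTime": "2024-03-01T09:06:00Z", "eventSource": "cloudtrail.amazonaws.com",
   "eventName": "StopLogging", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.21",
   "errorCode": "AccessDenied",
   "errorMessage": "User is not authorized to perform: cloudtrail:StopLogging"}
]}
""")

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['rule']:22} {f['eventID']}  {f['summary']}")
```

On the sample, the root console login raises two findings (root activity and no MFA), the CreateAccessKey by the admin role raises one, the S3 ListBuckets raises none, and the denied StopLogging attempt raises two. In a real environment the same rules would run over the organization trail's S3 objects or an Athena query rather than an inline file.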
Review Note: Provide guidance on developing and honing IAM skills, with pointers about how to learn more about effective use of IAM; for example, the IAM Policy Simulator, testing policy changes before promoting them, infrastructure-as-code techniques, and so on. Reference how IAM Access Analyzer can be used to help identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity.
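One concrete form of "testing policy changes before promoting them" is to write down, alongside the policy, the allow and deny outcomes it is supposed to produce, and fail the change if any of them differ. The following is an added example, not from the original guide: a deliberately small local evaluator for identity policies (explicit Deny beats Allow, which beats the implicit deny; `*` and `?` wildcards in Action and Resource) used as a promotion gate. A draft team-developer policy is checked against its intended outcomes, the over-broad `iam:*` deny that silently cancels the intended `iam:PassRole` allow is caught, and the corrected policy passes. The policies, ARNs and account ID are constructed. The evaluator refuses statements that use Condition, NotAction, NotResource or Principal rather than guessing, and it does not model SCPs, permission boundaries or resource policies; for anything beyond this subset, run the real policy through the IAM Policy Simulator (`aws iam simulate-custom-policy`).

```python
"""Gate an IAM policy change on a set of expected allow/deny outcomes.

Added example, not from the original guide. The evaluator models a small
subset of IAM identity-policy logic (explicit Deny beats Allow, which beats
the implicit deny; '*' and '?' wildcards in Action and Resource) and refuses
statements it does not model rather than guessing. Policies, ARNs and the
account ID are constructed for the example.
"""
import re

UNSUPPORTED = {"Condition", "NotAction", "NotResource", "Principal", "NotPrincipal"}


def _wild(pattern, ignore_case):
    """Compile an IAM wildcard pattern ('*' any run, '?' one char) to a regex."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.compile(regex, re.IGNORECASE if ignore_case else 0)


def _as_list(value):
    """IAM accepts a single string/object or a list in most policy fields."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def evaluate(policy, action, resource):
    """Return 'allow' or 'deny' for one action/resource under one identity policy.

    Not modelled: Condition keys, SCPs, permission boundaries, session and
    resource policies. Unsupported statement elements raise so the gate
    fails closed instead of reporting a false allow or deny.
    """
    allowed = False
    for st in _as_list(policy.get("Statement")):
        extra = UNSUPPORTED & st.keys()
        if extra:
            raise NotImplementedError(f"statement uses {sorted(extra)}; use the Policy Simulator")
        # Action names are case-insensitive in IAM; resource ARNs are matched as written.
        if not any(_wild(a, True).match(action) for a in _as_list(st.get("Action"))):
            continue
        if not any(_wild(r, False).match(resource) for r in _as_list(st.get("Resource"))):
            continue
        if st.get("Effect") == "Deny":
            return "deny"  # an explicit deny wins regardless of statement order
        if st.get("Effect") == "Allow":
            allowed = True
    return "allow" if allowed else "deny"  # no matching Allow is an implicit deny


def check_expectations(policy, expectations):
    """Return [(action, resource, expected, actual)] for every violated expectation."""
    mismatches = []
    for action, resource, expected in expectations:
        actual = evaluate(policy, action, resource)
        if actual != expected:
            mismatches.append((action, resource, expected, actual))
    return mismatches


ACCOUNT = "123456789012"  # placeholder account ID

# Draft team-developer policy: broad S3/EC2/logs, PassRole limited to app-* roles,
# and a blanket deny on IAM, Organizations and trail tampering.
DRAFT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "ec2:*", "logs:*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:PassRole",
         "Resource": f"arn:aws:iam::{ACCOUNT}:role/app-*"},
        {"Effect": "Deny", "Resource": "*",
         "Action": ["iam:*", "organizations:*", "cloudtrail:StopLogging", "cloudtrail:DeleteTrail"]},
    ],
}

# Corrected policy: the deny names IAM write prefixes instead of iam:*, so the
# intended iam:PassRole allow is no longer cancelled by the explicit deny.
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        DRAFT_POLICY["Statement"][0],
        DRAFT_POLICY["Statement"][1],
        {"Effect": "Deny", "Resource": "*",
         "Action": ["iam:Create*", "iam:Attach*", "iam:Put*", "iam:Delete*", "iam:Update*",
                    "organizations:*", "cloudtrail:StopLogging", "cloudtrail:DeleteTrail"]},
    ],
}

# What the change is supposed to mean, written down before it is promoted.
EXPECTED = [
    ("s3:GetObject", "arn:aws:s3:::team-dev-bucket/report.csv", "allow"),
    ("ec2:TerminateInstances", f"arn:aws:ec2:us-east-1:{ACCOUNT}:instance/i-0abc123", "allow"),
    ("iam:PassRole", f"arn:aws:iam::{ACCOUNT}:role/app-web", "allow"),
    ("iam:PassRole", f"arn:aws:iam::{ACCOUNT}:role/CloudAdmin", "deny"),
    ("iam:CreateUser", f"arn:aws:iam::{ACCOUNT}:user/backdoor", "deny"),
    ("cloudtrail:StopLogging", f"arn:aws:cloudtrail:us-east-1:{ACCOUNT}:trail/org-trail", "deny"),
    ("organizations:LeaveOrganization", "*", "deny"),
]

if __name__ == "__main__":
    for label, policy in (("draft", DRAFT_POLICY), ("fixed", FIXED_POLICY)):
        bad = check_expectations(policy, EXPECTED)
        print(f"{label}: {'PASS' if not bad else 'FAIL'} {bad}")
```

The draft fails on exactly one expectation: `iam:PassRole` on the app-web role comes back as deny because the explicit `iam:*` deny overrides the allow. Once the expectation file lives next to the policy in the infrastructure-as-code repository, the same check can run in CI on every change.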
Although some of the detective guardrails deployed through AWS Control Tower help continuously monitor and audit aspects of your AWS environment, it’s a best practice to periodically audit your security configuration to make sure that it meets your current business needs. See AWS Security Audit Guidelines for best practices.
As resources are deployed in your account, managing the growing inventory of resources and ensuring that they are deployed consistently and maintained consistently can become a challenge. AWS Config is a Management and Governance tool available to help you with:
More specifically, you can do the following with AWS Config:
Once you have resources deployed in your account, consider Getting Started with AWS Config.
AWS Cost Management tools give you and your team visibility into AWS account costs and usage. Each account you create will have access to view its individual account costs and usage. The management account can see the total organizational cost and usage rollup.
Sign in to the AWS Management Console and open the Billing and Cost Management console.
There are a range of AWS Cost Management tools to help you access, organize, understand, control, and optimize your costs. You can start to access detailed information about your AWS costs and usage using the built-in dashboard in the Billing and Cost Management area of the AWS Management Console.
To see more detailed cost information for the entire organization of AWS accounts and to enable builder teams to access cost reporting within their own AWS accounts, you should enable the AWS Cost Explorer:
1. Sign in to the AWS Management Console associated with the Billing role.
2. Choose the Billing service.
3. Choose Cost Explorer.
4. Choose Enable Cost Explorer. Cost Explorer data becomes available within 24 hours of enabling it.
5. Enable Amazon EC2 Right Sizing Recommendations so that the foundation and workload builder teams can gain insight into recommendations for downsizing and terminating EC2 instances.
For more proactive management of your AWS costs, set up budgets within the Billing and Cost Management console. Budgets allow you to:
Take a few minutes and create an initial basic budget by following this guide Create your first Budget.