7 things you should never do in AWS
There are things in everyone’s lives we should not do.
Sometimes they end in embarrassment, sometimes in getting hurt, and sometimes you have to pay for what you did. The same is true in Amazon AWS. There are things you should never do if you want to avoid stress, additional costs or failures. We have picked out 7 of them. Read them carefully and try not to repeat them in your environment.
Unless you like surprises.
1. Never keep important data on Instance Store Volumes
An Instance Store is temporary block-level storage located on disks that are physically attached to the host computer. Instance store volumes can be specified only when creating an instance; they cannot be detached and then attached to a different instance.
Data on an instance store volume persists only during the lifetime of the instance. It survives an instance reboot, but all data on an instance store is lost when the instance stops or terminates, or when the underlying disk fails. Unfortunately, there is no way to create a snapshot of such a volume. This storage is only temporary: keep no valuable data on Instance Store Volumes and do not rely on them for valuable, long-term data.
2. Never take a snapshot of multiple EBS volumes running in a RAID array
RAID arrays are used in AWS to achieve higher throughput with better IOPS. They use two volumes as one, with the combined throughput and IOPS of both volumes.
When you take a snapshot of an attached EBS volume that is in use, the snapshot excludes data cached by the application or the OS. This is usually not a problem for a single volume, but it can be for a RAID array: restoring volumes from such snapshots can degrade the integrity of the array. To avoid this, you need to take an application-consistent snapshot.
When creating a snapshot of EBS volumes configured as a RAID array, it is critical that no I/O operations are being performed at the time the snapshots are created. To create an application-consistent snapshot you need to stop the application from writing to disk and flush all caches to disk. This can be done by freezing the filesystem, unmounting the RAID array or shutting down the associated EC2 instance. Then you can take a snapshot of each volume separately.
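The freeze-snapshot-thaw sequence described above, written out as an added shell example (this is not code from the original article). It assumes root privileges on the instance, the util-linux `fsfreeze` tool and a configured AWS CLI; the mount point and volume IDs passed to the function are placeholders, and the `trap` guarantees the filesystem is thawed even if a snapshot call fails:

```bash
#!/bin/sh
# Added example (not from the original article): application-consistent snapshots of
# the EBS volumes that make up a software RAID array.
# Assumptions: runs as root on the instance, util-linux fsfreeze is available and the
# AWS CLI is configured. The mount point and volume IDs passed in are placeholders.

snapshot_raid_consistent() {
    mnt="$1"; shift                     # mount point of the RAID filesystem, e.g. /data
    desc="raid-consistent-$(date -u +%Y%m%dT%H%M%SZ)"

    sync                                # flush dirty pages before freezing
    fsfreeze --freeze "$mnt"            # block new writes: no I/O while snapshots start
    # Whatever happens below, the filesystem must be thawed again.
    trap 'fsfreeze --unfreeze "$mnt"' EXIT INT TERM

    # One snapshot per member volume, all started while the array is quiescent.
    # Prints the snapshot ID of each volume, one per line.
    for vol in "$@"; do
        aws ec2 create-snapshot \
            --volume-id "$vol" \
            --description "$desc $vol" \
            --query SnapshotId --output text
    done

    fsfreeze --unfreeze "$mnt"
    trap - EXIT INT TERM
}

# Usage (placeholder IDs):
# snapshot_raid_consistent /data vol-0aaaaaaaaaaaaaaa1 vol-0bbbbbbbbbbbbbbb2
```

The freeze window only has to cover the `create-snapshot` calls: once EC2 has accepted a snapshot request, later writes to the volume are not included in it, so the array can be thawed while the snapshots are still copying in the background. Newer AWS CLI versions also offer `aws ec2 create-snapshots` for a crash-consistent multi-volume snapshot of all volumes attached to an instance, but that does not replace flushing application caches first.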
3. Never remove the MFA device you use for your root account without disabling MFA first
Multi-Factor Authentication is a simple best practice that adds an extra layer of protection to your AWS account. When it is enabled, a user signing in to the AWS account is prompted for a username and password and then for an authentication code from the AWS MFA device. An MFA device can be a hardware device, a virtual device or SMS to a mobile phone. Each type of device has to be activated with your AWS account, and each identity can be associated with only one MFA device.
It is critical not to remove an active MFA device or uninstall an MFA application without disabling the MFA device first. The root account is the only way to enable or disable the MFA device. If you cannot log in to the root account because the MFA device is missing, the only way to restore access to your account is to contact support.
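An added shell example (not from the original article) that checks whether the root account has MFA enabled and retires a virtual MFA device in the safe order: deactivate it in IAM first, re-check that it is no longer the active factor, and only then delete it. It assumes a configured AWS CLI with IAM permissions; the user name and device ARN are placeholders. The root account's own device must still be deactivated through the root sign-in as the text says; this function covers IAM users:

```bash
#!/bin/sh
# Added example (not from the original article): check root MFA status and retire a
# virtual MFA device in the safe order (deactivate, verify, then delete).
# Assumes a configured AWS CLI; user name and device ARN are placeholders.

# Prints "1" when the root account has MFA enabled, "0" otherwise.
root_mfa_enabled() {
    aws iam get-account-summary \
        --query 'SummaryMap.AccountMFAEnabled' --output text
}

# Prints the serial if "$serial" is still an active MFA device for "$user",
# nothing (or "None") otherwise.
active_mfa_serial() {
    user="$1"; serial="$2"
    aws iam list-mfa-devices --user-name "$user" \
        --query "MFADevices[?SerialNumber=='$serial'].SerialNumber" --output text
}

# Retire a virtual MFA device assigned to an IAM user. The device is deactivated
# first if it is still active, so the user is never left behind a deleted device.
# Returns 1 (and deletes nothing) if the device is still active afterwards.
retire_virtual_mfa() {
    user="$1"; serial="$2"             # serial is the device ARN
    active=$(active_mfa_serial "$user" "$serial")
    if [ -n "$active" ] && [ "$active" != "None" ]; then
        aws iam deactivate-mfa-device --user-name "$user" --serial-number "$serial"
    fi
    # Re-check: never delete a device that is still the user's active factor.
    active=$(active_mfa_serial "$user" "$serial")
    if [ -n "$active" ] && [ "$active" != "None" ]; then
        echo "device $serial is still active for $user; refusing to delete" >&2
        return 1
    fi
    aws iam delete-virtual-mfa-device --serial-number "$serial"
}

# Usage (placeholders):
# root_mfa_enabled
# retire_virtual_mfa alice arn:aws:iam::123456789012:mfa/alice
```

`root_mfa_enabled` is the quick check to run before touching anything: if it prints `0`, the root account has no MFA at all and enabling it is the first job. The deactivate-before-delete order is the same protection the article asks for on the root account, applied to IAM users.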
4. When importing an external VM to AWS, never forget to enable RDP/SSH access to the machine
The VM Import/Export feature allows you to import a virtual machine to create an EC2 instance. The only way to access the EC2 instance is to log in to it over the network; there is no console option. This means that you have to prepare your VM so that you can log in to the machine after importing it to EC2.
Never forget to enable RDP or SSH access on the machine; otherwise you will not be able to access your instance. You also have to ensure that there is no firewall, iptables rule or other software on the machine that could prevent you from accessing it.
5. Never forget to create a snapshot and then remove an EBS Provisioned IOPS volume if you are not going to use it for a long time
This point is about saving money. EBS Provisioned IOPS volumes are the highest-performance SSD volumes, designed for latency-sensitive transactional workloads. Whenever you hear “highest performance,” you think “highest price” as well. You are right. Provisioned IOPS SSD volumes are more than three times more expensive than standard General Purpose SSD volumes with the same IOPS. And the trick is that you are billed for the provisioned IOPS even if the volumes are detached and not in use. To save money, create snapshots of such volumes, delete the unused Provisioned IOPS volumes and restore them when needed.
You can use the “Underutilized Amazon EBS Volumes” cost optimization check in Trusted Advisor to review your EBS configuration and be warned about underused volumes.
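The snapshot-then-delete procedure above, as an added shell example (not from the original article). It assumes a configured AWS CLI; the volume ID, Availability Zone and IOPS values are placeholders. The archive function refuses to touch a volume that is still attached and waits for the snapshot to complete before deleting the volume, since deleting first would lose the data:

```bash
#!/bin/sh
# Added example (not from the original article): park an idle Provisioned IOPS volume
# as a snapshot so that the per-IOPS charge stops, and rebuild it later.
# Assumes a configured AWS CLI; volume ID, AZ and IOPS values are placeholders.

# Snapshot a detached io1 volume, wait for the snapshot to complete, then delete the
# volume. Refuses to touch a volume that is still attached (state != available).
# Prints the snapshot ID to keep for the restore.
archive_piops_volume() {
    vol="$1"
    state=$(aws ec2 describe-volumes --volume-ids "$vol" \
        --query 'Volumes[0].State' --output text)
    if [ "$state" != "available" ]; then
        echo "volume $vol is $state, not available; detach it first" >&2
        return 1
    fi
    snap=$(aws ec2 create-snapshot --volume-id "$vol" \
        --description "parked io1 volume $vol" \
        --query SnapshotId --output text)
    # Deleting the volume before the snapshot is complete would lose data.
    aws ec2 wait snapshot-completed --snapshot-ids "$snap"
    aws ec2 delete-volume --volume-id "$vol"
    echo "$snap"
}

# Rebuild the io1 volume from the snapshot when it is needed again.
# Prints the new volume ID.
restore_piops_volume() {
    snap="$1"; az="$2"; iops="$3"
    aws ec2 create-volume --snapshot-id "$snap" --availability-zone "$az" \
        --volume-type io1 --iops "$iops" \
        --query VolumeId --output text
}

# Usage (placeholders):
# snap=$(archive_piops_volume vol-0aaaaaaaaaaaaaaa1)
# restore_piops_volume "$snap" us-east-1a 3000
```

Snapshot storage is billed per GB of data actually stored, not per provisioned IOPS, which is where the saving comes from. Note that the Trusted Advisor check mentioned above is only available through the API (`aws support describe-trusted-advisor-check-result`) with a Business or Enterprise support plan, which ties in with point 7.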
Cost comparison from the original article (the pricing figures were images and are not reproduced here): a 1000 GB Provisioned IOPS estimate (3000 IOPS, baseline throughput 160 MB/s) versus a 1000 GB General Purpose estimate (3000 IOPS, baseline throughput 160 MB/s).
6. Never forget to update the AMIs you use to automatically launch your instances
The Amazon AMIs you use to launch your EC2 instances are up to date at the time you launch them. However, if you assign such an AMI to your Auto Scaling launch configuration and keep using it for weeks or months, it will stop being up to date and can become vulnerable to many kinds of attacks.
To prevent this, you have to keep your Auto Scaling launch configuration up to date: periodically create launch configurations with current AMIs and update your Auto Scaling groups to use them.
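An added shell example (not from the original article) of that rotation: look up the current Amazon Linux 2 AMI through the public SSM parameter AWS publishes for it, compare it with the AMI in the group's launch configuration, and only when they differ create a new launch configuration, point the group at it and start an instance refresh so already-running instances are replaced as well. It assumes a configured AWS CLI; the group name and instance type are placeholders, and the new launch configuration carries only the image and instance type (a real rotation would copy the old configuration's security groups, key pair and user data too):

```bash
#!/bin/sh
# Added example (not from the original article): rotate the AMI behind an Auto Scaling
# group's launch configuration when a newer image is available.
# Assumes a configured AWS CLI. The SSM parameter path is the one AWS publishes for
# the latest Amazon Linux 2 AMI; group name and instance type are placeholders.

LATEST_AMI_PARAM="/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2"

# Prints the AMI ID AWS currently publishes as the latest Amazon Linux 2 image.
latest_ami() {
    aws ssm get-parameters --names "$LATEST_AMI_PARAM" \
        --query 'Parameters[0].Value' --output text
}

# Prints the AMI currently referenced by the group's launch configuration.
current_ami() {
    asg="$1"
    lc=$(aws autoscaling describe-auto-scaling-groups --auto-scaling-group-names "$asg" \
        --query 'AutoScalingGroups[0].LaunchConfigurationName' --output text)
    aws autoscaling describe-launch-configurations --launch-configuration-names "$lc" \
        --query 'LaunchConfigurations[0].ImageId' --output text
}

# Creates a new launch configuration only if the AMI is stale, points the group at it
# and starts an instance refresh so running instances are replaced too.
# Prints the new launch configuration name, or "up-to-date" when nothing changed.
rotate_ami() {
    asg="$1"; instance_type="$2"
    want=$(latest_ami); have=$(current_ami "$asg")
    if [ "$want" = "$have" ]; then
        echo up-to-date
        return 0
    fi
    lc="$asg-$(date -u +%Y%m%d%H%M%S)"   # unique name; old config stays for rollback
    aws autoscaling create-launch-configuration --launch-configuration-name "$lc" \
        --image-id "$want" --instance-type "$instance_type"
    aws autoscaling update-auto-scaling-group --auto-scaling-group-name "$asg" \
        --launch-configuration-name "$lc"
    aws autoscaling start-instance-refresh --auto-scaling-group-name "$asg" \
        --query InstanceRefreshId --output text >/dev/null
    echo "$lc"
}

# Usage (placeholders): rotate_ami web-asg t3.micro
```

Run it on a schedule (for example from a cron job or a scheduled Lambda) rather than by hand, otherwise the configuration drifts again. AWS now recommends launch templates over launch configurations; the same compare-then-rotate logic applies there with `create-launch-template-version` and a version bump on the group.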
7. Never stay with AWS Basic Support only
AWS Basic Support offers all AWS customers access to the Resource Center, Service Health Dashboard, Product FAQs, Discussion Forums and Support for Health Checks. All of it is free of charge. And that’s it: no other help if you get into trouble. You are not even allowed to open a technical support case. If you require such support, which is of course not only for mission-critical production environments, you have to pay for it.
You can choose between a few support plans according to your needs. They differ in technical support access, severities/response times and, of course, price. For your mission-critical applications, you should consider either the Business or the Enterprise Support Plan.
DO YOU NEED MORE?
It’s not over. I’ve prepared a checklist that you can download below. Use it with your AWS environment today.