AWS

Created: 2016-02-17 11:23:12 -0800 Modified: 2020-05-27 10:41:35 -0700

  • Set up an IAM user so that you’re not using the root account for anything.
  • Set up proper security policies here (MFA, delete root access keys, etc.)
  • Set a monthly budget here so that if your secret key is compromised, people don’t mine bitcoins and rack up hundreds of thousands of dollars on your account.
  • The Free Tier is split into two parts: a one-year-long trial (reference) and an always-free tier (reference). Be careful with some of the “always”-free-tier stuff, e.g. DeviceFarm gives you 1,000 minutes for free, but it doesn’t refresh monthly.
  • Simple explanation of each AWS offering in plain English: https://expeditedsecurity.com/aws-in-plain-english/
  • Free ebook by AWS themselves on how to get started with AWS here.
  • You can pin your frequently used consoles with the 📌 button (reference).
  • Use of the AWS API does not cost any money in and of itself. This means you’re not charged for the API call to query your running instances or create a new one, but you ARE charged for the instances that you create, even if they’re not running for long.
  • For controlling access, there are IAM roles and security groups, but they each do different things. An IAM role is for API access to AWS, e.g. if you want to use the API to make a brand new RDS instance. A security group controls network traffic, e.g. if you don’t want a particular VM or Lambda to be able to access the database.
  • An “ARN” is an “Amazon Resource Name” (reference).
  • Bandwidth: you are only charged for OUTGOING bandwidth. For example, if you do “git pull”, “npm install”, “wget”, “curl”, etc., you’re only being charged for the requests (which should be very small, e.g. ~100 bytes for an HTTP GET). The actual data you’re getting is likely many megabytes, but you’re not charged for that.
    • You are charged when clients pull data from your servers, since the response is outgoing bandwidth; if they fetch HTML files, for example, you’re getting charged for that.
    • Internal traffic is 100% free no matter the direction, so if you do a “git pull” from one EC2 instance to a repo stored on another EC2 instance, then it’s free as long as they’re in the same region (since cross-region is over WAN).

If you ever run into problems where you can’t perform an operation that you think you should be able to perform, you should check if the computer you’re connecting from has time-drift issues. For example, I would run into this when I tried connecting from a VM on my machine after the host machine was in sleep mode for a while.

There’s a StackOverflow post on how to correct this here: http://stackoverflow.com/questions/27685288/aws-was-not-able-to-validate-the-provided-access-credentials
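An added example, not part of the original notes, that shows the check described above: AWS signs API requests with the client's timestamp (SigV4) and rejects them when the client clock is too far from its own, so the skew can be estimated from the HTTP `Date` header that any AWS endpoint returns. The 15-minute tolerance, the `sts.amazonaws.com` endpoint used for the live check and the sample header below are my assumptions, not values from the page.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
import urllib.error
import urllib.request

# SigV4 signatures carry the client's timestamp; AWS rejects requests whose
# timestamp is more than 15 minutes away from its own clock (assumed value).
MAX_SKEW_SECONDS = 15 * 60


def clock_skew_seconds(server_date_header: str, local_iso: str) -> float:
    """Local clock minus server clock, in seconds (positive = local is ahead).

    server_date_header: value of the HTTP "Date" header from an AWS response,
    e.g. "Wed, 17 Feb 2016 19:23:12 GMT".
    local_iso: the client's current time as an ISO 8601 string with an offset.
    """
    server_time = parsedate_to_datetime(server_date_header)
    local_time = datetime.fromisoformat(local_iso)
    if local_time.tzinfo is None:
        raise ValueError("local time must carry a UTC offset")
    return (local_time - server_time).total_seconds()


def sigv4_will_validate(server_date_header: str, local_iso: str) -> bool:
    """True if a request signed at local_iso would fall inside the AWS window."""
    return abs(clock_skew_seconds(server_date_header, local_iso)) <= MAX_SKEW_SECONDS


def live_skew_seconds(url: str = "https://sts.amazonaws.com/") -> float:
    """Live check (needs network): read the Date header from an AWS endpoint.
    Any response, including a 4xx error, carries a Date header, so no
    credentials are needed and nothing is signed."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            date_hdr = resp.headers["Date"]
    except urllib.error.HTTPError as err:
        date_hdr = err.headers["Date"]
    return clock_skew_seconds(date_hdr, datetime.now(timezone.utc).isoformat())


if __name__ == "__main__":
    # Constructed sample: a VM woke from sleep with its clock 40 minutes behind.
    server = "Wed, 17 Feb 2016 19:23:12 GMT"
    stale_local = "2016-02-17T18:43:12+00:00"
    print("skew (s):", clock_skew_seconds(server, stale_local))
    print("signed requests accepted:", sigv4_will_validate(server, stale_local))
```

Run `live_skew_seconds()` from the machine that gets the credential error; a result well outside the window points at the clock, not the keys.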