by mycentstoo
1201 days ago
A few suggestions:

1. Application / service to service secrets should be handled either by Vault or AWS Param Store. Both are good. AWS Param Store is easier but less feature rich. Ideally, your Vault instance would have the database engine which allows for automatic rotation and password management of databases like Postgres.

2. Developers should only have access to AWS through SSO using something like Okta. Okta has MFA through its own authenticator app (not through SMS).

3. Password sharing should be handled with something like sops or, if you need a more lightweight solution, Password Pusher. Sops works really well for hiding credentials within code that needs to be deployed. A team managed 1Password instance works well too.

4. Terraform should inherit a role that gives permissions to run against infrastructure. That role should be short lived and limited to running in a CI/CD environment (preferably on your own runner if that's possible).

5. You should have a separate AWS environment for running test projects. You can do this virtually (localstack) or physically through having a separate AWS account. I prefer the latter since it's the real thing and implements all the APIs. Localstack can be decent though.

If I had to set up an organization now, I would have a minimum of 3 AWS accounts. One for production infrastructure, one for staging environments and one for test environments. I would also add in AWS Budget Alerts and Cost Anomaly detection to prevent huge spend on it.
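An added Terraform example (not from the comment above) of suggestions 4 and 5: a role that only a CI/CD runner can assume, with the shortest session lifetime AWS permits, next to a budget alert and a cost anomaly monitor. It assumes an OIDC identity provider for the runner is already registered in the account; `ci_oidc_provider_arn`, `ci_oidc_issuer`, `ci_subject`, `alert_email` and the policy attached to the role are placeholders.

```hcl
# Added example, not the commenter's code. The runner is assumed to authenticate
# with an OIDC provider already created in the account; all variables are
# placeholders to be filled in for a real pipeline.
variable "ci_oidc_provider_arn" { type = string } # ARN of the registered OIDC provider
variable "ci_oidc_issuer"       { type = string } # provider hostname, without https://
variable "ci_subject"           { type = string } # the "sub" claim of the pipeline's token
variable "alert_email"          { type = string }
variable "ci_policy_arn"        { type = string } # least-privilege policy scoped to the stacks CI manages

data "aws_iam_policy_document" "ci_trust" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]
    principals {
      type        = "Federated"
      identifiers = [var.ci_oidc_provider_arn]
    }
    # Only a token issued for this exact pipeline may assume the role, so the
    # role cannot be picked up from a developer laptop or another job.
    condition {
      test     = "StringEquals"
      variable = "${var.ci_oidc_issuer}:sub"
      values   = [var.ci_subject]
    }
  }
}

resource "aws_iam_role" "terraform_ci" {
  name                 = "terraform-ci"
  assume_role_policy   = data.aws_iam_policy_document.ci_trust.json
  max_session_duration = 3600 # one hour, the minimum AWS allows; each run re-authenticates
}

resource "aws_iam_role_policy_attachment" "terraform_ci" {
  role       = aws_iam_role.terraform_ci.name
  policy_arn = var.ci_policy_arn
}

# Budget alert: notify when forecasted monthly spend passes 80% of the limit.
resource "aws_budgets_budget" "monthly" {
  name         = "monthly-spend"
  budget_type  = "COST"
  limit_amount = "500" # placeholder amount, in USD
  limit_unit   = "USD"
  time_unit    = "MONTHLY"

  notification {
    comparison_operator        = "GREATER_THAN"
    threshold                  = 80
    threshold_type             = "PERCENTAGE"
    notification_type          = "FORECASTED"
    subscriber_email_addresses = [var.alert_email]
  }
}

# Cost anomaly detection per AWS service, the second control the comment names.
resource "aws_ce_anomaly_monitor" "services" {
  name              = "service-spend"
  monitor_type      = "DIMENSIONAL"
  monitor_dimension = "SERVICE"
}
```

The same role should be applied in each of the separate accounts the comment recommends, so that a test-account pipeline can never reach production.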