Auditing an AWS Deployment

This is organized by AWS Console areas e.g. IAM, Billing & Cost Management, etc.



Identity and Access Management (IAM)

First review best practices for IAM. Keep these in mind when auditing. Make lists about what needs to be checked, and what needs to be changed, but DO NOT make changes until you are absolutely sure there are no unwanted side-effects. It’s easy to create downtime with the click of button!

Review of IAM Best Practices:

Remember that a user does not necessarily need to be a person. Applications can be users, but also consider using Roles instead.

Create and analyze a Credential Report:

If multiple users and/or applications are using the same access keys then neither the Access Advisor nor the Credential Report provide sufficient information. Check if CloudTrail is available. This may not be necessary if you are auditing code repositories as well, but for larger projects this may be the only comprehensive solution.

Make a list of users and their access keys. This is useful when analyzing application deployments and server environments (and code repositories - gasp) for credentials used.

Billing & Cost Management

Check the Cost Explorer. Enable it if necessary - it does not cost anything.