- All instances should have IAM roles (instance profiles), so that no long-lived access keys have to be stored on the instance.
- All non-ephemeral instances should have elastic IP addresses.
- Ephemeral instances are instances in autoscaling groups and spot instances; they get replaced, so a fixed address does not apply to them.
- All buckets should have bucket (server access) logging enabled.
- Destination buckets for bucket logs should store nothing but bucket logs.
- Destination buckets for bucket logs should have lifecycle rules enabled, so that old logs expire instead of accumulating forever.
- Netflix ICE (AWS usage and cost reporting) should be running.
- All instances should be running in a VPC, not EC2-Classic.
- All queues should have dead-letter queues (DLQs). Every DLQ should have some form of monitoring (for example a CloudWatch alarm on the number of visible messages) that delivers SNS alerts.
- All security groups should have explicitly provisioned egress rules. The default outbound rule that AWS adds to every new group allows all traffic to 0.0.0.0/0 and should be replaced.
- All launch configurations should reference AMIs that are still accessible. If an AMI is made private or deregistered, the launch configuration must be updated, or the autoscaling group will fail to launch instances.
- All Lambda function log groups should have a metric filter and alarm for timeouts (the "Task timed out after ..." log line) that delivers to an SNS topic.
- All CloudWatch logs should regularly be exported to S3. The CloudWatch console falls over quickly when searching across many streams.
- All CloudWatch log groups should have a finite retention period. It should be longer than the interval at which logs are exported to S3, so that no logs expire before they are exported.
- All VPCs should have VPC flow logs enabled.
- All VPCs should have egress-restricting security groups set up (see the egress rule above).
- Tag all on-demand, reserved, and scheduled instances with an expected price per hour.
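As an added example (not part of the original checklist, and not any project's own tooling), the Python script below checks several of the rules above offline: IAM role, VPC membership, elastic IP for non-ephemeral instances, the allow-all egress rule, log retention versus export cadence, and Lambda timeouts. The input snapshots are constructed sample data shaped like the corresponding boto3 describe_* responses; every instance id, group id, log group name and log line is made up, and the 7-day export interval is an assumption. Ephemerality is derived from the aws:autoscaling:groupName tag that ASG members carry and from InstanceLifecycle == "spot".

```python
"""Offline audit of several checklist rules over constructed AWS snapshots."""
import re

# Constructed sample data, shaped like ec2.describe_instances()["Reservations"][*]["Instances"][*]
INSTANCES = [
    {   # well-behaved on-demand instance: role, VPC, and an EIP (see ADDRESSES)
        "InstanceId": "i-0a", "VpcId": "vpc-1",
        "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/web"},
        "Tags": [{"Key": "Name", "Value": "web-1"}],
    },
    {   # ASG member: exempt from the EIP rule, but still needs a role
        "InstanceId": "i-0b", "VpcId": "vpc-1",
        "Tags": [{"Key": "aws:autoscaling:groupName", "Value": "web-asg"}],
    },
    {   # spot instance: ephemeral, has a role
        "InstanceId": "i-0c", "VpcId": "vpc-1", "InstanceLifecycle": "spot",
        "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/batch"},
        "Tags": [],
    },
    {   # EC2-Classic leftover: no VpcId, no role, no EIP
        "InstanceId": "i-0d", "Tags": [{"Key": "Name", "Value": "legacy"}],
    },
]

# Shaped like ec2.describe_addresses()["Addresses"][*] (constructed)
ADDRESSES = [{"PublicIp": "203.0.113.10", "InstanceId": "i-0a"}]

# Shaped like ec2.describe_security_groups()["SecurityGroups"][*] (constructed)
SECURITY_GROUPS = [
    {   # the default egress rule AWS adds to every new group: everything, everywhere
        "GroupId": "sg-open", "IpPermissionsEgress": [
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {   # explicitly provisioned egress: HTTPS to one internal CIDR only
        "GroupId": "sg-tight", "IpPermissionsEgress": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []}]},
]

# Shaped like logs.describe_log_groups()["logGroups"][*] (constructed);
# retentionInDays is absent when the group is set to never expire
LOG_GROUPS = [
    {"logGroupName": "/aws/lambda/ok", "retentionInDays": 14},
    {"logGroupName": "/aws/lambda/too-short", "retentionInDays": 3},
    {"logGroupName": "/aws/lambda/forever"},
]

# Constructed Lambda log lines; "Task timed out after" is the line Lambda
# writes when a function hits its configured timeout
LAMBDA_LOG_LINES = [
    "START RequestId: 1a2b Version: $LATEST",
    "2024-01-01T00:00:03.000Z 1a2b Task timed out after 3.00 seconds",
    "REPORT RequestId: 1a2b Duration: 3003.12 ms Billed Duration: 3000 ms",
    "START RequestId: 3c4d Version: $LATEST",
    "END RequestId: 3c4d",
]


def is_ephemeral(inst):
    """ASG members carry the aws:autoscaling:groupName tag; spot instances
    report InstanceLifecycle == "spot". Both are exempt from the EIP rule."""
    tags = {t["Key"] for t in inst.get("Tags", [])}
    return "aws:autoscaling:groupName" in tags or inst.get("InstanceLifecycle") == "spot"


def audit_instances(instances, addresses):
    """Return {instance_id: [violations]} for the role, VPC and EIP rules."""
    with_eip = {a["InstanceId"] for a in addresses if "InstanceId" in a}
    findings = {}
    for inst in instances:
        problems = []
        if "IamInstanceProfile" not in inst:
            problems.append("no IAM role")
        if "VpcId" not in inst:
            problems.append("not in a VPC")
        if not is_ephemeral(inst) and inst["InstanceId"] not in with_eip:
            problems.append("non-ephemeral instance without elastic IP")
        if problems:
            findings[inst["InstanceId"]] = problems
    return findings


def audit_security_group_egress(groups):
    """Return ids of groups whose egress still allows all protocols to anywhere."""
    anywhere = {"0.0.0.0/0", "::/0"}
    bad = []
    for g in groups:
        for perm in g.get("IpPermissionsEgress", []):
            cidrs = {r["CidrIp"] for r in perm.get("IpRanges", [])}
            cidrs |= {r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])}
            if perm.get("IpProtocol") == "-1" and cidrs & anywhere:
                bad.append(g["GroupId"])
                break
    return bad


def audit_log_retention(log_groups, export_every_days):
    """Names of groups whose retention is unset (never expire) or not longer
    than the export cadence, i.e. logs could be lost before reaching S3."""
    return [g["logGroupName"] for g in log_groups
            if g.get("retentionInDays") is None or g["retentionInDays"] <= export_every_days]


TIMEOUT_RE = re.compile(r"Task timed out after")


def lambda_timeout_request_ids(lines):
    """Request ids of timed-out invocations; a CloudWatch metric filter on the
    same phrase is what would feed the SNS alarm in production."""
    return [line.split()[1] for line in lines if TIMEOUT_RE.search(line)]


if __name__ == "__main__":
    print(audit_instances(INSTANCES, ADDRESSES))
    print(audit_security_group_egress(SECURITY_GROUPS))
    print(audit_log_retention(LOG_GROUPS, export_every_days=7))
    print(lambda_timeout_request_ids(LAMBDA_LOG_LINES))
```

Against a real account the same functions can be fed the paginated output of the named boto3 calls; the checks deliberately treat a missing `retentionInDays` (never expire) as a violation, since the rule asks for a finite retention, and they do not flag a group with an empty egress list, which is the most restrictive state.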