AWS Best Practices Healthcheck

A best practices checklist to help you review your AWS accounts.


It’s a good investment to regularly review your AWS accounts — on at least a quarterly basis — and see if there are any gaps between what you are doing and what the best practices are.

AWS is a sophisticated, complex cloud, and therefore the best practices are also sophisticated and complex, and in some cases unique to each situation. AWS also doesn't stand still: the pace of change at AWS means what was a best practice last year may no longer apply. Healthchecks are a way to keep up.

The goal of this checklist is to give AWS administrators a simplified list of what to check with links to other useful resources should they need to go deeper. It’s recommended to automate this where possible, and tools are noted to help with this.

Sign up for a free healthcheck from Cloudsoft

Fill in the form and one of our experts will get in touch and see if we can help you:

  1. Understand your current AWS situation, if you have an immediate problem to fix or a specific goal to target.
  2. Take an application-centred look at your AWS setup and see what improvements we can recommend.
  3. Offer a Well-Architected Review, which is more in-depth: our approved engineers apply the official AWS Well-Architected program to your workloads.


Security best practices

AWS is responsible for the security of the cloud (the physical facilities, hardware and the managed services themselves); you are responsible for security in the cloud, meaning everything you configure and run on it: identities and permissions, network rules, encryption settings, patching of your instances and your application code. This is the AWS shared responsibility model, and most of the findings a healthcheck turns up sit on the customer side of that line.

Where security was once a reason people cited for NOT going to AWS, the security controls and tooling available in AWS are now so advanced that security is a driver for moving to AWS.

There are existing security frameworks and checklists for you to follow, and some of them are automated.

We recommend using the free and open source Prowler to automate your checks.

Prowler is a command line tool for AWS security best practices assessment, auditing, hardening and forensics readiness. Its checks are organised into groups, selected with the group name shown in brackets below (passed to Prowler's `-g` option):

  • Identity and Access Management (22 checks) [group1]
  • Logging (9 checks) [group2]
  • Monitoring (14 checks) [group3]
  • Networking (4 checks) [group4]
  • CIS Level 1 [cislevel1]
  • CIS Level 2 [cislevel2]
  • Extras (39 checks) see Extras section [extras]
  • Forensics related group of checks [forensics-ready]
  • GDPR [gdpr]
  • HIPAA [hipaa]

It follows the CIS Amazon Web Services Foundations Benchmark (49 checks) and adds 40 further checks, including ones related to GDPR and HIPAA. Run it from a read-only (SecurityAudit) role, on a schedule, and keep the reports so that you can compare quarter on quarter rather than only looking at the latest snapshot.
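To make concrete what "automating the checks" means, here is an added example (not Prowler's code and not part of the original page) that implements three of the CIS Foundations IAM checks against an IAM credential report: console users without MFA, root-account MFA and access keys, and access keys not rotated within 90 days. The credential report is what `aws iam get-credential-report` returns (base64-encoded CSV); the SAMPLE_REPORT below is constructed, trimmed to the columns used here, uses the documentation placeholder account ID 123456789012, and REPORT_DATE is an assumed generation date so the key ages are reproducible offline. The CIS item numbers in the comments follow the v1.2.0 numbering.

```python
import csv
import io
from datetime import datetime, timezone

MAX_KEY_AGE_DAYS = 90  # CIS rotation window for access keys
NO_VALUE = {"N/A", "no_information", "not_supported", ""}  # report placeholders

# Constructed sample report (not real account data; 123456789012 is the AWS
# documentation placeholder account ID). Column names follow the layout of
# `aws iam get-credential-report` after base64-decoding the Content field,
# trimmed to the columns this example reads.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service
<root_account>,arn:aws:iam::123456789012:root,2019-01-10T09:00:00+00:00,not_supported,2020-03-01T10:00:00+00:00,not_supported,not_supported,false,true,2019-01-10T09:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,2019-06-01T09:00:00+00:00,true,2020-03-30T08:00:00+00:00,2020-02-01T09:00:00+00:00,2020-05-01T09:00:00+00:00,true,true,2020-03-01T09:00:00+00:00,2020-03-30T08:00:00+00:00,eu-west-1,s3,false,N/A,N/A,N/A,N/A
bob,arn:aws:iam::123456789012:user/bob,2019-06-01T09:00:00+00:00,true,2020-03-29T08:00:00+00:00,2019-12-01T09:00:00+00:00,2020-03-01T09:00:00+00:00,false,true,2019-06-01T09:00:00+00:00,2020-03-29T08:00:00+00:00,eu-west-1,ec2,false,N/A,N/A,N/A,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2019-09-15T09:00:00+00:00,false,no_information,N/A,N/A,false,true,2020-01-15T09:00:00+00:00,2020-03-30T07:00:00+00:00,eu-west-1,ecr,true,2019-09-15T09:00:00+00:00,N/A,N/A,N/A
"""

# Assumed generation time of the sample report; key ages are measured from here.
REPORT_DATE = datetime(2020, 4, 1, 9, 0, tzinfo=timezone.utc)


def parse_report(text):
    """Parse the CSV credential report into one dict per IAM principal."""
    return list(csv.DictReader(io.StringIO(text)))


def parse_ts(value):
    """Return a timezone-aware datetime, or None for the report's placeholder values."""
    if value in NO_VALUE:
        return None
    return datetime.fromisoformat(value)


def root_findings(rows):
    """Root account must have MFA (CIS 1.13) and no access keys at all (CIS 1.12)."""
    findings = []
    for r in rows:
        if r["user"] != "<root_account>":
            continue
        if r["mfa_active"] != "true":
            findings.append("root account has no MFA")
        if r["access_key_1_active"] == "true" or r["access_key_2_active"] == "true":
            findings.append("root account has an active access key")
    return findings


def console_users_without_mfa(rows):
    """IAM users with a console password but no MFA device (CIS 1.2)."""
    return sorted(
        r["user"]
        for r in rows
        if r["user"] != "<root_account>"
        and r["password_enabled"] == "true"
        and r["mfa_active"] != "true"
    )


def stale_access_keys(rows, now=REPORT_DATE, max_age_days=MAX_KEY_AGE_DAYS):
    """Active access keys not rotated within max_age_days (CIS 1.4).

    Returns (user, key_slot, age_in_days) tuples in report order; both key
    slots are checked because a user can hold two keys at once.
    """
    stale = []
    for r in rows:
        for slot in (1, 2):
            if r[f"access_key_{slot}_active"] != "true":
                continue
            rotated = parse_ts(r[f"access_key_{slot}_last_rotated"])
            if rotated is None:
                continue
            age = (now - rotated).days
            if age > max_age_days:
                stale.append((r["user"], slot, age))
    return stale


if __name__ == "__main__":
    rows = parse_report(SAMPLE_REPORT)
    for finding in root_findings(rows):
        print("FAIL", finding)
    for user in console_users_without_mfa(rows):
        print("FAIL console user without MFA:", user)
    for user, slot, age in stale_access_keys(rows):
        print(f"FAIL {user} access key {slot} last rotated {age} days ago")
```

On the sample data this flags the root account (no MFA, active access key), bob (console access without MFA) and three keys older than 90 days. Against a real account, feed in the decoded output of `aws iam get-credential-report` and use the real report time in place of REPORT_DATE; a failing check should be a ticket with an owner, not just a line in a report.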

Cost-optimization best practices

It is very visible where money is spent in the cloud.

On-premises systems are capex-driven: a large payment once every few years, after which the hardware is a sunk cost. Cloud systems like AWS are opex-driven: you pay every month for what you have provisioned, whether or not it is used. That difference is why the best practices for cost management in the cloud are different.

A regular review of how you manage costs on AWS, and a check of your “cost mindset” is an important — non-optional — regular best practice. One person should be accountable for AWS costs and everyone is responsible for being cost-optimized.

The summary of the cost best practices are:

  1. Are you using all the cost-control features of AWS, including resource tagging to track who is spending what?
  2. Do you have an application-centred view of costs?
  3. Can you associate every dollar spent to individuals and/or teams?
  4. Do you have a regular budget cadence in effect with actions to keep downward pressure on costs?
  5. Are you architecting your applications with cost in mind? If you’ve lifted-and-shifted virtual machines into the cloud, are you bringing a Capex-mindset into an Opex-environment?

The AWS console has ever more sophisticated cost tooling through Budgets and Cost Explorer, and a healthcheck should look for evidence of whether these are actually being used (budgets defined, alerts configured, someone receiving them). Third-party tools like CloudCheckr, Cloudability and CloudHealth offer additional capabilities.

This AWS paper Cost Management in the Cloud also goes into details on cost-oriented best practices.

Application Architecture Best Practices

Learn from the experience of others to get your application right first time.

To exploit the cloud you have to architect your applications for the cloud. Lifting-and-shifting a virtual machine from non-cloud on-premises to AWS does not mean you are immediately benefiting from all the resilience, performance and many other advantages of AWS.

One of the most common types of applications on AWS is web applications. These are ideal for AWS because they are usually highly decomposable, meaning you can spread them across multiple Availability Zones for resilience and scale, and use higher-order AWS managed services like the Relational Database Service (RDS) so you no longer need to operate the database yourself.

To really get the benefit from the cloud, the remaining best practices relate to resilience and to making sure your application exploits what AWS provides rather than simply running on it.

Summary

Check your AWS practices at least once a quarter against the evolving AWS best practices that are appropriate for your business, your applications, your needs.

Engage an Advanced AWS Consulting partner like Cloudsoft for additional and local support.