New AWS account - policies and procedures

@tanner and I had a small meeting to discuss how we’re going to do things on the new AWS account and we’ve come up with a few ideas:

  • Accounts require MFA to be enabled and password changes every 180 days.

  • We’ve made a “base” policy group on AWS that only allows access to core services (EC2, RDS, CloudFormation, full list here). This disables services we don’t plan on using and services that need a bit of guidance so they can be used correctly. This will be the default for all new accounts and we’ll add more permissions as needed.

  • We’re going with a multi-VPC setup to silo different environments. We were originally going to do a VPC per app but that will be difficult to manage. We’ll set up 3 VPCs for prod, staging and dev.

Anything else we should consider?
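One way to see how the “base” policy group and the MFA requirement fit together, as an added example that is not part of the post above: an IAM policy that allows only the core services and explicitly denies everything else when no MFA is present, plus a small offline evaluator that walks IAM's explicit-deny / explicit-allow / implicit-deny order so the policy can be checked before it is attached. The statement names, the self-service MFA action list in the `NotAction` block and the evaluator itself are assumptions made for this example (the evaluator only understands `Bool` and `BoolIfExists` conditions, which is all the sample policy uses).

```python
"""Offline check of a base IAM policy: core services only, denied without MFA.

Added example, not the team's actual policy. The evaluator is a deliberately
small model of IAM decision logic (explicit Deny wins, then explicit Allow,
otherwise implicit Deny) and only supports Bool/BoolIfExists conditions.
"""
from fnmatch import fnmatchcase

# Constructed policy document (hypothetical Sids and action lists).
BASE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowCoreServices",
            "Effect": "Allow",
            "Action": ["ec2:*", "rds:*", "cloudformation:*"],
            "Resource": "*",
        },
        {
            # Let a user without MFA still enrol a device; real policies scope
            # the Resource to the caller's own user ARN.
            "Sid": "AllowSelfServiceMFA",
            "Effect": "Allow",
            "Action": [
                "iam:ListMFADevices",
                "iam:CreateVirtualMFADevice",
                "iam:EnableMFADevice",
                "iam:ChangePassword",
                "sts:GetSessionToken",
            ],
            "Resource": "*",
        },
        {
            # BoolIfExists: the deny also fires when the MFA key is absent,
            # i.e. for console/API calls made with plain long-term credentials.
            "Sid": "DenyWithoutMFA",
            "Effect": "Deny",
            "NotAction": [
                "iam:ListMFADevices",
                "iam:CreateVirtualMFADevice",
                "iam:EnableMFADevice",
                "iam:ChangePassword",
                "sts:GetSessionToken",
            ],
            "Resource": "*",
            "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
        },
    ],
}


def _match_any(patterns, action):
    """IAM action matching: case-insensitive with '*' wildcards."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def _action_matches(stmt, action):
    if "Action" in stmt:
        return _match_any(stmt["Action"], action)
    if "NotAction" in stmt:
        return not _match_any(stmt["NotAction"], action)
    return False


def _condition_holds(stmt, context):
    """Evaluate Bool / BoolIfExists conditions against the request context."""
    for operator, pairs in stmt.get("Condition", {}).items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                if operator == "BoolIfExists":
                    continue  # missing key counts as a match for ...IfExists
                return False  # plain Bool on a missing key never matches
            if str(actual).lower() != str(expected).lower():
                return False
    return True


def evaluate(policy, action, context):
    """Return (allowed, deciding_sid) following IAM's evaluation order."""
    decision, reason = False, "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _action_matches(stmt, action) or not _condition_holds(stmt, context):
            continue
        if stmt["Effect"] == "Deny":
            return False, stmt.get("Sid", "Deny")  # explicit deny always wins
        decision, reason = True, stmt.get("Sid", "Allow")
    return decision, reason


def is_allowed(policy, action, context):
    return evaluate(policy, action, context)[0]


if __name__ == "__main__":
    mfa = {"aws:MultiFactorAuthPresent": "true"}
    for action, ctx in [
        ("ec2:DescribeInstances", mfa),
        ("ec2:DescribeInstances", {}),
        ("s3:ListAllMyBuckets", mfa),
        ("iam:EnableMFADevice", {}),
    ]:
        allowed, why = evaluate(BASE_POLICY, action, ctx)
        print(f"{action:24} mfa={bool(ctx)!s:5} -> {'ALLOW' if allowed else 'DENY ':5} ({why})")
```

Running the script prints one line per sample request; the `s3:` case shows the implicit deny that the base group relies on (no Allow statement matches), while the `ec2:` case without MFA shows the explicit deny doing its job even though EC2 is a core service.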