# AWS Best Practices

1. Manage identity and access using the principles of least privilege
   1. Authenticate via single sign-on (SSO) & enable MFA within the SSO provider.
      * If SSO is not in use, enforce MFA and a strong password policy on the local IAM users instead of relying on passwords alone.
   2. Separate admin accounts from normal user accounts.
   3. Limit cluster creation rights/permissions.
   4. Store and use Personal Access Tokens (PATs) securely: keep them in a secrets manager, never in source control or shared chat, and rotate them.
   5. Use cross-account IAM roles (assumed via `sts:AssumeRole` with an ExternalId) instead of sharing long-lived IAM user access keys between accounts.
2. Protect data in-transit
   * Use AWS PrivateLink so traffic between VPCs stays on the AWS network instead of traversing the public internet.
3. Secure your EKS cluster & network
   1. Enable control-plane [audit and authenticator logging](https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html) so every Kubernetes API call and authentication attempt is recorded in CloudWatch Logs.
   2. Enable [external ingress](https://docs.e6data.com/product-documentation/~/revisions/W5MExJCuvHiG1ioEcgOy/connectors-and-drivers/configure-cluster-ingress) to clusters only for the users/IPs that require it.
   3. [Restrict the EKS cluster endpoint by IP](https://repost.aws/knowledge-center/eks-lock-api-access-IP-addresses) (public access CIDRs) so the Kubernetes management API is reachable only from e6data IPs; keep private endpoint access enabled for clients inside the VPC.
   4. Implement network exfiltration protections.
      * Enable [S3 access logging](https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-server-access-logging.html) on the data buckets so unexpected reads and copies show up in the log.
   5. Apply EKS service controls.
   6. Use VPC endpoint policies to restrict which buckets and service resources can be reached through each endpoint.
   7. Configure PrivateLink
4. Use EKS best practices when deploying workspaces
   * Add tags for cost monitoring
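The cross-account role from item 1.5 above, as an added example that is not e6data's own code or tooling. It builds a trust policy that admits exactly one role from the trusted account and only when it presents the agreed ExternalId, attaches a read-only permissions policy scoped to a single bucket, and issues the AWS CLI calls. The account ID, role names and bucket are placeholders, and `DRY_RUN=1` (the default) prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example (not e6data's own code): create a cross-account IAM role that a
# trusted account assumes with sts:AssumeRole + ExternalId, in place of sharing
# long-lived access keys. Account ID, role and bucket names are placeholders.
# DRY_RUN=1 (the default) prints the AWS CLI calls instead of executing them.
set -eu
DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, run it for real otherwise.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Trust policy: exactly one principal (a named role in the trusted account) may
# assume this role, and only when it presents the agreed ExternalId. The
# ExternalId is what stops a third party from tricking the partner into
# assuming your role on its behalf (the confused-deputy problem).
trust_policy() {
  trusted_account="$1"; trusted_role="$2"; external_id="$3"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::${trusted_account}:role/${trusted_role}"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "${external_id}"}}
  }]
}
EOF
}

# Permissions policy: one bucket, read-only, and no eks:* at all, so the assumed
# role can neither create clusters nor reach other data. Widen only per a
# documented need; never "Action": "*" with "Resource": "*".
permissions_policy() {
  bucket="$1"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": "arn:aws:s3:::${bucket}"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject"],
      "Resource": "arn:aws:s3:::${bucket}/*"
    }
  ]
}
EOF
}

create_cross_account_role() {
  role="$1"; trusted_account="$2"; trusted_role="$3"; external_id="$4"; bucket="$5"
  run aws iam create-role --role-name "$role" \
    --max-session-duration 3600 \
    --assume-role-policy-document "$(trust_policy "$trusted_account" "$trusted_role" "$external_id")"
  run aws iam put-role-policy --role-name "$role" --policy-name least-privilege-s3-read \
    --policy-document "$(permissions_policy "$bucket")"
}

# Usage with placeholders. The ExternalId must be a random secret agreed with the
# other party out of band (for example the output of `openssl rand -hex 16`).
create_cross_account_role e6data-cross-account 123456789012 e6data-control-plane \
  "replace-with-random-external-id" my-data-bucket
```

The trust policy names a specific role rather than `arn:aws:iam::<account>:root`; the latter would let any principal in the trusted account with `sts:AssumeRole` permission assume the role. Session duration is capped at one hour so a leaked set of temporary credentials expires quickly.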
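The EKS and S3 hardening steps from section 3 above (items 3.1, 3.3, 3.4 and 3.6), as one added example that is not e6data's own code or tooling. It enables control-plane audit and authenticator logs, locks the Kubernetes API endpoint to an allow-list of CIDRs (refusing `0.0.0.0/0`, which is the EKS default), turns on S3 server access logging for the data bucket, and installs a gateway-endpoint policy that permits only that bucket. Cluster, bucket and endpoint names and the CIDRs are placeholders; `DRY_RUN=1` (the default) prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example (not e6data's own code): harden an existing EKS cluster and its
# S3 data path with the AWS CLI. Cluster, bucket and endpoint names and CIDRs are
# placeholders. DRY_RUN=1 (the default) prints the calls instead of running them.
set -eu
DRY_RUN="${DRY_RUN:-1}"

run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Guard against the two common mistakes in a public-access allow-list: leaving
# 0.0.0.0/0 (the EKS default) in place, or passing a bare host address.
check_cidrs() {
  for cidr in $(printf '%s' "$1" | tr ',' ' '); do
    case "$cidr" in
      0.0.0.0/0) echo "refusing to allow the whole internet ($cidr)" >&2; return 1 ;;
      */*) ;;
      *) echo "missing prefix length in $cidr (use /32 for a single host)" >&2; return 1 ;;
    esac
  done
  return 0
}

# 3.1 Control-plane audit + authenticator logs to CloudWatch Logs.
enable_control_plane_logs() {
  run aws eks update-cluster-config --name "$1" \
    --logging '{"clusterLogging":[{"types":["audit","authenticator"],"enabled":true}]}'
}

# 3.3 Kubernetes API reachable from the listed CIDRs only; private access stays
# on so nodes and in-VPC clients keep working.
lock_api_endpoint() {
  check_cidrs "$2"
  cidr_json="\"$(printf '%s' "$2" | sed 's/,/","/g')\""
  run aws eks update-cluster-config --name "$1" \
    --resources-vpc-config "{\"endpointPublicAccess\":true,\"endpointPrivateAccess\":true,\"publicAccessCidrs\":[$cidr_json]}"
}

# 3.4 S3 server access logging for the data bucket. The target bucket needs a
# bucket policy that lets logging.s3.amazonaws.com write objects to it.
enable_s3_access_logs() {
  run aws s3api put-bucket-logging --bucket "$1" \
    --bucket-logging-status "{\"LoggingEnabled\":{\"TargetBucket\":\"$2\",\"TargetPrefix\":\"s3-access/$1/\"}}"
}

# 3.6 Gateway-endpoint policy: only the named bucket is reachable through the
# endpoint, so a compromised workload cannot push data to a foreign bucket.
s3_endpoint_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": "*",
    "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::$1", "arn:aws:s3:::$1/*"]
  }]
}
EOF
}

restrict_s3_endpoint() {
  run aws ec2 modify-vpc-endpoint --vpc-endpoint-id "$1" \
    --policy-document "$(s3_endpoint_policy "$2")"
}

# EKS accepts one kind of configuration change per update and rejects further
# updates until the cluster is ACTIVE again, hence the waits between steps.
harden_cluster() {
  cluster="$1"; cidrs="$2"; data_bucket="$3"; log_bucket="$4"; vpce="$5"
  enable_control_plane_logs "$cluster"
  run aws eks wait cluster-active --name "$cluster"
  lock_api_endpoint "$cluster" "$cidrs"
  run aws eks wait cluster-active --name "$cluster"
  enable_s3_access_logs "$data_bucket" "$log_bucket"
  restrict_s3_endpoint "$vpce" "$data_bucket"
}

harden_cluster e6data-prod "203.0.113.0/24,198.51.100.0/24" \
  my-data-bucket my-s3-access-logs vpce-0123456789abcdef0
```

Two caveats before running this with `DRY_RUN=0`. Locking the public endpoint to e6data's CIDRs means your own administrators reach the API only from inside the VPC (VPN, bastion or a private connection), so confirm that path first. And a gateway-endpoint policy that allows only your own buckets also blocks the S3 bucket ECR uses to serve image layers; add `arn:aws:s3:::prod-<region>-starport-layer-bucket/*` to the policy if nodes pull images from ECR through that endpoint, or image pulls will fail.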
