Although you are responsible for your AWS and aMiSTACX environment, we wanted to put together an abbreviated post deployment checklist to help remind you of areas that are commonly overlooked for security and performance.
- AWS Security Groups : Restrict ports to IP Addresses that only require access. Common ports such as 22 and 8080 can be locked down. Port 80 can also be restricted when you make use of always HTTPS. If you are using RDS, you can also secure the communication between the EC2 and the RDS instance.
- DNS & WAF : We recommend Cloudflare for a WAF and for a CDN and DNS. With Cloudflare you can restrict and shape incoming traffic in many ways. With A51, you can make a Security Group template of Cloudflare Edge IPs, and apply them to each region and EC2.
- Cloudflare Edge Certificates : These help encrypt traffic from the CDN to your EC2.
- Change your Elastic IP : When you are all ready to go live into production, and you have DNS in place, you can easily swap out your Development IP. This helps block any data that may have been collected by bots during your development process.
- Local Permissions on the EC2 : Don’t ever use 777 except in Las Vegas. The amistacx compile script offers a good baseline permission and group foundation that you can tighten even further.
- Leverage the amistacx compile script : For Magento Open Source we have a very handy compile script.
- Leverage Windows RDP for a secure Development environment.
- Register and make use of A51 Monitoring & Control. It is an amazing platform specifically designed for performance and management. It’s included too!
- Read our common sense list. You might even have a laugh or two.
- Leave a review for aMiSTACX. In the A51 dashboard, there is an easy link in the details section of your EC2, or do it directly on AWS Marketplace. We love postive feedback!
- Cleanup : Post deployment or migration, make sure to remove any temp files, zip files, sql files. So many times we come across data on servers that really shouldn’t be there.
Run a quick search on your project. You will be amazed what you will find.
sudo find -name "*.zip"
- Consider removing Magento Dev tools from Production. In composer.json you have: require-dev and autoload-dev. Remove, update, and then re-compile.
sudo composer update --no-dev
- Switch Magento into Production mode for better speed and security.
- You may want to set RDS log_bin_trust_function_creators back to the default 0, if you are finished with imports.
- Enable Termination protection from AWS or A51. Takes only a few seconds, but can save you from a lot of grief. Many times we have observed professionals deleting there environment by accident. Termination protection can be applied for EC2s, CFTs, and RDS.
- Alerts & Reports : A51 can send you SMS alerts, reports to your desktop and to your email. It really is nice to get an alert when stuff is powered on and off.
- Automated backups : You can leverage A51 to set up automated backups of both EC2s and RDS. You can also use an auto-copy feature to make a backup copy in another zone.
- RBAC your Team : Leverage A51 and set up teams with RBAC. Then coupled with a secure Dev Environment on RDP, you can control who comes and goes at all time while keep your dev code secured.
- S3 Cleanup : Deployment CFT copies are created on S3, you may want to clean them up. Speaking of S3, you may also want to lock down access if you use any media modules.
- Default Passwords : Change all of the default passwords, and even the user names for production systems. You can also clear all the logs prior to production. A lot of times scripts print passwords in clear text to system logs.
- YouTube Channel : Check out some of our videos, they just may help you with configurations, or an area that you need some help with.
- 2FA Enable or WAF Rules : Enable Two Factor Authentication on Magento, or create a Cloudflare rule to restrict access to the Admin URL. You can also create rate-limiters to protect contact forms, and to help prevent bad bots. Same goes for WordPress, hide the URL using a plugin, and then use WAF to restrict access to the link.
- Use A51 Power Lock and Run Protect : It will prevent accidental power-downs of important systems. Happens all the time. A51 also has a sleep mode for RDS that prevents seven day cycle power-ups. [Can help reduce costs.] You can also power-lock an EC2 in a stopped state to prevent accident power-ups.
- Power Down Scheduler on A51 : Yes! You can automate power-ups and power-downs from A51.
- Questions? Ping our Bot. Humans monitor the bot all the time, and will even update answers within 24 to 48hrs should the bot not have the correct information. Much faster and more private than email, and if you need even more private help, we do have Wickr.
- Report Bugs! Please report bugs or errors, even if you solve them.
- Monitor AWS Billing : If you are new to AWS, set up a billing alert. AWS will bill you for almost anything.
- Leverage A51 to help prevent RDS auto-restart. If you are not using RDS, you can power it down to reduce costs, but AWS will start it up again in seven days. Desktop alerts and SMS will also alert you to a power-up event. You can also configure system reports to send you usage to your email.
- Have patience. Even the most knowledgable developers and admins get stuck and go through hoops and loops.
- Patch the OS! Post deployment, make a backup and patch the Ubuntu OS to get the latest updates for security.