I've been thinking about how terrifying it can be to accidentally perform actions in the wrong AWS account while using the CLI. I get that I'm definitely not the only one who feels this way, but I want to know the best practices or strategies others use to mitigate this fear. I've even considered using a separate machine just for updating the production account. Any suggestions?
5 Answers
Using tools like aws-vault helps manage your credentials securely, while also showing your profiles. Besides, utilizing continuous integration (CI) for deployments is a strong tactic to prevent human error. It can feel tedious, but being cautious is better than making a costly mistake!
You could use a terminal prompt that shows your current AWS account. For example, by modifying your terminal’s PS1 variable to display the account number being used, you'll always have a visual reminder of where you're executing commands. It can even change dynamically depending on the account you switch to!
This is actually a great tip! If you're using OhMyZsh, there's already a feature for this.
One way to handle this is to avoid having a default account set up in your AWS CLI. Instead, I use the '--profile ' option for every command. This forces me to specify the account each time, which reduces the risk of accidental commands in the wrong account.
Exactly! Being explicit about which profile you're using is key to staying safe.
Totally agree! If I don’t specify a profile, I want the command to fail instead of going to the wrong place.
I script my AWS commands to include checks for the environment before running anything. This way, I minimize the risk of mistakes. My scripts set up the right environment variables and ensure I'm hitting the correct account. I even suggest typing commands in an editor first to double-check before running them in the terminal.
This is smart! Having someone review commands before execution is a good practice.
Something like CloudShell is actually helpful for this issue. When using it, you always see the account name and role at the top, which makes it less likely you'll accidentally run commands in the wrong place. Also, make it a habit to run 'aws sts get-caller-identity' before any command to double-check your context.
I find CloudShell super handy too, especially for quick checks!
That's true! I've seen great results when I pushed for CI to be used for running prod commands.