AWS security is a shared responsibility. You are responsible for security "in" the cloud, while AWS secures the cloud itself.
S3 Bucket Security
# Block public access (Terraform)
# Turns on all four S3 Block Public Access settings for the bucket: public ACLs are
# rejected and ignored, public bucket policies are rejected, and access to a bucket
# that still carries a public policy is limited to this account.
resource "aws_s3_bucket_public_access_block" "secure" {
  bucket                  = aws_s3_bucket.main.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Enable encryption
# Objects uploaded without an explicit encryption header are encrypted with KMS
# (the AWS managed S3 key unless kms_master_key_id is set in the block below).
resource "aws_s3_bucket_server_side_encryption_configuration" "secure" {
  bucket = aws_s3_bucket.main.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "aws:kms"
    }
  }
}
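Terraform sets the desired state, but buckets created by hand or by other tooling drift, so the complementary task is an audit of what is actually configured. The following is an added example, not code from the page: it works on dictionaries shaped like the responses of boto3's S3 client (get_public_access_block, get_bucket_encryption, get_bucket_policy) and checks the same three things the Terraform above enforces, plus a bucket-policy scan for wildcard principals. The sample responses, bucket name and VPC endpoint id are constructed, and one block setting is deliberately left off so the audit has something to report.

```python
import json

# Constructed responses in the shape boto3's S3 client returns from
# get_public_access_block(), get_bucket_encryption() and get_bucket_policy().
# Values are made up for the example; one block setting is deliberately off.
PUBLIC_ACCESS_BLOCK = {
    "PublicAccessBlockConfiguration": {
        "BlockPublicAcls": True,
        "IgnorePublicAcls": True,
        "BlockPublicPolicy": False,
        "RestrictPublicBuckets": True,
    }
}

ENCRYPTION = {
    "ServerSideEncryptionConfiguration": {
        "Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]
    }
}

# get_bucket_policy() hands back the policy document as a JSON string.
BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "VpceOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
        {"Sid": "DenyInsecure", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})

REQUIRED_BLOCK_SETTINGS = (
    "BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets",
)


def missing_public_access_blocks(response):
    """Names of the four block settings that are not set to true."""
    cfg = response.get("PublicAccessBlockConfiguration", {})
    return [name for name in REQUIRED_BLOCK_SETTINGS if cfg.get(name) is not True]


def _as_list(value):
    # IAM policy grammar allows a single string wherever a list is expected.
    return value if isinstance(value, list) else [value]


def _principal_is_anyone(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_statements(policy_json):
    """Sids of Allow statements granting any principal access with no Condition.

    Conditioned wildcard statements are skipped, not cleared: aws:SourceVpce
    scopes access, but not every condition does, so they belong on a manual
    review list rather than being reported as plainly public.
    """
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_anyone(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue
        findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


def default_encryption_algorithm(response):
    """SSEAlgorithm of the first default-encryption rule, or None if unset."""
    rules = response.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    for rule in rules:
        return rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
    return None


def audit_bucket(public_access_block, encryption, policy_json):
    """Combine the three checks into a list of human-readable findings."""
    findings = []
    for name in missing_public_access_blocks(public_access_block):
        findings.append(f"public access block setting {name} is not enabled")
    for sid in public_statements(policy_json):
        findings.append(f"bucket policy statement {sid} allows any principal")
    algorithm = default_encryption_algorithm(encryption)
    if algorithm != "aws:kms":
        findings.append(f"default encryption is {algorithm!r}, expected aws:kms")
    return findings


if __name__ == "__main__":
    for finding in audit_bucket(PUBLIC_ACCESS_BLOCK, ENCRYPTION, BUCKET_POLICY):
        print(finding)
```

Against real buckets you would feed the three functions the live boto3 responses; note that get_bucket_encryption raises when no default encryption is configured, which the caller should treat as the same finding as a non-KMS algorithm.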
IAM Best Practices
- Never use the root account for daily tasks
- Enable MFA on all users (especially root)
- Use roles instead of long-lived access keys
- Apply least privilege (start with no permissions)
- Rotate access keys every 90 days
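The IAM credential report is the quickest way to measure an account against three of these items (root usage, MFA coverage, key age). The following is an added example, not from the page: it parses a CSV in the column layout of `aws iam get-credential-report` (decoded from the base64 the CLI returns) and reports root access keys, console users without MFA, and active keys older than 90 days. The report rows, account id, user names and the fixed "now" are constructed so the run is deterministic.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE = timedelta(days=90)
ROOT_USER = "<root_account>"  # literal user value the credential report uses for root

# Fixed "now" so the example is deterministic.
NOW = datetime(2024, 12, 15, tzinfo=timezone.utc)

# Constructed sample in the column layout of `aws iam get-credential-report`
# (the CLI returns it base64-encoded; this is the decoded CSV). All values are made up.
CREDENTIAL_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2023-01-01T00:00:00+00:00,not_supported,2024-11-30T08:00:00+00:00,not_supported,not_supported,false,true,2023-01-01T00:00:00+00:00,2024-11-30T08:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2023-05-01T00:00:00+00:00,true,2024-12-01T09:00:00+00:00,2024-10-01T00:00:00+00:00,N/A,true,true,2024-11-01T00:00:00+00:00,2024-12-01T09:00:00+00:00,eu-west-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,2022-02-01T00:00:00+00:00,false,no_information,N/A,N/A,false,true,2024-06-01T00:00:00+00:00,2024-12-01T10:00:00+00:00,us-east-1,ecr,true,2022-02-01T00:00:00+00:00,N/A,N/A,N/A,false,N/A,false,N/A
"""


def parse_report_time(value):
    """Report timestamps are ISO 8601; the non-date markers become None."""
    if value in ("N/A", "not_supported", "no_information", ""):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv, now=NOW, max_key_age=MAX_KEY_AGE):
    """Return (user, finding) pairs for the IAM practices listed above."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == ROOT_USER
        key_active = [row[f"access_key_{n}_active"] == "true" for n in ("1", "2")]

        # Root should hold no access keys at all; daily work belongs to IAM roles.
        if is_root and any(key_active):
            findings.append((user, "root account has an active access key"))

        # MFA is expected wherever console sign-in exists. Root reports
        # password_enabled as not_supported, so it is always held to the MFA check.
        if (is_root or row["password_enabled"] == "true") and row["mfa_active"] != "true":
            findings.append((user, "MFA not enabled"))

        # Every active key is measured against the 90-day rotation window.
        for n, active in zip(("1", "2"), key_active):
            if not active:
                continue
            rotated = parse_report_time(row[f"access_key_{n}_last_rotated"])
            if rotated is not None and now - rotated > max_key_age:
                age = (now - rotated).days
                findings.append((user, f"access key {n} last rotated {age} days ago"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_credential_report(CREDENTIAL_REPORT):
        print(f"{user}: {finding}")
```

In the sample, `deploy-bot` is a programmatic-only user carrying two stale keys, which is exactly the pattern the "use roles instead of long-lived access keys" item is meant to eliminate.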
VPC Security
# Security Group - Web Server
# Inbound: only HTTPS (443/tcp) from anywhere. Outbound: all traffic allowed.
resource "aws_security_group" "web" {
  name   = "web-sg"
  vpc_id = aws_vpc.main.id

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  # protocol "-1" with ports 0-0 is the all-traffic rule
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
```
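The group above is the intended shape: one world-reachable listener on 443 and nothing else. Drift shows up as additional 0.0.0.0/0 or ::/0 ingress rules, often added "temporarily". The following is an added example, not code from the page: it walks structures shaped like `ec2.describe_security_groups()["SecurityGroups"]` and reports every ingress rule open to the world that is not a single allowed public port, including the all-traffic protocol "-1" rule, for which the API omits FromPort/ToPort. The group ids, names and CIDRs are constructed.

```python
ANY_IPV4 = "0.0.0.0/0"
ANY_IPV6 = "::/0"
ALLOWED_PUBLIC_PORTS = {443}  # the only port web-sg is meant to expose publicly

# Constructed sample in the shape of ec2.describe_security_groups()["SecurityGroups"].
# Group ids, names and CIDRs are made up.
SECURITY_GROUPS = [
    {"GroupId": "sg-0123456789abcdef0", "GroupName": "web-sg", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-0123456789abcdef1", "GroupName": "admin-sg", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "temporary"}],
         "Ipv6Ranges": [], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-0123456789abcdef2", "GroupName": "legacy-sg", "IpPermissions": [
        # Protocol -1 means all traffic; the API omits FromPort/ToPort for it.
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
         "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 3100,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ]},
]


def port_range(permission):
    """(from, to) for a permission; all-traffic rules cover every port."""
    if permission["IpProtocol"] == "-1":
        return 0, 65535
    return permission.get("FromPort", 0), permission.get("ToPort", 65535)


def world_reachable(permission):
    """True when any source range is the IPv4 or IPv6 any-address block."""
    ipv4 = any(r.get("CidrIp") == ANY_IPV4 for r in permission.get("IpRanges", []))
    ipv6 = any(r.get("CidrIpv6") == ANY_IPV6 for r in permission.get("Ipv6Ranges", []))
    return ipv4 or ipv6


def overexposed_rules(groups, allowed_ports=ALLOWED_PUBLIC_PORTS):
    """Ingress rules open to the world on anything but a single allowed port."""
    findings = []
    for group in groups:
        for permission in group.get("IpPermissions", []):
            if not world_reachable(permission):
                continue
            low, high = port_range(permission)
            if low == high and low in allowed_ports:
                continue  # the intended public listener
            findings.append((group["GroupId"], group["GroupName"],
                             permission["IpProtocol"], low, high))
    return findings


if __name__ == "__main__":
    for group_id, name, protocol, low, high in overexposed_rules(SECURITY_GROUPS):
        print(f"{group_id} ({name}): {protocol} {low}-{high} open to the world")
```

The check deliberately ignores rules whose source is another security group (UserIdGroupPairs) or a private CIDR; those are reviewed for least privilege separately, while world-reachable rules are the ones that need an immediate answer.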
Quick Wins
- Enable CloudTrail (all regions)
- Enable GuardDuty
- Use AWS Config for compliance
- Enable VPC Flow Logs
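Enabling CloudTrail only pays off if someone reads it. The following is an added example, not from the page: a small detector over constructed records in the layout of a delivered CloudTrail log file ("Records" array, CloudTrail event schema field names). It raises alerts for root account activity, console logins without MFA, and API calls that switch off the controls in this list (CloudTrail, GuardDuty, Config, VPC Flow Logs) or the S3 protections above. Account ids, ARNs, IPs, trail and bucket names are made up; the event names are the real API operations recorded by each service.

```python
import json

# Constructed CloudTrail records in the "Records" array layout of a delivered log
# file. Field names follow the CloudTrail event schema; account ids, ARNs, IPs,
# names and times are made up.
CLOUDTRAIL_LOG = json.dumps({"Records": [
    {"eventTime": "2024-12-10T08:01:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2024-12-10T08:03:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "requestParameters": {"name": "org-trail"}},
    {"eventTime": "2024-12-10T09:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeletePublicAccessBlock", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"bucketName": "example-bucket"}},
    {"eventTime": "2024-12-10T09:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/Ops/session"}},
    {"eventTime": "2024-12-10T09:10:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "additionalEventData": {"MFAUsed": "Yes"}},
]})

# API operations that weaken the controls in the Quick Wins list, keyed by eventSource.
CONTROL_TAMPER_EVENTS = {
    "cloudtrail.amazonaws.com": {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"},
    "guardduty.amazonaws.com": {"DeleteDetector", "UpdateDetector"},
    "config.amazonaws.com": {"StopConfigurationRecorder", "DeleteConfigurationRecorder",
                             "DeleteDeliveryChannel"},
    "ec2.amazonaws.com": {"DeleteFlowLogs"},
    "s3.amazonaws.com": {"DeletePublicAccessBlock", "DeleteBucketEncryption"},
}


def classify_event(record):
    """Reasons this single record deserves an alert (empty list if none)."""
    reasons = []
    identity = record.get("userIdentity", {})
    if identity.get("type") == "Root":
        reasons.append("root account activity")
    if (record.get("eventName") == "ConsoleLogin"
            and record.get("additionalEventData", {}).get("MFAUsed") == "No"):
        reasons.append("console login without MFA")
    tamper_for_source = CONTROL_TAMPER_EVENTS.get(record.get("eventSource"), set())
    if record.get("eventName") in tamper_for_source:
        reasons.append(f"security control changed: {record['eventName']}")
    return reasons


def detect(log_json):
    """Run classify_event over a log file; return (eventTime, actor ARN, reason) tuples."""
    alerts = []
    for record in json.loads(log_json).get("Records", []):
        actor = record.get("userIdentity", {}).get("arn", "<unknown>")
        for reason in classify_event(record):
            alerts.append((record["eventTime"], actor, reason))
    return alerts


if __name__ == "__main__":
    for event_time, actor, reason in detect(CLOUDTRAIL_LOG):
        print(f"{event_time} {actor}: {reason}")
```

The same three rules map directly onto CloudWatch metric filters or EventBridge patterns once the trail is delivering; the point of the stand-alone version is to show what a "quick win" service gives you to alert on.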
December 2024