Key Takeaways
- IAM is the foundation of AWS security
- Least privilege for all roles and policies
- Enable CloudTrail in all regions
- S3 buckets are a top misconfiguration
1. AWS Security Fundamentals
AWS follows a shared responsibility model. AWS secures the cloud infrastructure; you secure what you put in it. Understanding this boundary is critical.
2. IAM Best Practices
Root account protection:
- Enable MFA (hardware key preferred)
- Never use root for daily tasks
- Set up billing alerts
User/Role best practices:
- Use roles instead of users where possible
- Enforce MFA for all users
- Use Permission Boundaries
- Enable IAM Access Analyzer
Policy best practices:
- Least privilege
- Avoid wildcards (*) in actions/resources
- Use conditions (IP, time, MFA)
- Regular access reviews
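A static check for the three policy rules above (least privilege, no wildcards, conditions), added here as example code rather than anything from the original page. It runs offline on a constructed policy document: the Sids, the bucket ARN and the source IP range are made up for illustration. Against a live account the same function can be fed the document returned by `aws iam get-policy-version`.

```python
"""Lint an IAM policy document for wildcard actions/resources and for
Allow statements that carry no Condition. Example code, not from the page."""
import json

# Constructed sample policy: one unrestricted statement, one service-wide
# wildcard, one properly scoped statement with MFA and source-IP conditions.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "TooBroad", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "ServiceWildcard", "Effect": "Allow", "Action": ["s3:*"],
     "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "Scoped", "Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {
       "Bool": {"aws:MultiFactorAuthPresent": "true"},
       "IpAddress": {"aws:SourceIp": "203.0.113.0/24"}
     }}
  ]
}
""")


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource/Statement; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return (Sid, finding) tuples for Allow statements that break the rules above.

    Deny statements are skipped: they only narrow access. NotAction/NotResource
    are flagged because they grant everything *except* what is listed."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append((sid, "NotAction/NotResource grants everything not listed"))
        for action in _as_list(stmt.get("Action")):
            if action == "*":
                findings.append((sid, "action wildcard '*' allows every API call"))
            elif action.endswith(":*"):
                findings.append((sid, f"service-wide wildcard {action}"))
        if "*" in _as_list(stmt.get("Resource")):
            findings.append((sid, "resource wildcard '*'"))
        if not stmt.get("Condition"):
            findings.append((sid, "no Condition (e.g. aws:MultiFactorAuthPresent, aws:SourceIp)"))
    return findings


if __name__ == "__main__":
    for sid, msg in lint_policy(SAMPLE_POLICY):
        print(f"{sid}: {msg}")
```

The "no Condition" finding is deliberately informational: many legitimate statements have none, but it surfaces the candidates for an MFA or source-IP condition during the access reviews the list above calls for.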
3. VPC Security
VPC design:
- Separate subnets (public/private)
- Use a NAT Gateway for private-subnet internet access
- No direct internet for sensitive workloads
Security Groups:
- Default deny inbound
- Allow only necessary ports
- Reference other SGs, not IP ranges, where possible
Network ACLs:
- Stateless; use as an extra layer
- Deny known bad IPs
VPC Flow Logs:
- Enable for troubleshooting and detection
- Send to CloudWatch or S3
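An audit of the Security Group rules above (default deny inbound, only necessary ports, SG references instead of IP ranges), written as an added example that is not from the original page. It runs offline on constructed data shaped like `aws ec2 describe-security-groups` output; the group ids and names are invented, and the set of ports treated as acceptable world-facing (80 and 443, a web tier) is an assumption to adjust per environment.

```python
"""Find security-group ingress rules open to the whole internet.
Example code operating on describe-security-groups-shaped data."""

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}
# Assumption: a public web tier may expose these ports to everyone.
DEFAULT_ALLOWED_PUBLIC_PORTS = {80, 443}

# Constructed sample: "web" exposes 443 (fine) and SSH (not fine) to the world;
# "app" only accepts 8080 from the web group and all traffic from RFC1918 space.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa0000000000001", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
         "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-0aaa0000000000002", "GroupName": "app", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "IpRanges": [], "Ipv6Ranges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0aaa0000000000001"}]},
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}],
         "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ]},
]


def port_range(rule):
    """Inclusive (low, high) port tuple; IpProtocol -1 means all traffic."""
    if rule.get("IpProtocol") == "-1":
        return (0, 65535)
    return (rule.get("FromPort"), rule.get("ToPort"))


def world_open_rules(groups, allowed_ports=DEFAULT_ALLOWED_PUBLIC_PORTS):
    """Rules whose source includes 0.0.0.0/0 or ::/0 on a port outside the allow list."""
    findings = []
    for sg in groups:
        for rule in sg.get("IpPermissions", []):
            sources = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            world = [s for s in sources if s in WORLD_CIDRS]
            if not world:
                continue
            low, high = port_range(rule)
            if low == high and low in allowed_ports:
                continue
            findings.append({"GroupId": sg["GroupId"], "GroupName": sg.get("GroupName"),
                             "Protocol": rule.get("IpProtocol"), "Ports": (low, high),
                             "Sources": world})
    return findings


def uses_sg_references(sg):
    """True if any ingress rule names another security group as its source."""
    return any(rule.get("UserIdGroupPairs") for rule in sg.get("IpPermissions", []))


if __name__ == "__main__":
    for f in world_open_rules(SAMPLE_GROUPS):
        print(f"{f['GroupName']} ({f['GroupId']}): {f['Protocol']} {f['Ports']} from {f['Sources']}")
```

Passing `allowed_ports=set()` turns the check into a strict "nothing world-open" mode for private-subnet groups.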
4. S3 Bucket Security
S3 hardening:
- Block public access (account-level setting)
- Enable default encryption (SSE-S3 or SSE-KMS)
- Enable versioning for important data
- Enable MFA delete for critical buckets
- Use bucket policies, not ACLs
- Enable access logging
- Use S3 Object Lock for compliance
Check for public buckets (dump every bucket's ACL and look for AllUsers / AuthenticatedUsers grants):
```bash
# --output text yields bare bucket names; without it xargs receives JSON brackets and quotes
aws s3api list-buckets --query 'Buckets[*].Name' --output text | \
  xargs -n1 aws s3api get-bucket-acl --bucket
```
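The ACL dump above still has to be read by eye. The following added example (not from the original page) evaluates the same data programmatically: it takes responses shaped like `aws s3api get-bucket-acl` and `aws s3api get-public-access-block` and reports whether a public ACL grant is actually effective, given the Block Public Access flags. All bucket names, the owner id and the sample responses are constructed; a bucket-policy check (`get-bucket-policy-status`, which reports `IsPublic`) would be the companion step and is not shown here.

```python
"""Assess a bucket's public exposure from its ACL plus its Block Public
Access configuration. Example code on constructed API-shaped responses."""

PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers (anonymous)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers (any AWS account)",
}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

# Constructed sample responses.
OWNER = {"ID": "constructed-canonical-owner-id"}
ACL_PRIVATE = {"Owner": OWNER, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": OWNER["ID"]}, "Permission": "FULL_CONTROL"}]}
ACL_PUBLIC_READ = {"Owner": OWNER, "Grants": ACL_PRIVATE["Grants"] + [
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}
PAB_ALL_ON = {"PublicAccessBlockConfiguration": {k: True for k in PAB_KEYS}}


def public_acl_grants(acl):
    """(who, permission) for every grant to one of the two public groups."""
    out = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEES:
            out.append((PUBLIC_GRANTEES[grantee["URI"]], grant.get("Permission")))
    return out


def assess_bucket(name, acl, pab=None):
    """Human-readable findings. pab=None models a bucket with no Block Public
    Access configuration at all (the API returns an error, not a config, then)."""
    cfg = (pab or {}).get("PublicAccessBlockConfiguration", {})
    findings = []
    missing = [k for k in PAB_KEYS if not cfg.get(k)]
    if missing:
        findings.append(f"{name}: Block Public Access incomplete ({', '.join(missing)} off)")
    for who, perm in public_acl_grants(acl):
        if cfg.get("IgnorePublicAcls"):
            findings.append(f"{name}: ACL grants {perm} to {who}, neutralised by "
                            f"IgnorePublicAcls; remove the grant anyway")
        else:
            findings.append(f"EFFECTIVE public ACL on {name}: {perm} to {who}")
    return findings


def is_effectively_public(acl, pab=None):
    """True only when a public grant is not masked by IgnorePublicAcls."""
    return any(f.startswith("EFFECTIVE") for f in assess_bucket("bucket", acl, pab))


if __name__ == "__main__":
    for line in assess_bucket("legacy-public", ACL_PUBLIC_READ, None):
        print(line)
    for line in assess_bucket("masked", ACL_PUBLIC_READ, PAB_ALL_ON):
        print(line)
```

The same four flags exist at account level (`aws s3control get-public-access-block`), which is the setting the hardening list above recommends; checking both levels and taking the stricter result is the safe reading.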
5. Monitoring & Logging
- CloudTrail: API activity logging (enable all regions)
- CloudWatch: Metrics and alarms
- VPC Flow Logs: Network traffic
- Config: Resource configuration history
- Access Analyzer: External access detection
6. AWS Security Services
| Service | Purpose |
|---|---|
| GuardDuty | Threat detection |
| Security Hub | Centralized findings |
| Inspector | Vulnerability scanning |
| Macie | Sensitive data discovery |
| WAF | Web application firewall |
| Shield | DDoS protection |
7. EC2 Security
- ✅ Use IMDSv2 (token-based metadata)
- ✅ Encrypt EBS volumes
- ✅ Use Systems Manager instead of SSH
- ✅ Keep AMIs updated
- ✅ Use instance roles, not access keys
8. AWS Security Checklist
- ☐ MFA on root and all IAM users
- ☐ CloudTrail enabled in all regions
- ☐ GuardDuty enabled
- ☐ S3 public access blocked
- ☐ Security Hub enabled
- ☐ VPC Flow Logs enabled
- ☐ Config rules active
- ☐ Unused credentials removed
FAQ
What's the most common AWS security mistake?
Public S3 buckets and overly permissive IAM policies. Use S3 Block Public Access at the account level and follow least privilege for all IAM entities.