
AWS Security Best Practices: A Hands-On Guide to a Secure Cloud

Updated on November 28, 2025. 7-minute read.

[Image: cloud engineer reviewing AWS security dashboards and VPC network diagrams on dual monitors]

Security is a foundational pillar of any cloud-based solution, and Amazon Web Services (AWS) offers a broad range of tools and services to help keep your infrastructure secure. However, understanding how to put these tools and services together in a secure, scalable, and sustainable way can be challenging.

Whether you’re a cloud newcomer or a seasoned engineer looking to reinforce your security posture, this guide will help you make AWS security a cornerstone of your cloud journey.

1. Understanding AWS Security: Real-World Pitfalls

Why should you care about AWS security?

Consider a real-world example: the 2019 Capital One breach exposed personal data of more than 100 million customers held in S3. The buckets were not public. The attacker exploited a server-side request forgery (SSRF) flaw in a misconfigured web application firewall running on EC2, used it to read the temporary credentials of the instance's IAM role from the instance metadata service, and then used that role's overly broad permissions to list and download the buckets' contents. Least-privilege role permissions, hardening the metadata service (IMDSv2 requires a session token and defeats simple SSRF), and alerting on anomalous S3 listing activity would each have narrowed or surfaced the attack.

By studying these pitfalls, you can see that security oversights, even small ones, can have big consequences.

2. Embrace the AWS Shared Responsibility Model

One of the first concepts to internalize is the Shared Responsibility Model. In AWS:

AWS is responsible for the security of the cloud (physical servers, networking, and underlying infrastructure). You, the customer, are responsible for security in the cloud (operating systems, data, access management, and configuration).

  • Infrastructure: AWS secures the physical data centers, servers, network hardware and hypervisors; there is nothing for the customer to manage here.
  • Network and host patches: AWS patches the underlying host operating systems and infrastructure; the customer patches the guest operating system and the applications inside their instances and containers.
  • Data encryption: AWS provides the encryption services (KMS, S3 and EBS encryption); the customer enables and configures encryption for their own data and controls who may use the keys.
  • Access management: AWS operates the IAM service itself; the customer secures the root user, creates users and roles, writes and enforces least-privilege policies, and turns on MFA.

AWS provides a secure platform, but you must configure and operate that platform correctly to stay protected.

3. Identity & Access Management (IAM): Your First Line of Defense

3.1 Use the Root User Only When Unavoidable (No Root Access Keys)

Root user: Do not use the root user for day-to-day tasks, and do not create access keys for it. Create individual IAM users or, preferably, use AWS IAM Identity Center (the successor to AWS SSO) so that people sign in with short-lived credentials rather than long-lived access keys.

Multi-factor authentication (MFA): Always enable MFA on the root user and for every IAM user with console access; prefer a FIDO2 security key or passkey over a virtual TOTP app where you can.

3.2 Principle of Least Privilege

Fine-grained permissions: Grant each user, group, or role only the permissions necessary to perform their tasks, scoped to specific resources wherever the service supports it. Avoid broad managed policies like AdministratorAccess or PowerUserAccess for routine work, and use IAM Access Analyzer's policy generation and the "last accessed" data in IAM to trim permissions that are never exercised.

Role-based access: Use IAM roles for workloads (for example EC2 instance profiles, Lambda execution roles and ECS task roles) so that your code never holds long-lived access keys; the role's credentials are short-lived and rotated automatically.

Hands-on: Create a new IAM user with limited permissions in your AWS account:

  1. Go to the AWS IAM console.
  2. Choose Users > Add user.
  3. Assign only the necessary managed policies or create a custom policy with specific permissions.
  4. Enable MFA.
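The following Python script is an added example that is not part of the original article: it builds the kind of scoped-down policy step 3 asks for (read-only access to one S3 prefix) and runs a small lint over a policy document to flag the over-broad grants this section warns about. The bucket name and prefix are assumptions chosen for illustration, and the admin-style policy is included only as the "before" to compare against.

```python
"""Build a least-privilege IAM policy and lint policies for over-broad grants.

Added example, not from the original article. BUCKET and PREFIX are
assumptions chosen for illustration.
"""
import json
from typing import Any

# Hypothetical application that only needs to read reports under one S3 prefix.
BUCKET = "example-reports-bucket"
PREFIX = "team-a/"


def least_privilege_s3_read_policy(bucket: str, prefix: str) -> dict[str, Any]:
    """Return a policy that allows listing and reading only `prefix` in `bucket`."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ListOnlyThePrefix",
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": f"arn:aws:s3:::{bucket}",
                # ListBucket is a bucket-level action, so the prefix restriction
                # has to be expressed as a condition rather than in the ARN.
                "Condition": {"StringLike": {"s3:prefix": [f"{prefix}*"]}},
            },
            {
                "Sid": "ReadObjectsUnderThePrefix",
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:GetObjectVersion"],
                "Resource": f"arn:aws:s3:::{bucket}/{prefix}*",
            },
        ],
    }


def _as_list(value) -> list:
    """IAM allows a single string or a list in Action/Resource; normalise."""
    return value if isinstance(value, list) else [value]


def audit_policy(policy: dict[str, Any]) -> list[str]:
    """Flag Allow statements that grant wildcard actions or resources.

    Returns human-readable findings; an empty list means nothing over-broad
    was found. The checks are deliberately simple: full IAM semantics
    (permissions boundaries, SCPs, partial wildcards like s3:Get*) are out
    of scope for this example.
    """
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"statement[{i}]")
        if "NotAction" in stmt:
            findings.append(f"{sid}: Allow with NotAction permits everything not listed")
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(f"{sid}: wildcard action {action!r}")
        if "*" in _as_list(stmt.get("Resource", [])) and not stmt.get("Condition"):
            findings.append(f"{sid}: Resource '*' with no Condition")
    return findings


# Equivalent of the AdministratorAccess managed policy, kept as the 'before'.
ADMIN_LIKE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

if __name__ == "__main__":
    scoped = least_privilege_s3_read_policy(BUCKET, PREFIX)
    print(json.dumps(scoped, indent=2))
    print("scoped findings:", audit_policy(scoped))
    print("admin findings:", audit_policy(ADMIN_LIKE_POLICY))
```

Paste the generated document into the custom-policy editor in step 3, or feed it to the policy simulator; running audit_policy over policies pulled from an account is a cheap first pass before a proper Access Analyzer review.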

Check your progress:

  • Did you remove access keys from the root account?
  • Did you enable MFA for every user with console access?

4. Network Security: Building a Resilient Perimeter

4.1 Use Amazon Virtual Private Cloud (VPC)

  • Segregate your resources: Create separate subnets for different layers (for example, public vs. private). This ensures only necessary services are exposed to the public internet.
  • NACLs vs. security groups: Use security groups as the primary control. They are stateful (return traffic is allowed automatically), deny all inbound traffic by default, and can reference other security groups instead of CIDR ranges. Network Access Control Lists (NACLs) are stateless subnet-level filters, so every permitted flow needs both an inbound and an outbound rule, including the ephemeral return ports; reserve them for coarse subnet-wide denies such as blocking known-bad address ranges.
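Added example (not from the original article): a check that runs over security-group JSON in the shape returned by aws ec2 describe-security-groups and flags ingress rules that are open to the whole internet on anything other than the web ports. The three security groups embedded below are constructed sample data and their IDs and names are made up.

```python
"""Flag security-group ingress rules that expose non-web ports to the internet.

Added example, not from the original article. SAMPLE_GROUPS is constructed
sample data in the shape of `aws ec2 describe-security-groups` output (only
the fields the check reads); the group IDs and names are made up.
"""
from typing import Any

ANY_V4 = "0.0.0.0/0"
ANY_V6 = "::/0"
# The only ports that should ever be reachable from the whole internet, and
# even those belong on a load balancer or CDN, not on application instances.
WEB_PORTS = {80, 443}


def _port_range(perm: dict[str, Any]) -> tuple[int, int]:
    """Ports a rule opens; IpProtocol "-1" means every protocol and port."""
    if perm.get("IpProtocol") == "-1":
        return (0, 65535)
    return (perm.get("FromPort", 0), perm.get("ToPort", 65535))


def _open_to_world(perm: dict[str, Any]) -> bool:
    v4 = any(r.get("CidrIp") == ANY_V4 for r in perm.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") == ANY_V6 for r in perm.get("Ipv6Ranges", []))
    return v4 or v6


def find_exposed_rules(groups: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Return one finding per ingress rule that is open to the internet and
    reaches at least one port outside WEB_PORTS (SSH, RDP, databases, or all)."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            if not _open_to_world(perm):
                continue
            lo, hi = _port_range(perm)
            # all() stops at the first non-web port, so the 0-65535 case is cheap.
            if all(p in WEB_PORTS for p in range(lo, hi + 1)):
                continue
            findings.append({
                "GroupId": sg["GroupId"],
                "GroupName": sg.get("GroupName"),
                "Protocol": perm.get("IpProtocol"),
                "FromPort": lo,
                "ToPort": hi,
            })
    return findings


# Constructed sample: one clean group, one bastion with a bad rule, one legacy group.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0a1b2c3d", "GroupName": "web-alb", "IpPermissions": [
        # HTTPS from anywhere on a load balancer: acceptable.
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
    {"GroupId": "sg-0e5f6a7b", "GroupName": "bastion", "IpPermissions": [
        # SSH from the corporate range only: fine.
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
        # SSH from anywhere: finding.
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0c9d8e7f", "GroupName": "legacy-db", "IpPermissions": [
        # All protocols, all ports, from anywhere: finding.
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
]

if __name__ == "__main__":
    for finding in find_exposed_rules(SAMPLE_GROUPS):
        print(finding)
```

In practice you would feed the output of aws ec2 describe-security-groups (the SecurityGroups array) straight in; the same rule logic is what the AWS Config managed rule for restricted SSH encodes for port 22 alone.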

4.2 Implement a Web Application Firewall (WAF)

Prevent common exploits: AWS WAF in front of CloudFront, an Application Load Balancer or API Gateway filters requests using the AWS managed rule groups (for example the core rule set and the SQL database rule group) plus your own rate-based and IP-reputation rules. Treat it as a mitigation layer, not a substitute for fixing injection and cross-site scripting flaws in the application itself.

Shield for DDoS: AWS Shield Standard is applied automatically at no extra cost and absorbs common network- and transport-layer floods. Shield Advanced adds application-layer protections, cost protection and access to the AWS DDoS response team for internet-facing resources such as ALBs, CloudFront distributions and Route 53 hosted zones.

5. Data Protection: Encryption Everywhere

5.1 Encrypt Data at Rest

Amazon S3: S3 has encrypted every new object with SSE-S3 (AES-256) by default since January 2023, so the decision left to you is whether to use SSE-KMS with a customer managed key, which lets you control and audit who can decrypt through the key policy, and whether to deny unencrypted or non-TLS requests in the bucket policy.

Amazon EBS: Turn on EBS encryption by default for each account and region so that every new volume and snapshot is encrypted without per-volume settings, and choose a customer managed KMS key when you need key-level access control and visibility of rotation.

Example: Using Terraform (AWS provider v4 or later) to create a secure S3 bucket:

resource "aws_s3_bucket" "secure_logs" {
  # Buckets created since April 2023 get ACLs disabled and public access
  # blocked by default, so the old acl = "private" argument is unnecessary.
  bucket = "my-secure-logs"
}

# Default server-side encryption (SSE-S3); switch to "aws:kms" for a customer managed key.
resource "aws_s3_bucket_server_side_encryption_configuration" "secure_logs" {
  bucket = aws_s3_bucket.secure_logs.id
  rule {
    apply_server_side_encryption_by_default { sse_algorithm = "AES256" }
  }
}

# Policy referenced by the bucket policy below: deny any request not sent over TLS.
data "aws_iam_policy_document" "secure_logs_policy" {
  statement {
    effect    = "Deny"
    actions   = ["s3:*"]
    resources = [aws_s3_bucket.secure_logs.arn, "${aws_s3_bucket.secure_logs.arn}/*"]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["false"]
    }
  }
}

resource "aws_s3_bucket_policy" "secure_logs_policy" {
  bucket = aws_s3_bucket.secure_logs.id
  policy = data.aws_iam_policy_document.secure_logs_policy.json
}

5.2 Encrypt Data in Transit

Use TLS everywhere: Terminate TLS at Application or Network Load Balancers or CloudFront using certificates from AWS Certificate Manager (ACM), and re-encrypt to backends rather than sending plaintext inside the VPC. For S3, add a bucket policy that denies requests when the aws:SecureTransport condition key is false.

API calls: The AWS CLI and SDKs already use HTTPS and verify certificates by default; do not override service endpoints with http:// or disable verification (for example with --no-verify-ssl) in scripts.

6. Monitoring & Logging: Awareness Is Key

6.1 AWS CloudTrail

Track every API call: CloudTrail captures AWS account activity so you can trace unexpected API calls back to specific users or roles.

Multi-region logging: Create one organization or multi-region trail so you do not miss activity outside your primary region, turn on log file validation so tampering with delivered logs is detectable, and deliver the trail to a dedicated, access-restricted S3 bucket. Management events are recorded by default; enable data events (for example S3 object-level reads and writes) for buckets that hold sensitive data.
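An added example of the kind of check you would run over CloudTrail once it is enabled; it is not code from the original article. It scans newline-delimited CloudTrail records (the format CloudWatch Logs stores them in) for root-user activity, console logins without MFA, unauthorized calls, and changes to logging or bucket policies. The five records are constructed, and the account ID, ARNs and addresses are made up.

```python
"""Flag high-risk activity in CloudTrail records.

Added example, not from the original article. SAMPLE_RECORDS is constructed
sample data in the shape CloudTrail writes (only the fields the checks read);
the account ID, ARNs and IP addresses are made up.
"""
import json
from typing import Any

# Calls that weaken logging or widen access; each is worth an alert on its own.
SENSITIVE_EVENTS = {
    "StopLogging", "DeleteTrail", "UpdateTrail",
    "PutBucketPolicy", "PutBucketAcl", "DeleteBucketPublicAccessBlock",
    "CreateAccessKey", "AttachUserPolicy", "PutUserPolicy",
    "DisableKey", "ScheduleKeyDeletion",
}
UNAUTHORIZED_CODES = {"AccessDenied", "UnauthorizedOperation", "Client.UnauthorizedOperation"}


def classify(record: dict[str, Any]) -> list[str]:
    """Return the alert reasons for one CloudTrail record (empty list = benign)."""
    reasons = []
    ident = record.get("userIdentity", {})
    name = record.get("eventName", "")
    if ident.get("type") == "Root":
        reasons.append("root user activity")
    if name == "ConsoleLogin":
        mfa = record.get("additionalEventData", {}).get("MFAUsed")
        outcome = record.get("responseElements", {}).get("ConsoleLogin")
        if outcome == "Success" and mfa == "No":
            reasons.append("console login without MFA")
        elif outcome == "Failure":
            reasons.append("failed console login")
    if record.get("errorCode") in UNAUTHORIZED_CODES:
        reasons.append(f"unauthorized call: {name}")
    # A denied sensitive call is already covered above; alert on the ones that succeeded.
    if name in SENSITIVE_EVENTS and not record.get("errorCode"):
        reasons.append(f"sensitive change: {name}")
    return reasons


def scan_jsonl(text: str) -> list[dict[str, Any]]:
    """Scan newline-delimited records and return one alert per record that
    tripped at least one check, carrying the fields an analyst triages on."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        reasons = classify(rec)
        if reasons:
            alerts.append({
                "eventTime": rec.get("eventTime"),
                "eventName": rec.get("eventName"),
                "arn": rec.get("userIdentity", {}).get("arn"),
                "sourceIPAddress": rec.get("sourceIPAddress"),
                "reasons": reasons,
            })
    return alerts


# Constructed sample: four records that should alert and one that should not.
SAMPLE_RECORDS = [
    {"eventTime": "2025-11-28T09:00:11Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}},
    {"eventTime": "2025-11-28T09:02:45Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2025-11-28T09:05:02Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketPolicy", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/deploy/ci"}},
    {"eventTime": "2025-11-28T09:06:30Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "sourceIPAddress": "192.0.2.44", "errorCode": "Client.UnauthorizedOperation",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"}},
    {"eventTime": "2025-11-28T09:07:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "10.0.1.5",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/app/i-0abc"}},
]
SAMPLE_JSONL = "\n".join(json.dumps(r) for r in SAMPLE_RECORDS)

if __name__ == "__main__":
    for alert in scan_jsonl(SAMPLE_JSONL):
        print(alert)
```

The same four conditions are what you would encode as CloudWatch Logs metric filters on the trail's log group, each backed by an alarm that notifies an SNS topic, so the check runs continuously rather than over exported files.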

6.2 Amazon CloudWatch

Metrics and alarms: Monitor resource utilization (CPU, disk and network I/O; memory needs the CloudWatch agent installed on the instance) and create alarms for unusual spikes, such as unexpected increases in outbound network traffic.

Logs: Centralize application logs, container logs, and system logs for easier analysis.

6.3 AWS Config

Configuration tracking: AWS Config records configuration changes to AWS resources and evaluates them against rules. The AWS managed rules cover the common guardrails, for example s3-bucket-public-read-prohibited, s3-bucket-server-side-encryption-enabled, cloudtrail-enabled and root-account-mfa-enabled; write custom rules only for checks the managed set does not cover, and route non-compliant evaluations to a notification so a drift from policy (such as a bucket made public) is seen within minutes.

Hands-on:

  1. Enable CloudTrail in your AWS account (if not already enabled).
  2. Go to CloudWatch > Alarms and create a new alarm that notifies you via Amazon SNS when a threshold is breached (for example, CPU usage above 80% for 5 minutes).

7. Threat Detection & Incident Response

7.1 AWS GuardDuty

Intelligent threat detection: GuardDuty analyzes CloudTrail events, VPC Flow Logs and DNS query logs (it reads these independently, so you do not need to enable those logs yourself) using threat-intelligence feeds, anomaly detection and machine learning, and raises findings for behaviour such as credential use from a known-malicious IP or unusual API activity for a principal. It detects; it does not block.

Configuration: Enable GuardDuty in every region, ideally through AWS Organizations with a delegated administrator account so new member accounts are covered automatically, and route findings through EventBridge to email, chat or a ticketing system, prioritising High and Critical severity.

7.2 Automated Responses with EventBridge and Lambda

Real-time security: Use EventBridge to trigger a Lambda function when a specific security event occurs (for example, a policy change that makes an S3 bucket public).

Example: An EventBridge rule detects a GuardDuty finding indicating possible IAM user credential compromise and automatically disables the corresponding IAM credentials.
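The responder described above, written out as an added example rather than code from the original article. The handler is what an EventBridge rule matching source aws.guardduty and detail-type "GuardDuty Finding" would invoke; it deactivates (rather than deletes) the flagged IAM user's access key and tags the user with the finding ID. The IAM client is injectable so the logic can be exercised offline with the recording stand-in at the bottom; the sample finding is constructed, and its finding ID, user name and access-key ID (AWS's documented example key) are not real. Assumed: the function's execution role holds iam:UpdateAccessKey and iam:TagUser only.

```python
"""EventBridge -> Lambda responder: deactivate an IAM user's access key when a
GuardDuty finding reports it as compromised.

Added example, not from the original article. Assumptions: invoked by an
EventBridge rule for source "aws.guardduty" / detail-type "GuardDuty Finding";
the execution role holds iam:UpdateAccessKey and iam:TagUser only; SAMPLE_EVENT
is constructed and its IDs are fake.
"""
from typing import Any

HIGH = 7.0  # GuardDuty severity 7.0 and above is High (9.0 and above Critical)


def handler(event: dict[str, Any], context=None, iam=None) -> dict[str, Any]:
    """Lambda entry point. `iam` is injectable so the decision logic can run
    without AWS credentials; inside Lambda it defaults to a real boto3 client."""
    if iam is None:
        import boto3  # only needed inside Lambda
        iam = boto3.client("iam")

    finding = event.get("detail", {})
    ftype = finding.get("type", "")
    severity = float(finding.get("severity", 0))
    key = finding.get("resource", {}).get("accessKeyDetails", {})
    result = {"findingId": finding.get("id"), "type": ftype, "action": "none"}

    # Act only on IAM credential findings (the IAMUser/* families) of High severity or above.
    if "IAMUser/" not in ftype or severity < HIGH:
        result["reason"] = "not a high-severity IAM credential finding"
        return result
    if key.get("userType") != "IAMUser" or not key.get("accessKeyId"):
        # Root credentials cannot be disabled via the API and assumed-role
        # sessions need a revoke-sessions policy instead, so hand those off.
        result["action"] = "escalate"
        result["reason"] = f"userType={key.get('userType')} requires manual response"
        return result

    user, key_id = key["userName"], key["accessKeyId"]
    # Deactivate rather than delete: the key stays available as forensic
    # evidence and can be reinstated if the finding turns out to be benign.
    iam.update_access_key(UserName=user, AccessKeyId=key_id, Status="Inactive")
    iam.tag_user(UserName=user, Tags=[{"Key": "guardduty-finding", "Value": finding.get("id", "")}])
    result.update(action="deactivated", userName=user, accessKeyId=key_id)
    return result


class RecordingIAM:
    """Stand-in for boto3's IAM client: records calls instead of making them."""

    def __init__(self):
        self.calls = []

    def update_access_key(self, **kwargs):
        self.calls.append(("update_access_key", kwargs))

    def tag_user(self, **kwargs):
        self.calls.append(("tag_user", kwargs))


# Constructed EventBridge event carrying a GuardDuty finding; severity set for illustration.
SAMPLE_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {
        "id": "d0c0ffee00000000000000000000cafe",
        "type": "UnauthorizedAccess:IAMUser/MaliciousIPCaller",
        "severity": 8,
        "resource": {
            "resourceType": "AccessKey",
            "accessKeyDetails": {
                "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
                "principalId": "AIDAEXAMPLEPRINCIPAL",
                "userType": "IAMUser",
                "userName": "deploy-bot",
            },
        },
    },
}

if __name__ == "__main__":
    fake = RecordingIAM()
    print(handler(SAMPLE_EVENT, iam=fake))
    print(fake.calls)
```

Keep the automated action reversible and narrow, as here: deactivating one key is easy to undo, whereas deleting users or detaching policies on a false positive can take down production.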

7.3 Incident Response Drills

Run simulations: Periodically run table-top exercises or chaos engineering experiments to practice your team’s incident response plan.

Document and automate: Keep a runbook for security incidents, detailing escalation points and procedures, and automate common actions where possible.

8. Advanced Security Techniques

8.1 Zero-Trust Approach

Identity-based policies: Focus on verifying identity at every step. Even inside your VPC, only trust traffic or requests that present the correct IAM roles or tokens.

Micro-segmentation: Split your applications into smaller sections and apply strict security rules, minimizing the blast radius of a breach.

8.2 Secrets Management

AWS Secrets Manager: Store database credentials and API keys outside your codebase and rotate them on a schedule. Rotation for Amazon RDS, Redshift and DocumentDB credentials is built in; for other secrets you supply a rotation Lambda function.

AWS Systems Manager Parameter Store: A lower-cost option for configuration values and environment settings. Its SecureString parameters are KMS-encrypted and acceptable for secrets, but Parameter Store has no built-in rotation, so prefer Secrets Manager wherever rotation matters.

8.3 Container & Serverless Security

AWS Fargate: Offloads container infrastructure management to AWS, reducing the attack surface you manage directly.

Lambda security: Give each function its own execution role with only the permissions it needs rather than one shared role with broad access. Environment variables are encrypted at rest but readable by anyone with lambda:GetFunctionConfiguration, so fetch secrets at runtime from Secrets Manager or Parameter Store instead of placing them there, and do not write them to /tmp, which persists between warm invocations of the same execution environment.

9. Compliance & Governance

9.1 Policy as Code

Infrastructure as code: Integrate AWS CloudFormation or Terraform with policy checks for compliance before changes are deployed.

AWS Config rules: Write your own rules or use predefined templates to continuously validate AWS resource configurations.

9.2 Align with Common Frameworks

PCI-DSS, HIPAA, GDPR: Identify the compliance frameworks relevant to your business. Use AWS Artifact to retrieve compliance reports and documentation.

AWS Organizations: For multi-account setups, use AWS Organizations to enforce service control policies (SCPs) across child accounts, ensuring consistent guardrails.

10. Practical Exercises & Self-Check

Quick Quiz

  1. Which service should you enable to log all API calls made to your AWS account?
    A. AWS Config
    B. AWS CloudTrail
    C. Amazon CloudWatch
    D. AWS Shield

  2. What is the primary purpose of AWS IAM roles for EC2 instances?
    A. Prevent EC2 from accessing the internet
    B. Securely grant temporary access to AWS services without storing credentials
    C. Schedule instance maintenance
    D. Lower EC2 billing costs

  3. True or false: Enabling AWS GuardDuty automatically protects your resources without any configuration.

Answers at the end of the section.

Hands-on Checkpoints

  • IAM: Did you enable MFA for the root user and your IAM users?
  • VPC and security groups: Are your security groups locked down to just the necessary ports?
  • Encryption: Is default encryption turned on for critical S3 buckets and EBS volumes?
  • Monitoring: Do you have a CloudWatch alarm for abnormal spikes in traffic or CPU usage?
  • GuardDuty: Have you set up real-time threat notifications in all regions?

Answers to quiz:

  1. B
  2. B
  3. False

11. Final Thoughts and Next Steps

You have just walked through core pillars of AWS security, from rigorous identity management to robust monitoring and incident response. By structuring your environment according to best practices, you can dramatically reduce the risk of breaches and misconfigurations.
