Executive Summary
AWS security isn't optional—it's essential. Data breaches, misconfigured resources, and compliance failures make headlines regularly. The consequences range from financial losses to regulatory penalties to irreparable reputation damage.
The good news: AWS provides comprehensive security tools and features. The challenge: knowing what to implement and in what order. This guide provides a systematic checklist covering the five pillars of AWS security.
Why This Checklist Matters
- 82% of breaches involve the human element (Verizon DBIR 2022)
- Average cost of a data breach: $4.45 million (IBM Security 2023)
- 78% of organizations have experienced a cloud security incident in the past year
- 60% of breaches involve unpatched vulnerabilities
How to Use This Checklist
This checklist is organized by security domain and priority:
- Critical: Must implement immediately. Security fundamentals.
- High: Should implement within 30 days. Important protections.
- Medium: Implement within 90 days. Enhanced security.
- Low: Implement as resources allow. Defense in depth.
We recommend working through this checklist systematically, validating each control, and documenting your security posture.
Chapter 1: Identity and Access Management
IAM is the foundation of AWS security. A misconfigured IAM policy can expose your entire environment.
Root Account Security
The root account has unlimited access to all resources. Protect it rigorously.
Critical Controls
- Enable MFA on root account: Use a hardware device (a FIDO security key or a hardware TOTP token) kept offline, not a virtual MFA app on a shared phone
- Do not create access keys for root: Delete any that exist; root should only be used via the console, and only for the few tasks that genuinely require it
- Secure root email: Use a distribution list, not an individual's mailbox, and protect that mailbox with MFA as well
- Create an administrative identity: All daily work should use IAM users or federated identities (IAM Identity Center), never root
Verification
# 1 means root MFA is enabled, 0 means it is not
aws iam get-account-summary --query 'SummaryMap.AccountMFAEnabled'
# 1 means a root access key still exists and should be deleted
aws iam get-account-summary --query 'SummaryMap.AccountAccessKeysPresent'
IAM Users and Groups
Critical Controls
- Require MFA for all users: Enforce via IAM policy or AWS Organizations SCP
- Use groups for permissions: Never attach policies directly to users
- Rotate access keys regularly: At least every 90 days, and prefer roles or federated identities so long-lived keys are rarely needed at all
- Remove unused credentials: Audit and delete inactive access keys
High Priority Controls
- Implement least privilege: Users should have only necessary permissions
- Use IAM Access Analyzer: Identify overly permissive policies
- Audit unused users: Remove accounts that haven't logged in
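The user-level controls above are all visible in one place: the IAM credential report. The following is an added example, not code from the original page. It parses the CSV that `aws iam get-credential-report` returns (base64-decode the `Content` field first) and flags console users without MFA, access keys older than 90 days, keys and users idle for 90 days, and any root access key. The column names are the real report's; the users, dates and the 90-day idle threshold are constructed assumptions so it runs offline.

```python
"""Audit an IAM credential report for the user-level controls listed above.

Added example, not code from the original page. It parses the CSV that
`aws iam get-credential-report` returns (base64-decode the Content field
first), so it runs offline against the constructed rows below; the column
names are the real report's, the users and dates are made up.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE_DAYS = 90   # the page's rotation interval
MAX_IDLE_DAYS = 90      # assumption: credentials unused this long count as inactive
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock so results are reproducible

# Constructed sample: a subset of the report's columns, in the report's own layout.
SAMPLE_REPORT = """\
user,arn,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,not_supported,2024-05-01T10:00:00+00:00,true,false,N/A,N/A,false,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,true,2024-05-20T09:00:00+00:00,true,true,2024-04-01T00:00:00+00:00,2024-05-20T09:00:00+00:00,false,N/A,N/A
bob,arn:aws:iam::111122223333:user/bob,true,2024-01-05T12:00:00+00:00,false,true,2022-06-01T00:00:00+00:00,2024-01-05T12:00:00+00:00,false,N/A,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,false,N/A,false,true,2023-11-01T00:00:00+00:00,2024-05-21T00:00:00+00:00,true,2021-03-15T00:00:00+00:00,no_information
"""


def _parse_ts(value):
    """Aware datetime, or None for the report's N/A / no_information / not_supported markers."""
    if value in ("", "N/A", "no_information", "not_supported"):
        return None
    return datetime.fromisoformat(value)


def _older_than(ts, days, now):
    """True when ts is missing or more than `days` before now."""
    return ts is None or now - ts > timedelta(days=days)


def audit_credential_report(report_csv, now=NOW):
    """Return (user, finding) pairs for the MFA, key-age, key-use and idle-user controls."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        has_password = row["password_enabled"] == "true"
        if user == "<root_account>" and row["mfa_active"] != "true":
            findings.append((user, "root account without MFA"))
        # Root's password column reads "not_supported", so these two cover IAM console users only
        if has_password and row["mfa_active"] != "true":
            findings.append((user, "console password without MFA"))
        if has_password and _older_than(_parse_ts(row["password_last_used"]), MAX_IDLE_DAYS, now):
            findings.append((user, "console user idle"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            if user == "<root_account>":
                findings.append((user, f"root access key {n} exists"))
            if _older_than(_parse_ts(row[f"access_key_{n}_last_rotated"]), MAX_KEY_AGE_DAYS, now):
                findings.append((user, f"access key {n} older than {MAX_KEY_AGE_DAYS} days"))
            if _older_than(_parse_ts(row[f"access_key_{n}_last_used_date"]), MAX_IDLE_DAYS, now):
                findings.append((user, f"access key {n} unused for {MAX_IDLE_DAYS}+ days"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT):
        print(f"{user:<14} {finding}")
```

Against the sample, alice and root are clean, bob trips four findings (no MFA, idle login, stale and unused key) and the keys-only ci-deploy user has two stale keys, one of which has never been seen in use. Run it on a live report by passing the decoded CSV and `datetime.now(timezone.utc)` as `now`.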
IAM Policy Best Practices
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::specific-bucket",
"arn:aws:s3:::specific-bucket/*"
],
"Condition": {
"StringEquals": {
"aws:PrincipalTag/Team": "data-team"
}
}
}
]
}
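IAM Access Analyzer does this at scale, but the checks behind "overly permissive" are simple enough to run in a pre-commit hook or CI job on policy documents before they reach the account. The linter below is an added example, not code from the original page: it flags Allow statements with `Action` or `Resource` wildcards, `NotAction`/`NotResource` grants, `iam:PassRole` on `*`, and wildcard-resource grants with no `Condition`. `LEAST_PRIVILEGE` is the page's own policy above; `OVERLY_BROAD` is a constructed counter-example.

```python
"""Lint an IAM policy document for the least-privilege problems this section describes.

Added example, not code from the original page. It inspects only the policy
JSON, so it runs offline; LEAST_PRIVILEGE is the page's own example policy and
OVERLY_BROAD is a constructed counter-example.
"""
import json


def _as_list(value):
    """Action/Resource/NotAction/NotResource may be a single string or a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def lint_policy(policy):
    """Return (Sid or index, message) pairs for Allow statements that are broader than they should be."""
    issues = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):      # a lone statement may be written as an object
        statements = [statements]
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow":
            continue                      # broad Deny statements are fine
        sid = st.get("Sid", f"Statement[{i}]")
        actions = _as_list(st.get("Action"))
        resources = _as_list(st.get("Resource"))
        if "NotAction" in st:
            issues.append((sid, "Allow with NotAction grants every action not listed"))
        if "NotResource" in st:
            issues.append((sid, "Allow with NotResource grants every resource not listed"))
        if "*" in actions:
            issues.append((sid, "Action '*' is full administrative access"))
        for action in actions:
            if action.endswith(":*"):
                issues.append((sid, f"service-wide wildcard action {action}"))
        if "iam:passrole" in {a.lower() for a in actions} and "*" in resources:
            issues.append((sid, "iam:PassRole on Resource '*' lets the principal hand any role to a service"))
        if "*" in resources and "*" not in actions:
            # Some actions have no resource-level permissions (s3:ListAllMyBuckets for one),
            # so Resource '*' is a review item rather than an outright error.
            issues.append((sid, "Resource '*': confirm every listed action truly needs all resources"))
        if "*" in resources and "Condition" not in st:
            issues.append((sid, "no Condition narrowing a wildcard-resource grant"))
    return issues


def lint_policy_text(text):
    """Convenience wrapper for raw JSON, e.g. the Document from `aws iam get-policy-version`."""
    return lint_policy(json.loads(text))


# The page's own least-privilege example: specific actions, specific bucket, tag condition.
LEAST_PRIVILEGE = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::specific-bucket", "arn:aws:s3:::specific-bucket/*"],
        "Condition": {"StringEquals": {"aws:PrincipalTag/Team": "data-team"}},
    }],
}

# Constructed counter-example of the patterns the linter is meant to catch.
OVERLY_BROAD = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AdminEverything", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "S3Wide", "Effect": "Allow", "Action": ["s3:*", "iam:PassRole"], "Resource": "*"},
        {"Sid": "DenyDeletes", "Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    print("least privilege:", lint_policy(LEAST_PRIVILEGE))
    for sid, msg in lint_policy(OVERLY_BROAD):
        print(f"{sid:<16} {msg}")
```

The page's policy comes back clean; the constructed one produces six findings across its two Allow statements and none for the Deny, which is the point: breadth is only a problem on the Allow side.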
IAM Roles
Critical Controls
- Use roles instead of access keys: For applications and services
- Configure trust relationships carefully: Limit who can assume roles
- Use instance profiles for EC2: Never embed credentials in code
High Priority Controls
- Prefer service-linked roles: Where an AWS service offers one, use it rather than a hand-written role; AWS maintains its permissions and trust policy
- Review cross-account access: Audit external principals in role trust policies
- Set maximum session duration: Limit how long roles can be assumed
Password Policy
Critical Controls
- Enforce strong passwords: Minimum 14 characters
- Require password expiration: Every 90 days (note that NIST SP 800-63B advises against forced periodic rotation; if you follow that guidance, rotate on suspected compromise instead and rely on MFA)
- Prevent password reuse: Remember at least 24 passwords
Chapter 2: Network Security
Network configuration controls the attack surface of your AWS environment.
VPC Security
Critical Controls
- Use private subnets: Place sensitive resources in private subnets
- Restrict public IP assignment: Only assign public IPs when necessary
- Remove default VPC: Create custom VPCs with appropriate design
High Priority Controls
- Enable VPC Flow Logs: Capture network traffic metadata
- Use NAT Gateways: For private subnet internet access
- Implement VPC Endpoints: Avoid internet traversal for AWS services
Security Groups
Critical Controls
- Deny all by default: A new security group allows no inbound traffic; add only the port and source each workload needs, and remove the default group's self-referencing inbound rule rather than building on it
- No 0.0.0.0/0 on SSH/RDP: Restrict management access to known IPs
- Audit regularly: Review and remove unused security groups
Security Group Best Practices
# Groups with any IPv4 rule open to the world (also matches intended 80/443 rules, so review the hits)
aws ec2 describe-security-groups \
  --filters Name=ip-permission.cidr,Values='0.0.0.0/0' \
  --query 'SecurityGroups[*].[GroupId,GroupName]' --output table
# Same check for IPv6; ::/0 is just as open as 0.0.0.0/0
aws ec2 describe-security-groups \
  --filters Name=ip-permission.ipv6-cidr,Values='::/0' \
  --query 'SecurityGroups[*].[GroupId,GroupName]' --output table
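The CLI filter lists any group with a world-open rule, which includes intentionally public HTTPS listeners, and a world-open port range such as 3000-4000 does not look like RDP until you check whether 3389 falls inside it. The following is an added example, not code from the original page: it evaluates the JSON that `aws ec2 describe-security-groups` returns and reports only rules that expose SSH or RDP to 0.0.0.0/0 or ::/0, handling port ranges and protocol -1 (all traffic). The group data is constructed so it runs offline; `203.0.113.0/24` is a documentation range standing in for a known office address.

```python
"""Find security-group ingress rules that expose SSH/RDP to the whole internet.

Added example, not code from the original page. It evaluates the JSON shape that
`aws ec2 describe-security-groups` returns, so it runs offline on the constructed
sample below and covers cases the CLI filter above does not distinguish:
IPv6 (::/0), port ranges that contain 22 or 3389, and protocol -1 (all traffic).
"""

MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP"}
WORLD = {"0.0.0.0/0", "::/0"}


def _rule_cidrs(rule):
    """All CIDRs a single IpPermission entry applies to (IPv4 and IPv6)."""
    return [r["CidrIp"] for r in rule.get("IpRanges", [])] + \
           [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]


def _ports_covered(rule):
    """Management ports this rule reaches; protocol -1 means every port on every protocol."""
    proto = rule.get("IpProtocol")
    if proto == "-1":
        return set(MANAGEMENT_PORTS)
    if proto not in ("tcp", "6"):     # SSH and RDP are TCP; "6" is the numeric form
        return set()
    lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
    return {p for p in MANAGEMENT_PORTS if lo <= p <= hi}


def find_world_open_management(describe_output):
    """Return (GroupId, GroupName, service, cidr) for every world-open SSH/RDP rule."""
    hits = []
    for sg in describe_output["SecurityGroups"]:
        for rule in sg.get("IpPermissions", []):
            ports = _ports_covered(rule)
            if not ports:
                continue
            for cidr in _rule_cidrs(rule):
                if cidr in WORLD:
                    for port in sorted(ports):
                        hits.append((sg["GroupId"], sg["GroupName"], MANAGEMENT_PORTS[port], cidr))
    return hits


# Constructed sample in the describe-security-groups output shape.
SAMPLE_GROUPS = {"SecurityGroups": [
    {"GroupId": "sg-0a1", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}]},   # SSH from a known range: fine
    {"GroupId": "sg-0b2", "GroupName": "legacy-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},          # public HTTPS: intended
        {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},        # range silently includes 3389
    {"GroupId": "sg-0c3", "GroupName": "dev-box", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},             # world-open SSH over IPv6 only
        {"IpProtocol": "-1",
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},        # all traffic from anywhere
]}

if __name__ == "__main__":
    for group_id, name, service, cidr in find_world_open_management(SAMPLE_GROUPS):
        print(f"{group_id} {name:<12} {service} open to {cidr}")
```

Feed it `json.load(...)` of the CLI output (or the boto3 `describe_security_groups()` response, which has the same keys) to run it against a real account. The bastion and the HTTPS listener are ignored; the 3000-4000 range, the IPv6-only SSH rule and the allow-all rule are reported.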
Network ACLs
High Priority Controls
- Implement network ACLs: Additional layer beyond security groups
- Deny known bad actors: Block known malicious IP ranges
- Log denied traffic: Network ACLs produce no logs of their own; enable VPC Flow Logs and filter for REJECT records to see what they blocked
Web Application Security
Critical Controls
- Enable AWS WAF: Protect web applications from common exploits
- Configure rate limiting: Prevent denial of service
- Block SQL injection: Enable WAF rules for common attacks
High Priority Controls
- Use AWS Shield: Shield Standard is on automatically at no charge; Shield Advanced (paid) adds protection for larger attacks, cost protection and response support for internet-facing resources
- Use CloudFront: Add CDN layer with security benefits
- Configure HTTPS only: Redirect all HTTP to HTTPS
Chapter 3: Data Protection
Protecting data at rest and in transit is essential for confidentiality and compliance.
Encryption at Rest
Critical Controls
- Enable default EBS encryption: A per-Region account setting, so enable it in every Region you use
- Enable S3 default encryption: New objects have been encrypted with SSE-S3 by default since January 2023; configure SSE-KMS per bucket where you need key-level access control and an audit trail
- Encrypt RDS instances: Enable at creation
High Priority Controls
- Use KMS customer managed keys: For audit trail and control
- Enable key rotation: Automatic rotation, yearly by default (the period is configurable); previous key material stays available so existing ciphertext still decrypts
- Restrict key access: Limit who can use encryption keys
Encryption in Transit
Critical Controls
- Enforce HTTPS: Via bucket policies, ALB settings
- Use TLS 1.2+: Disable older TLS versions
- Certificate management: Use ACM for automatic renewal
S3 HTTPS Enforcement
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "EnforceHTTPS",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::bucket-name",
"arn:aws:s3:::bucket-name/*"
],
"Condition": {
"Bool": {
"aws:SecureTransport": "false"
}
}
}
]
}
S3 Security
Critical Controls
- Block public access: Account and bucket level
- Enable versioning: For data recovery
- Configure access logging: For audit trail
High Priority Controls
- Disable ACLs: Set Object Ownership to "Bucket owner enforced", which turns ACLs off so bucket and IAM policies are the only access control
- Enable Object Lock: For compliance data
- Review bucket policies: Check for overly permissive principals
Data Classification
Medium Priority Controls
- Implement data classification: Tag resources by sensitivity
- Use Macie for S3: Automatic PII detection
- Separate sensitive data: Use dedicated accounts for regulated data
Chapter 4: Logging and Monitoring
You can't detect what you don't monitor. Comprehensive logging is essential for security operations.
CloudTrail
Critical Controls
- Enable CloudTrail in all regions: A single multi-region trail (or an organization trail) captures every Region, including the ones you never use, which is exactly where an attacker prefers to operate
- Enable log file validation: Detect tampering
- Store logs in separate account: Prevent deletion by attackers
High Priority Controls
- Enable data events: For S3 and Lambda activity
- Configure CloudWatch integration: For alerting
- Set retention policy: 1 year minimum recommended
CloudWatch
Critical Controls
- Create security alarms: Root login, unauthorized API calls
- Configure log retention: Don't let logs expire too quickly
- Centralize log groups: Use consistent naming
Essential CloudWatch Alarms
| Alarm | Metric Filter |
|---|---|
| Root account usage | { $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != "AwsServiceEvent" } |
| Console login without MFA | { $.eventName = "ConsoleLogin" && $.additionalEventData.MFAUsed != "Yes" } |
| IAM policy changes | { ($.eventName=DeleteGroupPolicy) || ($.eventName=DeleteRolePolicy) } |
| Security group changes | { ($.eventName = AuthorizeSecurityGroupIngress) || ... } |
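The table's entries are CloudWatch Logs metric-filter syntax. The following is an added example, not code from the original page: it reimplements each filter in Python and runs it over constructed CloudTrail records, so the matching rules can be checked offline before the alarms go live. The event-name sets for IAM policy and security group changes are the full lists the table abbreviates with "..."; the records are made up and carry only the fields the filters inspect.

```python
"""Run the alarm logic from the table above over constructed CloudTrail records.

Added example, not code from the original page. The table's entries are
CloudWatch Logs metric-filter syntax; this reimplements each filter in Python
so the matching rules can be checked offline. The records below are constructed
and hold only the fields the filters look at.
"""
import json

# Full event-name lists behind the abbreviated table rows.
IAM_POLICY_EVENTS = {
    "DeleteGroupPolicy", "DeleteRolePolicy", "DeleteUserPolicy",
    "PutGroupPolicy", "PutRolePolicy", "PutUserPolicy",
    "CreatePolicy", "DeletePolicy", "CreatePolicyVersion", "DeletePolicyVersion",
    "AttachRolePolicy", "DetachRolePolicy", "AttachUserPolicy", "DetachUserPolicy",
    "AttachGroupPolicy", "DetachGroupPolicy",
}
SECURITY_GROUP_EVENTS = {
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
    "CreateSecurityGroup", "DeleteSecurityGroup",
}


def is_root_usage(ev):
    """Root credentials used directly; calls a service made on root's behalf are excluded."""
    ident = ev.get("userIdentity", {})
    return (ident.get("type") == "Root"
            and "invokedBy" not in ident
            and ev.get("eventType") != "AwsServiceEvent")


def is_console_login_without_mfa(ev):
    """Console sign-in where MFAUsed is anything but "Yes". Federated sign-ins report
    "No" because MFA happened at the identity provider, so expect to tune this for SSO."""
    return (ev.get("eventName") == "ConsoleLogin"
            and ev.get("additionalEventData", {}).get("MFAUsed") != "Yes")


def is_iam_policy_change(ev):
    return ev.get("eventName") in IAM_POLICY_EVENTS


def is_security_group_change(ev):
    return ev.get("eventName") in SECURITY_GROUP_EVENTS


ALARMS = {
    "root_usage": is_root_usage,
    "console_login_without_mfa": is_console_login_without_mfa,
    "iam_policy_change": is_iam_policy_change,
    "security_group_change": is_security_group_change,
}


def classify(events):
    """Map each alarm name to the indexes of the records that would increment its metric."""
    return {name: [i for i, ev in enumerate(events) if match(ev)] for name, match in ALARMS.items()}


def classify_log_lines(lines):
    """Same check over raw JSON lines, one CloudTrail record per line as delivered to CloudWatch Logs."""
    return classify([json.loads(line) for line in lines if line.strip()])


# Constructed records: only the fields the filters inspect.
SAMPLE_EVENTS = [
    # 0: a person signing in as root with MFA; should alarm (root usage), not the MFA alarm
    {"eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
     "userIdentity": {"type": "Root"}, "additionalEventData": {"MFAUsed": "Yes"}},
    # 1: a service acting on the account's behalf carries the Root identity with invokedBy; excluded
    {"eventName": "PutEvaluations", "eventType": "AwsApiCall",
     "userIdentity": {"type": "Root", "invokedBy": "config.amazonaws.com"}},
    # 2: IAM user console login without MFA
    {"eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}, "additionalEventData": {"MFAUsed": "No"}},
    # 3: security group rule added by an assumed role
    {"eventName": "AuthorizeSecurityGroupIngress", "eventType": "AwsApiCall",
     "userIdentity": {"type": "AssumedRole"}},
    # 4: ordinary read call, matches nothing
    {"eventName": "DescribeInstances", "eventType": "AwsApiCall",
     "userIdentity": {"type": "AssumedRole"}},
]

if __name__ == "__main__":
    for alarm, hits in classify(SAMPLE_EVENTS).items():
        print(f"{alarm:<26} -> records {hits}")
```

Record 1 is why the root-usage filter carries the `invokedBy` and `eventType` clauses: without them every service call made on the account's behalf would page the on-call engineer. Run `classify_log_lines` over the JSON lines exported from the CloudTrail log group to replay a day of events against the same rules.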
GuardDuty
Critical Controls
- Enable GuardDuty: In all regions and accounts
- Configure alert notifications: SNS topic to security team
- Review findings regularly: Triage and respond to alerts
High Priority Controls
- Enable malware protection: For EC2 and S3
- Configure trusted IP lists: Reduce false positives
- Integrate with Security Hub: Centralized security view
Security Hub
High Priority Controls
- Enable Security Hub: Aggregated security findings
- Enable standards: CIS, AWS Foundational, PCI DSS
- Configure findings export: To SIEM or ticketing system
Chapter 5: Compliance and Governance
Meeting compliance requirements requires systematic controls and documentation.
AWS Organizations
High Priority Controls
- Enable Organizations: Centralized account management
- Implement SCPs: Service control policies as guardrails on member accounts (SCPs never restrict the management account, so keep workloads out of it)
- Separate workloads: Use dedicated accounts for production
Example SCP: Deny Dangerous Actions
Stopping or deleting a trail is the loud way to blind CloudTrail; an attacker can also quietly narrow it with UpdateTrail (for example by turning off multi-region coverage) or PutEventSelectors, so the example denies those calls as well.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyLeaveOrganization",
"Effect": "Deny",
"Action": "organizations:LeaveOrganization",
"Resource": "*"
},
{
"Sid": "DenyCloudTrailDisable",
"Effect": "Deny",
"Action": [
"cloudtrail:StopLogging",
"cloudtrail:DeleteTrail",
"cloudtrail:UpdateTrail",
"cloudtrail:PutEventSelectors"
],
"Resource": "*"
}
]
}
Config
High Priority Controls
- Enable Config: Resource configuration tracking
- Configure rules: Detect non-compliant resources
- Enable remediation: Auto-fix common issues
Essential Config Rules
- s3-bucket-public-read-prohibited
- ec2-instance-managed-by-systems-manager
- encrypted-volumes
- rds-storage-encrypted
- root-account-mfa-enabled
Compliance Frameworks
Framework-Specific Controls
| Framework | Key Requirements |
|---|---|
| SOC 2 | Access controls, monitoring, encryption |
| HIPAA | PHI protection, access logging, encryption |
| PCI DSS | Network segmentation, encryption, access controls |
| GDPR | Data protection, consent, right to erasure |
The Complete Checklist
Critical (Implement Immediately)
Identity and Access
- MFA on root account
- No root access keys
- MFA required for all users
- Admin IAM user created
- Password policy enforced
Network
- Private subnets for sensitive resources
- No 0.0.0.0/0 on SSH/RDP
- Security groups audited
- AWS WAF enabled
Data
- Default encryption enabled (EBS, S3, RDS)
- HTTPS enforced
- S3 public access blocked
- S3 versioning enabled
Monitoring
- CloudTrail enabled (all regions)
- GuardDuty enabled
- Root login alerts configured
High Priority (30 Days)
Identity and Access
- Least privilege policies
- Access key rotation policy
- IAM Access Analyzer enabled
- Service-linked roles used where offered
Network
- VPC Flow Logs enabled
- NAT Gateways for private subnet egress
- VPC Endpoints configured
- Network ACLs implemented
Data
- KMS customer managed keys
- Key rotation enabled
- Object Lock for compliance data
Monitoring
- CloudWatch alarms configured
- Security Hub enabled
- Log retention set
Governance
- Organizations enabled
- SCPs configured
- Config rules enabled
- Config remediation enabled
Medium Priority (90 Days)
- Data classification tags applied
- Macie for PII detection
- Dedicated accounts for regulated data
- Comprehensive Config rules
Low Priority (Ongoing)
- Penetration testing schedule
- Security awareness training
- Disaster recovery testing
- Third-party security audit
- Bug bounty program
Conclusion
Security is not a one-time project but an ongoing practice. This checklist provides a foundation, but effective security requires:
- Regular audits: Review controls quarterly at minimum
- Continuous monitoring: Detect and respond to threats in real-time
- Team training: Security awareness for all team members
- Incident response: Documented procedures for security events
Getting Started
- Assess current state: Work through this checklist, documenting gaps
- Prioritize by risk: Address critical items first
- Implement systematically: One control at a time, validated
- Monitor continuously: Detection is as important as prevention
Security and Cost Optimization
Security and cost optimization are complementary. Our scanner identifies both security misconfigurations and cost waste:
- Public S3 buckets (security risk AND compliance risk)
- Unused security groups (clutter AND audit complexity)
- Unencrypted volumes (security gap AND compliance violation)
About Sentasity
Sentasity helps growing companies secure and optimize their AWS environments. Our scanner covers security findings alongside cost optimization, giving you a complete picture of your AWS posture.
Start your free scan to assess your security and cost optimization opportunities.
Learn about Managed Billing for ongoing monitoring and support.