AWS Security Best Practices
Build Secure, Resilient, and Compliant Architectures on AWS
Security is foundational to everything in the cloud. AWS provides a wide range of built-in services, tools, and controls to help secure infrastructure, applications, and data. But you share responsibility for securing what you build on AWS.
This chapter explores best practices, encryption, IAM boundaries, logging, monitoring, and proactive threat detection using AWS-native tools.
AWS Shared Responsibility Model
Who Secures What?
Layer | AWS Responsibility | Your Responsibility |
---|---|---|
Hardware, Networking, Regions | ✅ | ❌ |
Virtualization Layer | ✅ | ❌ |
IAM, VPC, EC2, Lambda | ✅ | ✅ Configure and monitor access |
S3 Buckets, RDS, Apps | ✅ | ✅ Secure data, patch apps |
AWS secures the cloud; you secure what's in the cloud.
Core Pillars of Cloud Security
- Identity & Access Management
- Data Protection
- Network Security
- Monitoring & Logging
- Incident Detection & Response
- Compliance & Governance
Identity & Access Management (IAM)
- Follow least privilege: grant only what's necessary
- Use IAM roles for applications and services
- Avoid root user for daily use
- Enforce MFA for all accounts
- Create IAM permission boundaries for scoped access
- Monitor unused users/roles via IAM Access Analyzer
Data Encryption: Protecting Data at Rest & In Transit
At Rest:
Service | Encryption Options |
---|---|
S3 | SSE-S3, SSE-KMS, SSE-C |
EBS | Encrypted volumes |
RDS | Enable encryption at launch |
DynamoDB | Default KMS encryption |
In Transit:
- Use TLS (HTTPS) for web apps
- Enable encryption in transit between Lambda and RDS
- Use TLS for S3 endpoints and API Gateway
Always use KMS-managed keys (SSE-KMS) for better auditability and control.
AWS Key Management Service (KMS)
AWS KMS allows you to:
- Create and manage encryption keys (Customer Master Keys)
- Use KMS for encryption in S3, EBS, Lambda, RDS
- Rotate keys automatically
- Define Key Policies and grants for fine-grained control
Sample Policy: Restrict KMS Key Use
This statement denies kms:Encrypt calls made to any Region other than us-east-1. It has no Principal element, so it is an identity-based policy (or an SCP), not a key policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyKmsEncryptOutsideUsEast1",
      "Effect": "Deny",
      "Action": "kms:Encrypt",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": "us-east-1"
        }
      }
    }
  ]
}
```
Use alias names (e.g., alias/app-key) instead of hardcoded key IDs.
Monitoring & Threat Detection Tools
Tool | Purpose |
---|---|
CloudTrail | Logs all API activity |
CloudWatch Logs | System & app logs |
AWS Config | Resource state tracking |
VPC Flow Logs | Network traffic flow visibility (flow metadata, not packet contents) |
Amazon GuardDuty | Threat detection & anomalies |
Amazon Inspector | Vulnerability scanner for EC2, Lambda |
Amazon GuardDuty
- Analyzes CloudTrail, DNS logs, VPC Flow Logs
- Detects: credential exfiltration, port scans, malware behavior
- Sends findings via CloudWatch Events (now Amazon EventBridge)
No agents needed. Just enable and monitor.
Amazon Inspector (now Inspector v2)
- Vulnerability scanner (EC2 scanning uses the SSM Agent)
- Scans:
  - EC2 for CVEs
  - Lambda for code risks
  - ECR container images for package vulnerabilities
- Integrated with Security Hub
Network Security: Control Ingress & Egress
VPC Best Practices:
- Use private subnets for sensitive workloads
- Only expose public-facing apps to the internet
- Use NAT Gateways, not public IPs, for backend services
- Use VPC endpoints to connect privately to S3, DynamoDB
- Use security groups + NACLs to restrict traffic
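An added example (not from the original page) of the security-group practice above as a check: it walks ingress rules in the shape of the EC2 DescribeSecurityGroups response and reports any rule that exposes a non-web port, or all traffic, to 0.0.0.0/0 or ::/0. The group IDs and rules are constructed, and the set of ports allowed to be public is an assumption to adjust per environment.

```python
import ipaddress

# Constructed sample in the shape of EC2 DescribeSecurityGroups output
# (boto3: ec2.describe_security_groups()["SecurityGroups"]); group IDs are made up.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0web", "GroupName": "web-public", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0db", "GroupName": "db-backend", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0any", "GroupName": "legacy-all", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]

# Assumption: only these listener ports may be reachable from the whole internet.
PUBLIC_OK_PORTS = {80, 443}

def is_world_open(cidr):
    """True for 0.0.0.0/0 and ::/0 (a /0 prefix is the entire address space)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def risky_rules(group):
    """Return (ports, cidr) for every ingress rule that exposes a non-web port,
    or all traffic, to the whole internet."""
    findings = []
    for perm in group.get("IpPermissions", []):
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            if not is_world_open(cidr):
                continue
            if perm["IpProtocol"] == "-1":  # all protocols and all ports
                findings.append(("all traffic", cidr))
                continue
            lo, hi = perm["FromPort"], perm["ToPort"]
            if not set(range(lo, hi + 1)) <= PUBLIC_OK_PORTS:
                findings.append((f"{perm['IpProtocol']}/{lo}-{hi}", cidr))
    return findings

def audit_security_groups(groups):
    """Map each offending group ID to its risky rules; clean groups are omitted."""
    result = {}
    for group in groups:
        findings = risky_rules(group)
        if findings:
            result[group["GroupId"]] = findings
    return result
```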
Shield & WAF
Tool | Role |
---|---|
AWS Shield | DDoS protection (Shield Standard, included by default) |
AWS Shield Advanced | Enhanced detection, mitigation |
AWS WAF | Protect web apps from common attacks (SQLi, XSS) |
Shield integrates with CloudFront and Route 53; use it together with WAF for layered protection.
Logging Best Practices
Action | Tool |
---|---|
Record all API activity | CloudTrail |
Send logs to central account | S3 log bucket + SSE |
Detect unauthorized changes | AWS Config + Rules |
Monitor login patterns | IAM Credential Reports |
Detect sudden traffic spikes | CloudWatch Alarms |
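An added example (not from the original page) that turns the IAM practices above (avoid the root user, enforce MFA) and the logging rows "Monitor login patterns" and "Detect unauthorized changes" into detection logic run over CloudTrail records. The records are constructed in the shape of a delivered CloudTrail log file; the account ID, user names and IPs are made up.

```python
# Constructed CloudTrail records in the shape of the "Records" list of a delivered
# log file (json.load(f)["Records"]); the account ID, names and IPs are made up.
SAMPLE_RECORDS = [
    {"eventTime": "2024-05-01T08:00:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "sourceIPAddress": "198.51.100.10", "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-05-01T08:05:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "198.51.100.11", "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-05-01T08:10:00Z", "eventName": "StopLogging",
     "eventSource": "cloudtrail.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "198.51.100.12"},
    {"eventTime": "2024-05-01T08:15:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "carol"},
     "sourceIPAddress": "198.51.100.13", "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
]

# CloudTrail API calls that weaken the audit trail itself; each one deserves an alert.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "PutEventSelectors"}

def actor(record):
    """Human-readable principal: 'root', an IAM user name, or the ARN as fallback."""
    identity = record.get("userIdentity", {})
    if identity.get("type") == "Root":
        return "root"
    return identity.get("userName") or identity.get("arn", "unknown")

def detect(records):
    """Return (rule, actor, eventTime) for each record that breaks the IAM and
    logging practices above. The MFA rule covers Root and IAM users only: federated
    sign-ins report MFAUsed=No because MFA happens at the identity provider."""
    findings = []
    for rec in records:
        name, who, when = rec.get("eventName"), actor(rec), rec.get("eventTime")
        kind = rec.get("userIdentity", {}).get("type")
        mfa = rec.get("additionalEventData", {}).get("MFAUsed")
        if name == "ConsoleLogin":
            if kind == "Root":
                findings.append(("root-console-login", who, when))
            if kind in ("Root", "IAMUser") and mfa != "Yes":
                findings.append(("console-login-without-mfa", who, when))
        elif name in TRAIL_TAMPERING:
            findings.append(("cloudtrail-tampering", who, when))
    return findings
```

The same rules can be expressed as CloudWatch Logs metric filters or EventBridge patterns on a CloudTrail-backed log group once the trail is delivered there.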
Compliance & Governance
- Enable AWS Config conformance packs
- Use Service Control Policies (SCP) in AWS Organizations
- Set up tagging policies for cost governance
- Enable Access Analyzer to detect risky configurations
- Integrate with Security Hub to centralize alerts
AWS complies with HIPAA, PCI-DSS, ISO 27001, FedRAMP, and many more; compliance of what you build on top of AWS remains your responsibility.
Summary of Best Practices
Category | Best Practice |
---|---|
IAM | Least privilege, use roles, MFA |
Encryption | KMS, SSE-KMS, TLS for all endpoints |
Network | Private subnets, VPC endpoints |
Logging | CloudTrail, VPC logs, central S3 |
Threat Detection | Enable GuardDuty, use Inspector |
Compliance | Use Config + Security Hub |
Vulnerability Mgmt | Regular patching, CVE scanning |