How to implement AWS Security Best Practices?

Highlighting a few important points regarding AWS security. Applying security best practices is the most important aspect of running things in the cloud. We can apply the NIST Cybersecurity Framework's five functions, i.e. Identify, Protect, Detect, Respond, Recover.

Always use a Defense in Depth approach, i.e. protection at each layer.

Example:

  • CloudFront with AWS WAF, i.e. protection at the edge.

The reason is simple: if there is a breach at one layer, the remaining layers will thwart these attempts.

Strong detection and response can contain security incidents.

Covering the topics below:

IAM (Identity and Access Management):

  • Always enable MFA for the root account user and store the MFA device in a safe place, OR shred it afterwards. Use a cross-account Organization IAM role from the master billing account (break glass) to log in to another account. Require MFA to assume this IAM role and create alerts for the security team via CloudTrail or a centralised SIEM tool.
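An added example (not code from the original post): a break-glass role trust policy that only lets the master billing account assume the role when MFA is present, plus a small audit helper that checks whether a given trust policy enforces that condition. The account ID is a constructed placeholder.

```python
# Added example: break-glass role trust policy gated on MFA, with an audit
# helper. MASTER_ACCOUNT_ID is a constructed placeholder, not a real account.
import json

MASTER_ACCOUNT_ID = "111111111111"  # constructed placeholder

# Trust policy attached to the break-glass role in a member account.
BREAK_GLASS_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{MASTER_ACCOUNT_ID}:root"},
            "Action": "sts:AssumeRole",
            # The assume call is refused unless the caller authenticated with MFA.
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        }
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def requires_mfa(trust_policy: dict) -> bool:
    """True only if every Allow sts:AssumeRole statement demands MFA.

    Only Condition.Bool aws:MultiFactorAuthPresent == "true" counts: a
    BoolIfExists condition passes when the key is absent (e.g. role chaining),
    so it is deliberately not treated as enforcing.
    """
    allow_assume = [
        s for s in _as_list(trust_policy.get("Statement", []))
        if s.get("Effect") == "Allow"
        and "sts:AssumeRole" in _as_list(s.get("Action", []))
    ]
    if not allow_assume:
        return False  # nothing can assume the role; not an MFA-gated role
    for stmt in allow_assume:
        bool_cond = stmt.get("Condition", {}).get("Bool", {})
        if str(bool_cond.get("aws:MultiFactorAuthPresent", "")).lower() != "true":
            return False
    return True


if __name__ == "__main__":
    print(json.dumps(BREAK_GLASS_TRUST_POLICY, indent=2))
    print("MFA enforced:", requires_mfa(BREAK_GLASS_TRUST_POLICY))
```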

In case of any security compromise:

  • Check the CloudTrail logs to see what actions were performed with the access key ID, revoke the IAM sessions, and then rotate the IAM keys.
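An added example (not from the original post) of the first step above: triaging CloudTrail records for a suspected access key and separating read-only calls from state-changing ones, which is what drives the revoke and rotate decision. The records and key IDs are constructed samples shaped like CloudTrail's JSON.

```python
# Added example: triage CloudTrail records by access key ID. SAMPLE_LOG is a
# constructed stand-in for one CloudTrail log file; key IDs are placeholders.
import json

SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-01T09:12:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY000001",
                      "arn": "arn:aws:iam::111111111111:user/dev"}},
    {"eventTime": "2024-05-01T09:13:30Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY000001",
                      "arn": "arn:aws:iam::111111111111:user/dev"}},
    {"eventTime": "2024-05-01T09:20:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "10.0.0.5",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY000002",
                      "arn": "arn:aws:iam::111111111111:user/ops"}},
]})

# Read-only API names start with these prefixes; anything else changes state.
READ_PREFIXES = ("Describe", "List", "Get", "Head")


def actions_for_key(log_json: str, access_key_id: str) -> list[dict]:
    """Events made with access_key_id, oldest first, tagged read or write."""
    records = json.loads(log_json)["Records"]
    hits = [r for r in records
            if r.get("userIdentity", {}).get("accessKeyId") == access_key_id]
    hits.sort(key=lambda r: r["eventTime"])
    return [{
        "time": r["eventTime"],
        "service": r["eventSource"].split(".")[0],
        "action": r["eventName"],
        "ip": r.get("sourceIPAddress"),
        "kind": "read" if r["eventName"].startswith(READ_PREFIXES) else "write",
    } for r in hits]


def mutating_actions(log_json: str, access_key_id: str) -> list[str]:
    """State-changing calls made with the key; each one needs to be reviewed and undone."""
    return [e["action"] for e in actions_for_key(log_json, access_key_id)
            if e["kind"] == "write"]


if __name__ == "__main__":
    for e in actions_for_key(SAMPLE_LOG, "AKIAEXAMPLEKEY000001"):
        print(f'{e["time"]} {e["kind"]:5} {e["service"]}:{e["action"]} from {e["ip"]}')
    print("to review:", mutating_actions(SAMPLE_LOG, "AKIAEXAMPLEKEY000001"))
```

In a real investigation the input is the set of log files CloudTrail delivered to the central S3 bucket for the time window, not a single file.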

S3 (Simple Storage Service):

  • Enable the “Block Public Access” setting at the account level. If you genuinely need public buckets, use a dedicated account that hosts public buckets only.

ELB (Elastic Load Balancing):

  • Enable access logging for public load balancers and push the logs to a centralised S3 bucket. One method is to build your own ELK stack and fetch all logs from the S3 bucket using Filebeat and SQS.

VPC and VPC Endpoints/Endpoint Services and PrivateLink:

  • Gateway endpoints are reached from the VPC via route table entries. Interface endpoints reach AWS public services via PrivateLink, so we don't need an Internet Gateway, NAT Gateway, public IP or Direct Connect to reach these services.

RDS (Relational Database Service):

  • While deploying RDS, make sure to use private subnets and don't allow public access to the RDS instance. You can reach it in the private subnets via Direct Connect from your organisation's network.

IAM database authentication provides the following benefits:

  • Network traffic to and from the database is encrypted using Secure Sockets Layer (SSL).

AWS Security Services (GuardDuty/VPC Flow Logs/CloudTrail/AWS Config/CloudWatch):

  • For observability and monitoring across multiple AWS accounts you should enable GuardDuty, VPC Flow Logs, CloudTrail, AWS Config and CloudWatch. The best architecture is to delegate an administrator account and forward all logs to an S3 bucket in a separate, locked-down account. Use either an ELK stack or a SIEM tool to visualise the data, create dashboards and set alerts based on events.

Amazon Macie: uses machine learning to discover sensitive data in S3.

Amazon Inspector: security assessment service for vulnerabilities etc.

Amazon Detective: analyse and identify the root cause of potential security issues by backtracking.

AWS Firewall Manager: manage WAF rules, security groups, AWS Shield and Route 53 Resolver DNS Firewall at scale, i.e. across multiple VPCs in your AWS organisation.

AWS KMS: create and manage cryptographic keys. It is a managed service that provides encryption to all applications and is integrated with AWS services. It logs all API calls to CloudTrail for auditing and compliance.

AWS Security Hub with compliance overview: mitigate all alerts based on a compliance framework, e.g. the AWS CIS Benchmark, as a starting point.

and a few others. Check out the link below:

AWS Security Reference Architecture

Route 53 (Private Hosted Zones):

  • For cross-account private hosted zone DNS resolution, create a VPC association authorisation in the participant account, associate the VPC with the hosted zone, and then delete the VPC association authorisation in the main account. Afterwards, you can resolve private hosted zone records from one account in the other.
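The three Route 53 calls behind that procedure, as an added example (not code from the original post). AWS requires the authorisation to be created and deleted by the account that owns the hosted zone and the association to be made by the account that owns the VPC, so the function takes one boto3 Route 53 client per account; a recording stand-in client is included so the sequence can be exercised without credentials. Zone, VPC and profile names are constructed placeholders.

```python
# Added example: share a private hosted zone with a VPC in another account.
# Clients are injected so the call order can be checked offline; the IDs and
# profile names used in __main__ are constructed placeholders.


class RecordingRoute53:
    """Constructed stand-in for a boto3 Route 53 client that records calls."""

    def __init__(self, account: str):
        self.account, self.calls = account, []

    def __getattr__(self, api_name):
        def call(**kwargs):
            self.calls.append((self.account, api_name, kwargs))
            return {}
        return call


def share_private_hosted_zone(zone_owner_r53, vpc_owner_r53, hosted_zone_id: str,
                              vpc_region: str, vpc_id: str) -> None:
    """Authorise the VPC, associate it, then revoke the standing authorisation.

    zone_owner_r53: Route 53 client with credentials in the account owning the zone.
    vpc_owner_r53:  Route 53 client with credentials in the account owning the VPC.
    """
    vpc = {"VPCRegion": vpc_region, "VPCId": vpc_id}
    # 1. Zone owner authorises exactly this VPC (no wildcard authorisations exist).
    zone_owner_r53.create_vpc_association_authorization(HostedZoneId=hosted_zone_id, VPC=vpc)
    # 2. VPC owner performs the association from its own account.
    vpc_owner_r53.associate_vpc_with_hosted_zone(
        HostedZoneId=hosted_zone_id, VPC=vpc, Comment="cross-account private DNS")
    # 3. Remove the authorisation so it cannot be reused later; the association
    #    that already exists is unaffected.
    zone_owner_r53.delete_vpc_association_authorization(HostedZoneId=hosted_zone_id, VPC=vpc)


if __name__ == "__main__":
    import boto3  # real clients: needs credentials for both accounts (two profiles)
    share_private_hosted_zone(
        boto3.session.Session(profile_name="zone-owner").client("route53"),
        boto3.session.Session(profile_name="vpc-owner").client("route53"),
        "Z0123456789EXAMPLE", "eu-west-1", "vpc-0abc123def456789")
```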

AWS Config:

  • AWS Config records all configuration changes to AWS resources. Any change to a security group, EC2 instance or RDS instance is recorded, and you can view the full timeline around any security event.

Below are example screenshots to gain insight into all resources and compliance within your AWS accounts:

EC2:

  • Do not deploy EC2 instances in public subnets. Use a three-tier architecture with a load balancer in front doing SSL termination, and the EC2 instances (web/app) plus RDS in private subnets.

AWS Multi-Account Best Practices:

  • Enable centralised billing with AWS Organizations.
  • Implement Control Tower and migrate existing accounts. There are many benefits to using Control Tower, including built-in security guardrails and out-of-the-box support for CloudTrail and Config logs in a separate locked-down account.

AWS does provide native security solutions with Organization-level dashboards. You need to pick tools according to your organisation's requirements: multi-cloud posture management, UEBA (User and Entity Behaviour Analytics), threat analysis using traffic logs, inventory, security frameworks; and it is good to have a single pane of glass.

Working as a Cloud Lead/Architect with a security mindset.
