Security Guidelines for 50 AWS resources
By oculus • October 31, 2025
1) Amazon S3 (Simple Storage Service)
How to Secure: Use least-privilege IAM policies for bucket access, enable Block Public Access, and enforce encryption at rest (SSE-S3 or SSE-KMS) and in transit (HTTPS).
Important Security Measures:
- Enable S3 Block Public Access at account and bucket level.
- Use AWS KMS for managed key encryption (SSE-KMS).
- Enforce bucket policies and IAM conditions (like aws:SourceVpce, aws:SourceIp).
- Enable Object Lock and Versioning for ransomware and deletion protection.
- Use Access Analyzer for S3 to find unintended public access.
Prevention Controls:
- Enable service control policies (SCPs) to block public buckets across org.
- Enforce encryption policies with AWS Config rules (s3-bucket-server-side-encryption-enabled).
- Use CloudFormation guardrails or Service Catalog constraints to enforce best practices.
Detection Controls:
- Enable CloudTrail Data Events for object-level access.
- Use Amazon GuardDuty S3 Protection to detect suspicious access (e.g., anomaly, exfiltration).
- Use Security Hub + Config to monitor compliance (CIS AWS Foundations Benchmark).
Remediation Controls:
- Auto-remediate public access via AWS Config Remediation Lambda.
- Rotate or revoke IAM credentials granting access to open buckets.
- Apply S3 Block Public Access and restrict ACLs via automated workflow.
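As an added example (not part of the original post), the following Python function checks one bucket the way a custom Config rule or an Access Analyzer follow-up would: it confirms that all four Block Public Access flags are on and that the bucket policy carries Deny statements for non-TLS requests and for PutObject without SSE-KMS. The bucket name and the policy are constructed sample data.

```python
# Constructed sample shaped like the GetBucketPolicy and GetPublicAccessBlock
# API responses for one bucket; the bucket name and policy are made up.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": ["arn:aws:s3:::example-bucket",
                                         "arn:aws:s3:::example-bucket/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        {"Sid": "DenyUnencryptedPut", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringNotEquals":
                       {"s3:x-amz-server-side-encryption": "aws:kms"}}},
    ],
}
SAMPLE_PAB = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
              "BlockPublicPolicy": True, "RestrictPublicBuckets": False}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def has_deny(policy, action, operator, key, expected):
    """True if a Deny statement covers `action` and carries the condition
    {operator: {key: expected}}, e.g. Bool / aws:SecureTransport / false."""
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Deny":
            continue
        actions = _as_list(st.get("Action", []))
        if not {action, "s3:*", "*"} & set(actions):
            continue
        cond = st.get("Condition", {}).get(operator, {})
        if str(cond.get(key, "")).lower() == expected:
            return True
    return False


def audit_bucket(policy, public_access_block):
    """Return a list of findings for one bucket; an empty list is compliant."""
    findings = []
    for flag, enabled in public_access_block.items():
        if not enabled:
            findings.append(f"PublicAccessBlock.{flag} is disabled")
    if not has_deny(policy, "s3:*", "Bool", "aws:SecureTransport", "false"):
        findings.append("no Deny for aws:SecureTransport=false (plain HTTP allowed)")
    if not has_deny(policy, "s3:PutObject", "StringNotEquals",
                    "s3:x-amz-server-side-encryption", "aws:kms"):
        findings.append("no Deny forcing SSE-KMS on PutObject")
    return findings
```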
2) Amazon EC2
How to Secure: Harden AMIs, patch regularly, and restrict network paths.
Important Security Measures:
- Least-privilege instance profiles.
- Disable password SSH.
- Use IMDSv2.
Prevention Controls:
- Security Groups and NACLs default-deny.
- Golden AMI pipeline.
- EBS encryption by default.
Detection Controls:
- GuardDuty EC2 findings.
- CloudWatch for login/auth anomalies.
- SSM inventory and compliance.
Remediation Controls:
- SSM Patch Manager.
- Quarantine security group.
- Automated isolation and snapshot via Lambda.
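Added example, not from the original post: a Python audit over describe-instances and describe-security-groups output that flags instances still accepting IMDSv1 and instances reachable over SSH from the internet, and emits the modify_instance_metadata_options parameters that enforce IMDSv2. The instance and security group IDs are constructed.

```python
# Constructed samples shaped like ec2.describe_instances()["Reservations"]
# and ec2.describe_security_groups()["SecurityGroups"]; IDs are made up.
RESERVATIONS = [{"Instances": [
    {"InstanceId": "i-0aaa", "SecurityGroups": [{"GroupId": "sg-web"}],
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}},
    {"InstanceId": "i-0bbb", "SecurityGroups": [{"GroupId": "sg-app"}],
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required"}},
]}]
SECURITY_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-app", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
]


def ssh_open_to_world(group):
    """True if any ingress rule lets 0.0.0.0/0 or ::/0 reach TCP/22."""
    for perm in group.get("IpPermissions", []):
        if perm.get("IpProtocol") not in ("tcp", "-1"):
            continue
        # "-1" (all traffic) rules carry no port range, so default to all ports
        if not perm.get("FromPort", 0) <= 22 <= perm.get("ToPort", 65535):
            continue
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        if "0.0.0.0/0" in cidrs or "::/0" in cidrs:
            return True
    return False


def audit_instances(reservations, security_groups):
    """Return (findings, fixes): findings are (instance_id, issue) pairs,
    fixes are kwargs for ec2.modify_instance_metadata_options()."""
    by_id = {g["GroupId"]: g for g in security_groups}
    findings, fixes = [], []
    for res in reservations:
        for inst in res["Instances"]:
            iid = inst["InstanceId"]
            md = inst.get("MetadataOptions", {})
            if md.get("HttpEndpoint") == "enabled" and md.get("HttpTokens") != "required":
                findings.append((iid, "IMDSv1 allowed (HttpTokens != required)"))
                fixes.append({"InstanceId": iid, "HttpTokens": "required"})
            for sg in inst.get("SecurityGroups", []):
                if ssh_open_to_world(by_id.get(sg["GroupId"], {})):
                    findings.append((iid, f"SSH open to the internet via {sg['GroupId']}"))
    return findings, fixes
```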
3) AWS IAM
How to Secure: Enforce least privilege and short-lived credentials.
Important Security Measures:
- MFA for human principals.
- Deny-by-default SCPs.
- Permissions boundaries.
Prevention Controls:
- IAM Identity Center for SSO.
- IAM Access Analyzer.
- Strong password policy.
Detection Controls:
- CloudTrail on IAM changes.
- Access Advisor for unused permissions.
Remediation Controls:
- Remove unused policies.
- Rotate keys.
- Apply permissions boundaries and SCPs to contain the blast radius.
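Added example (not the author's code): a small Python linter for an IAM policy document that flags the patterns a least-privilege review looks for first: Action "*", service-wide wildcards, Allow with NotAction, and permission-granting actions on Resource "*". The sample policy, names and account ID are constructed.

```python
# Constructed sample identity policy with several over-broad grants.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "BucketRead", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::app-data", "arn:aws:s3:::app-data/*"]},
        {"Sid": "DeployHelper", "Effect": "Allow",
         "Action": ["ec2:*", "iam:PassRole"], "Resource": "*"},
        {"Sid": "Everything", "Effect": "Allow", "NotAction": "iam:*", "Resource": "*"},
    ],
}

# Actions that let a principal widen its own or another principal's access;
# they are flagged only when the statement's Resource is "*".
ESCALATION_ACTIONS = {"iam:passrole", "iam:attachrolepolicy", "iam:attachuserpolicy",
                      "iam:putrolepolicy", "iam:createpolicyversion",
                      "iam:updateassumerolepolicy", "sts:assumerole"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_policy(doc):
    """Return (Sid, issue) pairs for Allow statements that violate least
    privilege; an empty list means nothing was flagged."""
    findings = []
    for i, st in enumerate(_as_list(doc.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", f"Statement[{i}]")
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        if "NotAction" in st:
            findings.append((sid, "Allow with NotAction grants every action not listed"))
        if "*" in actions:
            findings.append((sid, "Action '*' grants every API"))
        for action in actions:
            if action.endswith(":*"):
                findings.append((sid, f"service-wide wildcard {action}"))
        risky = sorted(a for a in actions if a.lower() in ESCALATION_ACTIONS)
        if risky and "*" in resources:
            findings.append((sid, f"{', '.join(risky)} on Resource '*'"))
    return findings
```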
4) Amazon VPC
How to Secure: Segment networks; use private subnets and egress controls.
Important Security Measures:
- Route control.
- VPC endpoints with endpoint policies.
- No public Internet Gateway where not needed.
Prevention Controls:
- Layer Network Firewall, NACLs, and security groups.
- Centralized egress via NAT with TLS inspection.
Detection Controls:
- VPC Flow Logs.
- GuardDuty VPC findings.
Remediation Controls:
- Block via Network ACL or Network Firewall.
- Fix routes.
- Tighten endpoint policies.
5) Amazon RDS
How to Secure: Private subnets, encryption, and restricted connectivity.
Important Security Measures:
- IAM database authentication where supported.
- Credential rotation via Secrets Manager.
- Minor version auto-upgrade.
Prevention Controls:
- Parameter groups to disable dangerous features.
- Security group allowlist only.
Detection Controls:
- Enhanced Monitoring.
- CloudWatch for authentication failures.
- GuardDuty RDS findings.
Remediation Controls:
- Rotate credentials.
- Snapshot and point-in-time restore.
- Block offending security groups.
6) AWS Lambda
How to Secure: Minimize execution role permissions; isolate VPC access.
Important Security Measures:
- Environment variable encryption.
- Code signing.
- Least privilege to downstream resources.
Prevention Controls:
- Use only vetted layers.
- Concurrency limits.
- Deny wildcard actions in execution roles.
Detection Controls:
- CloudTrail for Invoke and Update calls.
- CloudWatch metric and log anomalies.
Remediation Controls:
- Revoke role permissions.
- Roll back to a previous version.
- Quarantine the function's VPC security group.
7) Amazon EKS
How to Secure: Lock down the cluster API, node roles, and pod security.
Important Security Measures:
- Use IAM Roles for Service Accounts (IRSA).
- OPA/Gatekeeper or Kyverno policies.
- Private API endpoint where possible.
Prevention Controls:
- Pod Security Standards.
- Restrict hostPath and privileged containers.
- ECR image scanning.
Detection Controls:
- GuardDuty EKS Protection.
- CloudWatch Container Insights.
- Kubernetes audit logs.
Remediation Controls:
- Kill pods and revoke the service account.
- Rotate cluster credentials.
- Patch nodes.
8) Amazon ECS (incl. Fargate)
How to Secure: Least-privilege task roles; private networking.
Important Security Measures:
- Secrets via SSM Parameter Store or Secrets Manager.
- Image scanning.
- No plaintext secrets in environment variables.
Prevention Controls:
- Task definition constraints.
- Security groups per service.
- Deny external egress if not needed.
Detection Controls:
- GuardDuty ECS findings.
- CloudWatch/FireLens logs.
- EventBridge on task changes.
Remediation Controls:
- Stop or replace tasks.
- Rotate secrets.
- Block egress via security group.
9) Amazon ECR
How to Secure: Private repositories; immutable tags; scan on push.
Important Security Measures:
- KMS-encrypted repositories.
- Lifecycle policies.
Prevention Controls:
- Enforce scanning and signed images (Notary/Sigstore).
Detection Controls:
- EventBridge for scan findings.
- Security Hub integration.
Remediation Controls:
- Block deployment of vulnerable images.
- Delete or expire tags.
10) Amazon CloudFront
How to Secure: TLS 1.2+, HTTPS-only origins, restricted viewer access.
Important Security Measures:
- Origin Access Control for S3.
- WAF on distributions.
- Geo/IP restrictions.
Prevention Controls:
- Signed URLs/cookies.
- Enforce HSTS.
- Custom headers to origins.
Detection Controls:
- CloudFront logs queried with Athena.
- WAF logs.
- GuardDuty malicious IP findings.
Remediation Controls:
- Update behaviors.
- Add WAF rules.
- Invalidate malicious content.
11) Amazon Route 53
How to Secure: DNSSEC for domains; least-privilege change permissions.
Important Security Measures:
- Health checks.
- Private hosted zones for internal names.
Prevention Controls:
- Registrar lock.
- MFA on domain transfers.
Detection Controls:
- CloudTrail for ChangeResourceRecordSets.
- Route 53 Resolver query logs.
Remediation Controls:
- Revert records.
- Transfer lock.
- Block malicious domains via Resolver DNS Firewall.
12) AWS CloudTrail
How to Secure: Enable org-wide; log to a dedicated, encrypted S3 bucket with MFA Delete and versioning.
Important Security Measures:
- Data Events for S3 and Lambda.
- Integrate with CloudWatch and GuardDuty.
Prevention Controls:
- SCP to prevent disabling trails.
- Separate log archive account.
Detection Controls:
- Alarms for root use and trail changes.
Remediation Controls:
- Re-enable the trail.
- Investigate.
- Lock down with SCPs.
13) Amazon CloudWatch
How to Secure: Centralize logs; restrict log access.
Important Security Measures:
- Metric filters for security events.
- Log encryption.
Prevention Controls:
- Standardize log retention and subscription filters.
Detection Controls:
- Alarms for auth failures, config drift, and throttling.
Remediation Controls:
- Trigger SSM/Lambda.
- Update dashboards and alarms.
14) AWS Config
How to Secure: Record all regions; aggregate to the security account.
Important Security Measures:
- Managed rules for CIS/NIST.
- Custom rules for org guardrails.
Prevention Controls:
- Conformance packs.
- Auto-remediation runbooks.
Detection Controls:
- Noncompliance snapshots.
- Drift timelines.
Remediation Controls:
- SSM Automation.
- Service Catalog constraints.
15) Amazon GuardDuty
How to Secure: Enable org-wide; turn on S3, EKS, and RDS protections.
Important Security Measures:
- Threat lists.
- Auto-enable in new regions.
Prevention Controls:
- Map baseline finding types to playbooks.
- Suppression rules for known noise.
Detection Controls:
- Continuous threat-intelligence and ML-based detections.
Remediation Controls:
- EventBridge to isolate/quarantine.
- Ticket plus IR runbook.
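Added example, not from the original post, covering the EC2 remediation item above (automated isolation and snapshot via Lambda) and the GuardDuty remediation item (EventBridge to isolate/quarantine): a Python Lambda that turns a GuardDuty EC2 finding into an isolation plan and executes it. It assumes a pre-created quarantine security group with no rules, whose ID arrives in the QUARANTINE_SG environment variable (an assumed name); the event is constructed.

```python
import os

# Constructed EventBridge event carrying a GuardDuty EC2 finding; it follows
# the "GuardDuty Finding" detail-type layout but every value is made up.
SAMPLE_EVENT = {
    "detail-type": "GuardDuty Finding",
    "detail": {
        "type": "UnauthorizedAccess:EC2/TorClient",
        "severity": 8.0,
        "resource": {
            "resourceType": "Instance",
            "instanceDetails": {
                "instanceId": "i-0c0ffee",
                "networkInterfaces": [
                    {"networkInterfaceId": "eni-0123",
                     "securityGroups": [{"groupId": "sg-web"}]}]}}},
}

def isolation_plan(event, quarantine_sg, min_severity=7.0):
    """Translate a GuardDuty EC2 finding into the EC2 API calls an IR Lambda
    would make: move every ENI onto the quarantine security group (a group
    with no ingress/egress rules), snapshot all volumes for forensics, and
    tag the instance.  The instance is deliberately left running so memory
    is preserved for analysis.  Returns [] when the event does not qualify."""
    if event.get("detail-type") != "GuardDuty Finding":
        return []
    detail = event["detail"]
    resource = detail.get("resource", {})
    if detail.get("severity", 0) < min_severity or resource.get("resourceType") != "Instance":
        return []
    inst = resource["instanceDetails"]
    calls = [("modify_network_interface_attribute",
              {"NetworkInterfaceId": eni["networkInterfaceId"], "Groups": [quarantine_sg]})
             for eni in inst.get("networkInterfaces", [])]
    calls.append(("create_snapshots",
                  {"InstanceSpecification": {"InstanceId": inst["instanceId"]},
                   "Description": f"IR {detail['type']}"}))
    calls.append(("create_tags", {"Resources": [inst["instanceId"]],
                                  "Tags": [{"Key": "Quarantine", "Value": detail["type"]}]}))
    return calls

def apply_plan(ec2, plan):
    """Execute the plan against a boto3 EC2 client (or any object exposing
    the same method names) and return the responses in order."""
    return [getattr(ec2, api)(**kwargs) for api, kwargs in plan]

def handler(event, context):
    """Lambda entry point for an EventBridge rule on GuardDuty findings."""
    import boto3  # imported here so the planning logic stays testable offline
    return apply_plan(boto3.client("ec2"),
                      isolation_plan(event, os.environ["QUARANTINE_SG"]))
```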
16) AWS Security Hub
How to Secure: Enable org-wide; integrate finding sources.
Important Security Measures:
- Standards (CIS, AWS Foundational Security Best Practices).
Prevention Controls:
- Custom insights.
- Delegated admin.
Detection Controls:
- Findings aggregation and deduplication.
Remediation Controls:
- Automation rules to SSM/Lambda.
- Track finding status.
17) AWS KMS
How to Secure: Separate admin and usage roles; tight key policies.
Important Security Measures:
- Customer managed keys (CMKs) for critical data.
- Key rotation.
- External Key Store (XKS) if needed.
Prevention Controls:
- SCP to require encryption.
- Least-privilege grants.
Detection Controls:
- CloudTrail for Decrypt and ScheduleKeyDeletion.
Remediation Controls:
- Disable the key or revoke grants.
- Rotate keys.
- Re-encrypt data.
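Added example, not from the original post, serving the detection items of sections 3 (CloudTrail on IAM changes), 12 (alarms for root use and trail changes) and 17 (CloudTrail for ScheduleKeyDeletion): Python detection rules run over constructed CloudTrail records, with the root-usage test written the way the CIS metric filter expresses it. The account ID, names, IPs and times are made up.

```python
# Constructed CloudTrail records in the shape of a log file's "Records"
# array; the account ID, names, IPs and times are made up.
ACCT = "111122223333"
SAMPLE_RECORDS = [
    {"eventTime": "2025-10-31T10:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root", "arn": f"arn:aws:iam::{ACCT}:root"}},
    {"eventTime": "2025-10-31T10:05:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "203.0.113.11",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCT}:user/ops"}},
    {"eventTime": "2025-10-31T10:06:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "sourceIPAddress": "203.0.113.11",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCT}:user/ops"}},
    {"eventTime": "2025-10-31T10:07:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "ScheduleKeyDeletion", "sourceIPAddress": "203.0.113.11",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCT}:user/ops"}},
    {"eventTime": "2025-10-31T10:08:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "10.0.1.5",
     "userIdentity": {"type": "AssumedRole", "arn": f"arn:aws:sts::{ACCT}:assumed-role/app/i-0aaa"}},
]
TRAIL_TAMPER = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
IAM_CHANGES = {"CreateUser", "DeleteUser", "CreateAccessKey", "AttachUserPolicy",
               "AttachRolePolicy", "PutUserPolicy", "PutRolePolicy",
               "CreatePolicyVersion", "SetDefaultPolicyVersion", "UpdateAssumeRolePolicy"}
KMS_DESTRUCTIVE = {"ScheduleKeyDeletion", "DisableKey"}

def classify(record):
    """Return (rule, severity) when the record matches a rule, else None."""
    src, name = record.get("eventSource"), record.get("eventName")
    ident = record.get("userIdentity", {})
    # Mirrors the CIS root-usage metric filter: Root principal, not a service
    # acting on the account's behalf, and not an AWS-initiated service event.
    if (ident.get("type") == "Root" and "invokedBy" not in ident
            and record.get("eventType") != "AwsServiceEvent"):
        return ("root-account-usage", "HIGH")
    if src == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPER:
        return ("cloudtrail-tampering", "HIGH")
    if src == "iam.amazonaws.com" and name in IAM_CHANGES:
        return ("iam-permission-change", "MEDIUM")
    if src == "kms.amazonaws.com" and name in KMS_DESTRUCTIVE:
        return ("kms-key-disable-or-delete", "HIGH")
    return None

def scan(records):
    """Run each record through classify() and return the alerts in order."""
    alerts = []
    for rec in records:
        hit = classify(rec)
        if hit:
            alerts.append({"rule": hit[0], "severity": hit[1], "eventName": rec.get("eventName"),
                           "actor": rec.get("userIdentity", {}).get("arn"),
                           "sourceIPAddress": rec.get("sourceIPAddress"), "eventTime": rec.get("eventTime")})
    return alerts
```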
18) AWS Secrets Manager
How to Secure: Store and rotate secrets; limit retrieval roles.
Important Security Measures:
- Automatic rotation Lambdas.
- Encryption with KMS CMKs.
Prevention Controls:
- No secrets in code or environment variables.
- Resource policies scoped by VPC endpoint.
Detection Controls:
- CloudTrail GetSecretValue spikes and anomalies.
Remediation Controls:
- Rotate or disable the secret.
- Invalidate downstream credentials.
19) AWS Systems Manager (SSM)
How to Secure: Use SSM Session Manager instead of SSH.
Important Security Measures:
- Patch Manager baselines.
- Inventory and compliance.
Prevention Controls:
- Block SSH in security groups.
- Managed instances only from specific accounts.
Detection Controls:
- Session logs to CloudWatch/S3.
- Command history.
Remediation Controls:
- Close sessions.
- Apply patches.
- Change baselines.
20) Amazon EBS
How to Secure: Encrypt by default; govern snapshots.
Important Security Measures:
- KMS CMK.
- Snapshot sharing controls.
Prevention Controls:
- SCP to require encryption.
- Lifecycle policies on snapshots.
Detection Controls:
- Config rules for unencrypted volumes and snapshots.
Remediation Controls:
- Create an encrypted snapshot and a new volume from it.
- Revoke sharing.
21) Amazon EFS
How to Secure: Enforce TLS; mount targets in private subnets.
Important Security Measures:
- Access Points.
- POSIX permissions.
- KMS encryption.
Prevention Controls:
- Security group allowlist.
- IAM authorization for EFS where applicable.
Detection Controls:
- CloudWatch metrics for usage surges.
- Config checks.
Remediation Controls:
- Tighten security groups.
- Rotate access points.
- Re-encrypt.
22) AWS Backup
How to Secure: Central policies; cross-account and cross-region backups.
Important Security Measures:
- Vault Lock (WORM).
- KMS encryption.
Prevention Controls:
- Backup plans required via SCP/Config.
Detection Controls:
- Backup/restore job failure alarms.
Remediation Controls:
- Retry or restore in an alternate region.
- Update retention.
23) Amazon DynamoDB
How to Secure: IAM-only access; VPC endpoint policy limits.
Important Security Measures:
- KMS CMK encryption.
- Point-in-time recovery (PITR) enabled.
Prevention Controls:
- Condition keys (VPC endpoint, source IP).
- Table TTL to reduce retained data.
Detection Controls:
- CloudTrail data events.
- Throttling and auth alarms.
Remediation Controls:
- Rotate credentials.
- Restrict IAM.
- Restore from PITR.
24) Amazon API Gateway
How to Secure: Authentication and authorization at the edge; no anonymous access unless intended.
Important Security Measures:
- IAM, Cognito, or JWT authorizers.
- WAF.
- Usage plans and throttling.
Prevention Controls:
- Private APIs via VPC endpoints.
- Request schema validation.
Detection Controls:
- Access logs.
- WAF logs.
- 4XX/5XX spikes.
Remediation Controls:
- Block API keys.
- Update WAF.
- Deploy hotfix stages.
25) Elastic Load Balancing (ALB/NLB)
How to Secure: TLS termination with ACM; least-privilege security groups.
Important Security Measures:
- ALB with WAF.
- NLB for private TLS passthrough.
Prevention Controls:
- Drop HTTP or redirect to HTTPS.
- Idle timeout tuning.
Detection Controls:
- Access logs.
- Target health anomalies.
Remediation Controls:
- Block paths/IPs.
- Rotate certificates.
- Drain and replace targets.
26) AWS WAF
How to Secure: Managed rule groups plus custom rules.
Important Security Measures:
- Rate-based rules.
- IP reputation lists.
- Bot Control (if licensed).
Prevention Controls:
- Protect API Gateway, ALB, and CloudFront.
- Request size/body limits.
Detection Controls:
- WAF logs to analytics.
- High block/allow anomalies.
Remediation Controls:
- Tighten patterns.
- Add challenge/CAPTCHA.
- Emergency blocklists.
27) AWS Shield (Standard/Advanced)
How to Secure: Enable Shield Advanced for critical public endpoints.
Important Security Measures:
- DDoS cost protection.
- Proactive engagement.
Prevention Controls:
- Architect with CloudFront and regionalization.
Detection Controls:
- Shield events.
- Health check failures.
Remediation Controls:
- Engage the Shield Response Team (SRT).
- Scale the edge.
- Temporarily geo-block.
28) Amazon Cognito
How to Secure: Strong passwords plus MFA; scoped app clients.
Important Security Measures:
- Hosted UI with OAuth/OIDC.
- User pool advanced security.
Prevention Controls:
- Adaptive authentication.
- Minimal token lifetimes.
Detection Controls:
- CloudWatch auth failures.
- Risk events.
Remediation Controls:
- Lock or disable accounts.
- Rotate app client secrets.
29) AWS Organizations
How to Secure: Multi-account; separate security, infrastructure, and log archive accounts.
Important Security Measures:
- SCP guardrails.
- Delegated admins.
- Tag policies.
Prevention Controls:
- Prevent root actions.
- Restrict regions.
- Deny public S3.
Detection Controls:
- CloudTrail org events.
- Drift on SCPs.
Remediation Controls:
- Update SCPs.
- Move OUs.
- Close stray accounts.
30) AWS Control Tower
How to Secure: Landing zone with guardrails.
Important Security Measures:
- Account Factory.
- Detective and preventive controls enabled.
Prevention Controls:
- Mandatory guardrails for logging, encryption, and root MFA.
Detection Controls:
- Control Tower drift and noncompliance.
Remediation Controls:
- Enforce guardrails.
- Repair drift.
- Re-provision accounts.
31) AWS IAM Identity Center (SSO)
How to Secure: Central SSO with an IdP; SCIM provisioning.
Important Security Measures:
- Least-privilege permission sets.
- Session duration limits.
Prevention Controls:
- Enforce MFA.
- Block long-lived access keys.
Detection Controls:
- Audit sign-ins.
- Assignment changes via CloudTrail.
Remediation Controls:
- Revoke sessions.
- Adjust permission sets.
- Rotate credentials.
32) AWS CloudFormation
How to Secure: IaC with reviewed templates; change sets.
Important Security Measures:
- Stack policies.
- Drift detection.
- Parameter constraints.
Prevention Controls:
- cfn-guard rules.
- Service Catalog to gate deployments.
Detection Controls:
- Stack failure and drift alarms.
Remediation Controls:
- Roll back or update stacks.
- Fix templates.
- Block guardrail violations.
33) AWS Service Catalog
How to Secure: Curated, vetted products with constraints.
Important Security Measures:
- Portfolio access control.
- Tag enforcement.
Prevention Controls:
- Launch constraint roles.
- Parameter limits.
Detection Controls:
- Provisioned product events.
- Access audits.
Remediation Controls:
- Disable products.
- Update constraints.
- Retire versions.
34) AWS CodePipeline/CodeBuild/CodeDeploy
How to Secure: Isolate build roles; scan artifacts and dependencies.
Important Security Measures:
- Signed artifacts.
- Least-privilege deploy roles.
Prevention Controls:
- Mandatory code scanning (SAST/SCA).
- No plaintext secrets.
Detection Controls:
- Pipeline change events.
- Build log anomaly alerts.
Remediation Controls:
- Auto-fail the pipeline.
- Revoke the artifact.
- Roll back the deployment.
35) Amazon SQS
How to Secure: Strict queue policies; server-side encryption.
Important Security Measures:
- KMS CMK.
- VPC endpoints with endpoint policies.
Prevention Controls:
- Dead-letter queues.
- Least-privilege producers and consumers.
Detection Controls:
- CloudWatch for message age and backlog spikes.
- AccessDenied errors.
Remediation Controls:
- Throttle producers.
- Fix permissions.
- Purge the DLQ after review.
36) Amazon SNS
How to Secure: Topic policies; encrypt messages.
Important Security Measures:
- KMS CMK.
- Subscription confirmation controls.
Prevention Controls:
- Private endpoints only.
- Filter policies to reduce exposure.
Detection Controls:
- Delivery failures.
- Unusual publish rates.
Remediation Controls:
- Restrict publishers and subscribers.
- Rotate credentials.
- Disable endpoints.
37) Amazon EventBridge
How to Secure: Scoped rules and targets; minimal bus policies.
Important Security Measures:
- Allowlist partner event sources.
- Schema registry access control.
Prevention Controls:
- Use input transformers to drop sensitive data.
Detection Controls:
- Failed invocations.
- Unauthorized PutEvents attempts.
Remediation Controls:
- Tighten the bus policy.
- Disable rules.
- Quarantine the target.
38) AWS Step Functions
How to Secure: Least-privilege state machine IAM roles.
Important Security Measures:
- Payload encryption.
- Sensitive data redaction.
Prevention Controls:
- Choose Express or Standard workflows according to data sensitivity.
- Map state concurrency limits.
Detection Controls:
- Execution failure and timeout alarms.
Remediation Controls:
- Stop or cancel executions.
- Roll forward a fixed definition.
39) Amazon Redshift
How to Secure: Private subnets; RA3 with managed storage; encryption.
Important Security Measures:
- IAM/SSO authentication.
- Network isolation.
- Audit logging.
Prevention Controls:
- Workload management.
- Restrict COPY/UNLOAD to VPC endpoints and S3 OAC.
Detection Controls:
- STL log review.
- Performance and auth anomalies.
Remediation Controls:
- Revoke users.
- Rotate credentials.
- Snapshot and restore.
40) Amazon OpenSearch Service
How to Secure: VPC access; fine-grained access control.
Important Security Measures:
- Cognito/SSO for dashboards.
- Node-to-node encryption and TLS enforced.
Prevention Controls:
- Minimal IP-based domain policies.
- Block public endpoints.
Detection Controls:
- Slow logs and audit logs.
- CPU/storage spikes.
Remediation Controls:
- Block IPs.
- Rotate master credentials.
- Snapshot and redeploy.
41) Amazon EMR
How to Secure: Private subnets; Kerberos; IAM-based access.
Important Security Measures:
- At-rest and in-transit encryption.
- Managed scaling.
Prevention Controls:
- Mandatory security configurations.
- Least-privilege instance roles.
Detection Controls:
- Step/job failures.
- Cluster configuration drift.
Remediation Controls:
- Terminate compromised clusters.
- Re-provision with hardened configurations.
42) Amazon SageMaker
How to Secure: Private notebooks and endpoints; VPC-only; encryption.
Important Security Measures:
- Data isolation per project.
- Role separation (train vs. serve).
Prevention Controls:
- No public model endpoints.
- Model/package signing.
Detection Controls:
- Endpoint invocation spikes.
- Model drift/abuse alerts.
Remediation Controls:
- Disable the endpoint.
- Rotate credentials.
- Retrain or roll back the model.
43) Amazon Kinesis (Streams/Firehose)
How to Secure: KMS encryption; producer/consumer IAM scoping.
Important Security Measures:
- Private VPC endpoints.
- Delivery stream role hardening.
Prevention Controls:
- Data transformation to strip sensitive fields.
Detection Controls:
- Iterator age and backpressure alarms.
- Failed deliveries.
Remediation Controls:
- Scale shards.
- Fix permissions.
- Replay from retention.
44) AWS AppSync
How to Secure: Auth via Cognito, IAM, or OIDC; schema-level authorization rules.
Important Security Measures:
- Field-level authorization.
- Request/response mapping validation.
Prevention Controls:
- Disable introspection in production if needed.
- Query depth and complexity limits.
Detection Controls:
- 4XX/5XX anomalies.
- Resolver error metrics and logs.
Remediation Controls:
- Revoke API keys.
- Tighten auth rules.
- Patch resolvers.
45) AWS Elastic Beanstalk
How to Secure: Private load balancers for internal applications; platform patching.
Important Security Measures:
- Least-privilege instance profiles.
- Encrypted storage.
Prevention Controls:
- Configuration files to enforce security settings.
- Health checks.
Detection Controls:
- Environment/health anomalies.
- Configuration drift.
Remediation Controls:
- Rolling updates.
- Rotate secrets.
- Rebuild the environment from a template.
46) Amazon Macie
How to Secure: Classify S3 data; alert on sensitive data exposure.
Important Security Measures:
- Daily jobs on critical buckets.
- Tie findings to Security Hub.
Prevention Controls:
- Block public buckets that hold sensitive data classes.
Detection Controls:
- Macie findings on PII leakage.
Remediation Controls:
- Remove public access.
- Encrypt or move data.
- Notify owners.
47) Amazon Detective
How to Secure: Enable across accounts; ingest from GuardDuty, CloudTrail, and VPC Flow Logs.
Important Security Measures:
- Behavior graphs to investigate entities.
Prevention Controls:
- Not applicable (Detective is an investigation service).
Detection Controls:
- Relationship and anomaly exploration for incidents.
Remediation Controls:
- Feed outcomes into IR playbooks.
- Update guardrails.
48) AWS Network Firewall
How to Secure: Centralized, stateful filtering per VPC.
Important Security Measures:
- TLS inspection (with proxies).
- Egress controls.
- Domain lists.
Prevention Controls:
- Block known-bad IPs/URLs.
- Restrict outbound to required ports.
Detection Controls:
- Flow and alert logs to CloudWatch, S3, or Kinesis.
Remediation Controls:
- Update rule groups.
- Block IOCs.
- Segment offending subnets.
49) AWS Firewall Manager
How to Secure: Org-wide policy enforcement for WAF, Shield, and Network Firewall.
Important Security Measures:
- Central administrator.
- Apply to OUs with managed exceptions.
Prevention Controls:
- Mandatory baseline rules.
- Drift prevention.
Detection Controls:
- Noncompliant resource reports.
Remediation Controls:
- Auto-apply policies.
- Ticket resource owners.
- Escalate repeat offenders.
50) AWS Certificate Manager (ACM)
How to Secure: Issue and renew TLS certificates via ACM; restrict exportable keys.
Important Security Measures:
- Enforce TLS 1.2+.
- Rotate before expiry.
- Use Private CA if needed.
Prevention Controls:
- HSTS and perfect forward secrecy on endpoints.
Detection Controls:
- Expiry alarms.
- Failed validation events.
Remediation Controls:
- Renew and redeploy certificates.
- Revoke compromised certificates.
- Tighten SANs.
