AWS Cloud Security Hardening Checklist
This comprehensive checklist provides essential security hardening measures for AWS cloud environments,
covering identity management, networking, compute resources, storage, encryption, monitoring, web security,
automation, and general security hygiene.
by Yogesh V Malvankar
Identity & Access Management (IAM)
Principle of Least Privilege
Follow least privilege: grant only the permissions a principal needs, scoped to specific actions and resources
Use AWS managed or customer-managed policies instead of inline policies for consistency and reuse
Root User Protection
Avoid using the AWS account root user for day-to-day work; delete any root access keys
Restrict root usage to the few tasks that require it; set a strong root password, store it securely, and register a hardware MFA device for root
Authentication Controls
Enforce MFA on all IAM users, especially privileged ones
Implement IAM Identity Center (AWS SSO) with your corporate IdP for federated login, so people receive short-lived credentials instead of long-lived access keys
Rotate any remaining IAM user access keys every 90 days or sooner
Access Analysis & Governance
Enable IAM Access Analyzer to identify public and cross-account access risks
Use IAM conditions (aws:SourceIp, aws:VpcSourceIp, aws:PrincipalOrgID, etc.) for contextual restrictions
Use Service Control Policies (SCPs) with AWS Organizations to enforce governance
Additional IAM security measures:
Disable or remove unused IAM users and roles
Tag IAM users and roles for ownership and audit tracking
Generate the IAM credential report regularly and review it for anomalies (users without MFA, stale or unused access keys, root keys)
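The credential-report review above is easy to automate. The following is an added example, not part of the checklist: it parses a credential report in the CSV layout returned by `aws iam get-credential-report` and flags the conditions the checklist names (console users without MFA, root without MFA or with active access keys, keys older than 90 days, and users with no activity in 90 days). The report body, account ID, user names and timestamps are constructed for the example; only a subset of the real report's columns is included.

```python
"""Audit an IAM credential report for MFA gaps, stale access keys and root keys."""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample report (subset of the real columns, same names and value conventions).
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,2020-01-10T08:00:00+00:00,not_supported,2024-03-01T09:12:00+00:00,not_supported,not_supported,false,true,2020-01-10T08:05:00+00:00,2024-02-28T10:00:00+00:00,false,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,2022-05-01T12:00:00+00:00,true,2024-04-01T07:30:00+00:00,2024-01-15T12:00:00+00:00,2024-04-14T12:00:00+00:00,true,true,2024-02-01T12:00:00+00:00,2024-04-01T07:31:00+00:00,false,N/A,N/A
bob,arn:aws:iam::111122223333:user/bob,2021-09-20T12:00:00+00:00,true,2023-06-11T15:00:00+00:00,2021-09-20T12:00:00+00:00,2021-12-19T12:00:00+00:00,false,true,2021-09-20T12:05:00+00:00,2023-06-11T15:02:00+00:00,true,2023-01-05T09:00:00+00:00,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2023-02-02T10:00:00+00:00,false,no_information,N/A,N/A,false,true,2024-03-20T10:00:00+00:00,2024-04-02T03:00:00+00:00,false,N/A,N/A
"""

# Fixed clock so the example is deterministic; use datetime.now(timezone.utc) in practice.
NOW = datetime(2024, 4, 5, 23, 59, tzinfo=timezone.utc)
ROOT = "<root_account>"


def parse_ts(value):
    """The report writes N/A, not_supported or no_information where no date exists."""
    if value in ("N/A", "not_supported", "no_information", ""):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv, now=NOW, max_key_age_days=90, inactive_days=90):
    """Return (user, issue) pairs for the conditions the checklist asks you to review."""
    findings = []
    max_age = timedelta(days=max_key_age_days)
    inactive = timedelta(days=inactive_days)
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == ROOT
        has_mfa = row["mfa_active"] == "true"
        last_used = [parse_ts(row["password_last_used"])]

        if is_root and not has_mfa:
            findings.append((user, "root user has no MFA"))
        elif not is_root and row["password_enabled"] == "true" and not has_mfa:
            findings.append((user, "console password enabled without MFA"))

        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = parse_ts(row[f"access_key_{n}_last_rotated"])
            last_used.append(parse_ts(row[f"access_key_{n}_last_used_date"]))
            if is_root:
                # Root keys cannot be scoped down; the only fix is deletion.
                findings.append((user, f"root access key {n} is active; delete it"))
            elif rotated is not None and now - rotated > max_age:
                findings.append((user, f"access key {n} is {(now - rotated).days} days old"))

        # A user whose password and keys have all been idle is a candidate for removal.
        used = [t for t in last_used if t is not None]
        if not is_root and (not used or now - max(used) > inactive):
            findings.append((user, f"no activity in the last {inactive_days} days"))
    return findings


if __name__ == "__main__":
    for user, issue in audit_credential_report(SAMPLE_REPORT):
        print(f"{user}: {issue}")
```

Service users such as `ci-deploy` have no console password, so the MFA check does not fire for them; their risk is the long-lived key itself, which is why the key-age threshold applies to them too.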
Networking Security
VPC & Subnet Configuration
Implement least privilege security groups: allow only the ports and sources a workload needs
Avoid 0.0.0.0/0 inbound rules except where a public entry point is intended and protected (e.g., a load balancer behind WAF); reach admin ports through a VPN, Session Manager, or a bastion host
Use VPC subnets with private/public separation; place internal workloads in private subnets
Restrict use of public IPs on instances unless absolutely necessary
Use network ACLs as a second, stateless layer at the subnet boundary to further limit allowed traffic
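The security-group rules above can be checked mechanically against the output of `describe-security-groups`. This is an added example, not part of the checklist; the group IDs, names and CIDRs are constructed, and the input dictionaries follow the `SecurityGroups[].IpPermissions[]` shape of the EC2 API response.

```python
"""Flag security-group ingress rules that expose sensitive ports to the internet."""

# Ports that should never be reachable from 0.0.0.0/0 or ::/0.
SENSITIVE_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres", 6379: "redis"}
WORLD = ("0.0.0.0/0", "::/0")

# Constructed sample in the shape of `aws ec2 describe-security-groups`.
GROUPS = [
    {"GroupId": "sg-0bastion", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24", "Description": "corp VPN egress"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0alb", "GroupName": "public-alb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0legacy", "GroupName": "legacy-app", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0default", "GroupName": "default", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]


def rule_sources(rule):
    """All IPv4 and IPv6 CIDRs a rule accepts traffic from."""
    return ([r["CidrIp"] for r in rule.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])])


def rule_covers_port(rule, port):
    """IpProtocol -1 means every protocol and port; FromPort/ToPort is an inclusive range."""
    proto = rule.get("IpProtocol")
    if proto == "-1":
        return True
    if proto not in ("tcp", "udp"):
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def audit_security_groups(groups):
    """Return (group_id, severity, issue) for world-open rules and misused default groups."""
    findings = []
    for sg in groups:
        gid = sg["GroupId"]
        for rule in sg.get("IpPermissions", []):
            world = [c for c in rule_sources(rule) if c in WORLD]
            if not world:
                continue  # sources are specific networks; not in scope for this check
            src = ",".join(world)
            if rule.get("IpProtocol") == "-1":
                findings.append((gid, "high", f"all traffic open to {src}"))
                continue
            exposed = [f"{name}/{port}" for port, name in SENSITIVE_PORTS.items()
                       if rule_covers_port(rule, port)]
            if exposed:
                findings.append((gid, "high", f"{' '.join(exposed)} open to {src}"))
            elif rule_covers_port(rule, 80) or rule_covers_port(rule, 443):
                findings.append((gid, "info",
                                 f"web ports open to {src}; acceptable only on a WAF-fronted "
                                 "load balancer or CloudFront origin"))
        # The default group is attached to anything launched without an explicit group.
        if sg.get("GroupName") == "default" and sg.get("IpPermissions"):
            findings.append((gid, "medium", "default security group has ingress rules; it should have none"))
    return findings


if __name__ == "__main__":
    for gid, sev, issue in audit_security_groups(GROUPS):
        print(f"[{sev}] {gid}: {issue}")
```

The bastion group is not reported because its source is a specific /24; a wide port range from 0.0.0.0/0 is reported once with every sensitive port it covers, which is how the `legacy-app` rule shows up.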
Network Monitoring & Protection
Enable VPC Flow Logs for all VPCs; send logs to CloudWatch Logs or S3
Use AWS Network Firewall or third-party firewall appliances for deep inspection
Configure Route 53 Resolver DNS Firewall to block malicious domains
Secure Connectivity
Use AWS PrivateLink or Transit Gateway for secure internal communication between VPCs
Use VPC endpoints (Gateway/Interface) for AWS service access without public internet
Protect API Gateway endpoints with WAF, resource policies, and authorization
Prefer VPN or Direct Connect for hybrid connectivity instead of the open internet; note that Direct Connect is a private circuit, not an encrypted one, so layer a VPN (or MACsec where the connection supports it) on top for data that needs encryption in transit
Compute Hardening
Instance Security
Use the latest Amazon Machine Images (AMIs) or hardened custom images
Disable password-based SSH logins; enforce key-based authentication
Require Instance Metadata Service v2 (IMDSv2, HttpTokens=required): an SSRF bug can issue a plain GET to IMDSv1 and read the instance role's credentials, whereas IMDSv2 first needs a PUT with a custom header that typical SSRF primitives cannot send
Deploy EC2 instances with IAM roles instead of storing access keys on the instance
Enhanced Protection
Enable Amazon Inspector for vulnerability scanning on EC2 and container workloads
Use AWS Nitro Enclaves to isolate sensitive workloads (key handling, PII processing) and bind KMS key policies to the enclave's attestation document
Enable GuardDuty Runtime Monitoring for runtime threat detection
Management & Maintenance
Use AWS Systems Manager Session Manager for admin access instead of opening SSH/RDP ports
Automate patching with AWS Systems Manager Patch Manager
Harden OS configurations based on CIS Benchmarks
Remove default accounts or rotate credentials baked into custom AMIs
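The IMDSv2 item above is the one compute control that can be verified and fixed fleet-wide from API output alone. The following is an added example, not part of the checklist: it walks a `describe-instances` response, reports instances that still accept IMDSv1 (rating them higher when an instance role is attached, since that is what an SSRF would steal), notes oversized hop limits, and builds the parameter sets you would pass to `modify_instance_metadata_options`. The instance IDs and instance-profile ARN are constructed.

```python
"""Find EC2 instances that still accept IMDSv1 and build the IMDSv2 remediation call."""

# Constructed sample in the shape of `aws ec2 describe-instances` output.
PROFILE = {"Arn": "arn:aws:iam::111122223333:instance-profile/web"}
DESCRIBE_INSTANCES = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaa111", "IamInstanceProfile": PROFILE,
     "MetadataOptions": {"HttpTokens": "optional", "HttpEndpoint": "enabled", "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0bbb222", "IamInstanceProfile": PROFILE,
     "MetadataOptions": {"HttpTokens": "required", "HttpEndpoint": "enabled", "HttpPutResponseHopLimit": 2}},
    {"InstanceId": "i-0ccc333",
     "MetadataOptions": {"HttpTokens": "optional", "HttpEndpoint": "enabled", "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0ddd444", "IamInstanceProfile": PROFILE,
     "MetadataOptions": {"HttpTokens": "optional", "HttpEndpoint": "disabled", "HttpPutResponseHopLimit": 1}},
]}]}


def iter_instances(describe_output):
    for reservation in describe_output.get("Reservations", []):
        yield from reservation.get("Instances", [])


def audit_imds(describe_output):
    """Return (instance_id, severity, issue). Credential theft via SSRF needs IMDSv1 plus a role."""
    findings = []
    for inst in iter_instances(describe_output):
        iid = inst["InstanceId"]
        opts = inst.get("MetadataOptions", {})
        has_role = "IamInstanceProfile" in inst
        if opts.get("HttpEndpoint") == "disabled":
            continue  # IMDS unreachable from the instance: nothing for an SSRF to read
        if opts.get("HttpTokens") != "required":
            # IMDSv1 answers a plain GET, so any SSRF can fetch
            # /latest/meta-data/iam/security-credentials/<role-name>.
            findings.append((iid, "high" if has_role else "medium",
                             "IMDSv1 allowed (HttpTokens=optional)"))
        hops = opts.get("HttpPutResponseHopLimit", 1)
        if hops > 1:
            findings.append((iid, "low",
                             f"HttpPutResponseHopLimit={hops}: IMDSv2 token responses reach "
                             "containers or other hops; use 1 unless pods need it"))
    return findings


def imdsv2_remediation(describe_output):
    """Parameter sets for ec2.modify_instance_metadata_options, one per IMDSv1 instance.

    The hop limit is deliberately left untouched: lowering it can break container workloads.
    """
    return [
        {"InstanceId": iid, "HttpTokens": "required", "HttpEndpoint": "enabled"}
        for iid, _sev, issue in audit_imds(describe_output)
        if issue.startswith("IMDSv1")
    ]


if __name__ == "__main__":
    for iid, sev, issue in audit_imds(DESCRIBE_INSTANCES):
        print(f"[{sev}] {iid}: {issue}")
    for params in imdsv2_remediation(DESCRIBE_INSTANCES):
        print("modify_instance_metadata_options(**%r)" % params)
```

With boto3 the remediation loop is `ec2.modify_instance_metadata_options(**params)` for each entry; setting the account-level default so new launches require IMDSv2 stops the finding from reappearing.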
Storage & Database Security
S3 Bucket Protection
Enforce server-side encryption on all S3 buckets (SSE-S3 is now applied to new objects by default; use SSE-KMS with a customer-managed key where you need key-level access control and CloudTrail auditing of key use)
Enable S3 Block Public Access at the account and bucket level
Review and remediate S3 buckets with public ACLs or policies
Use S3 bucket policies with explicit Deny statements for Principal "*" under a condition, for example aws:SecureTransport=false to reject plaintext HTTP, or a mismatched aws:PrincipalOrgID
Enable versioning and MFA Delete for critical buckets (MFA Delete can only be enabled with the root user's credentials)
Use S3 Object Lock where regulatory immutability is required
Database Security
Encrypt RDS and Aurora databases at rest with KMS keys
Require SSL/TLS connections for RDS and Aurora (rds.force_ssl for PostgreSQL, require_secure_transport for MySQL)
Use Secrets Manager or Parameter Store to manage database credentials
Enable automated backups and deletion protection for RDS instances
Restrict database security groups to trusted networks and applications only
Encrypt EBS volumes with KMS keys; enable EBS encryption by default in the EC2 account settings
Encryption & Monitoring
Encryption & Key Management
Use AWS KMS for key management; define key policies following least privilege
Enable automatic key rotation for customer-managed KMS keys (supported for symmetric encryption keys; asymmetric and HMAC keys must be rotated manually)
Limit KMS key usage with IAM policies and KMS key policies (kms:ViaService and kms:EncryptionContext conditions)
Log KMS key usage with CloudTrail
Rotate secrets in Secrets Manager regularly and on personnel/role changes
Require encryption in transit (TLS) for all client-server communications
Store secrets only in Secrets Manager or Parameter Store (SecureString)
Monitoring, Logging & Auditing
Enable CloudTrail in all regions; send logs to a centralized S3 bucket with SSE-KMS encryption
Enable CloudTrail log file integrity validation
Turn on CloudTrail Insights for detecting unusual API call patterns
Enable AWS Config and configure rules to monitor compliance
Enable GuardDuty for account and workload threat detection
Enable Security Hub for centralized security posture visibility
Create CloudWatch Alarms for suspicious activities (root account usage, unauthorized API calls, CloudTrail configuration changes, console logins without MFA)
Additional monitoring best practices:
Enable VPC Flow Logs; store centrally for analysis
Use AWS CloudWatch Logs and log groups to collect and retain logs
Integrate AWS logs with SIEM solutions
Periodically review CloudTrail, GuardDuty, and Config findings
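The CloudWatch alarm conditions listed under Monitoring (root usage, unauthorized API calls, CloudTrail changes, console logins without MFA) are just predicates over CloudTrail records, and it helps to see them expressed that way before turning them into metric filters. The following is an added example, not part of the checklist: it applies those predicates to a constructed CloudTrail log body whose field names follow the CloudTrail event schema, while the account ID, ARNs, IP addresses and event IDs are made up.

```python
"""Run the checklist's alarm conditions over a batch of CloudTrail records."""
import json

ACCOUNT = "111122223333"
ALICE = {"type": "IAMUser", "principalId": "AIDAEXAMPLE", "userName": "alice",
         "arn": f"arn:aws:iam::{ACCOUNT}:user/alice", "accountId": ACCOUNT}

# Constructed CloudTrail log file body (the format S3-delivered logs use).
RECORDS = json.dumps({"Records": [
    {"eventID": "e1", "eventTime": "2024-04-05T08:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "principalId": ACCOUNT,
                      "arn": f"arn:aws:iam::{ACCOUNT}:root", "accountId": ACCOUNT},
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventID": "e2", "eventTime": "2024-04-05T08:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.8",
     "userIdentity": ALICE, "errorCode": "Client.UnauthorizedOperation",
     "errorMessage": "You are not authorized to perform this operation."},
    {"eventID": "e3", "eventTime": "2024-04-05T08:07:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "AssumedRole", "principalId": "AROAEXAMPLE:session",
                      "arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/ops/session", "accountId": ACCOUNT},
     "requestParameters": {"name": "org-trail"}},
    {"eventID": "e4", "eventTime": "2024-04-05T08:10:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.8",
     "userIdentity": ALICE, "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventID": "e5", "eventTime": "2024-04-05T08:12:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.8",
     "userIdentity": ALICE},
]})

# Each rule mirrors a CloudWatch Logs metric filter you would alarm on.
RULES = {
    # Root activity, excluding AWS-internal calls made on the account's behalf.
    "root-activity": lambda e: e["userIdentity"].get("type") == "Root"
                               and e["userIdentity"].get("invokedBy") != "AWS Internal",
    # EC2 reports unauthorized calls as Client.UnauthorizedOperation, most services as AccessDenied.
    "unauthorized-api-call": lambda e: e.get("errorCode") in
                                      ("AccessDenied", "UnauthorizedOperation", "Client.UnauthorizedOperation"),
    "cloudtrail-tampering": lambda e: e["eventSource"] == "cloudtrail.amazonaws.com"
                                      and e["eventName"] in ("StopLogging", "DeleteTrail",
                                                             "UpdateTrail", "PutEventSelectors"),
    "console-login-without-mfa": lambda e: e["eventName"] == "ConsoleLogin"
                                           and e.get("responseElements", {}).get("ConsoleLogin") == "Success"
                                           and e.get("additionalEventData", {}).get("MFAUsed") == "No",
}


def detect(log_body):
    """Return (eventID, rule, principal arn) for every record that matches a rule."""
    hits = []
    for event in json.loads(log_body)["Records"]:
        for name, matches in RULES.items():
            if matches(event):
                who = event["userIdentity"].get("arn", event["userIdentity"].get("type"))
                hits.append((event["eventID"], name, who))
    return hits


def summarize(hits):
    """Count hits per rule; this is the number a metric filter would emit."""
    counts = {}
    for _eid, rule, _who in hits:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for eid, rule, who in detect(RECORDS):
        print(f"{eid} {rule:28} {who}")
    print(summarize(detect(RECORDS)))
```

Note that the root console login in the sample fires `root-activity` even though MFA was used: any root use is worth a page, and the MFA state is a separate signal carried by the last rule.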
Web & Application Security
DDoS Protection
Use AWS Shield Advanced for enhanced DDoS protection on critical resources
Web Application Firewall
Use AWS WAF with CloudFront, ALB, or API Gateway endpoints
Use AWS Firewall Manager to enforce WAF and Shield policies at scale
Enable AWS WAF Bot Control and the CAPTCHA/Challenge rule actions where automated traffic is a concern
Secure Communication
Require HTTPS with valid TLS certificates; use AWS Certificate Manager for easy management
Set HTTP security headers (HSTS, X-Frame-Options, etc.) with CloudFront response headers policies or at the ALB/application layer
API Security
Protect APIs with Cognito, IAM authorization, or Lambda authorizers
Enable CloudFront origin access control (OAC) so the S3 origin accepts requests only from CloudFront
Automation, Compliance & Governance
Use AWS CloudFormation, Terraform, or CDK for infrastructure as code
Enable AWS Config conformance packs aligned to CIS, PCI-DSS, or internal standards
Use AWS Organizations with Service Control Policies (SCPs) to control resources
Enforce tag policies through AWS Organizations; use Resource Groups Tag Editor for bulk tagging of existing resources
Periodically run Trusted Advisor checks for security best practices
Enable AWS License Manager to control software license usage
Document architecture diagrams, data flows, and trust boundaries
Test incident response plans at least annually
General Security Hygiene & Common Pitfalls
General Security Hygiene
Delete unused IAM users, roles, keys, instances, or resources
Regularly prune inactive resources to reduce attack surface
Require VPN or private connectivity for management interfaces (e.g., bastion hosts)
Review AWS Trusted Advisor regularly for cost and security optimization
Subscribe to AWS Security Bulletins and alerts
Educate teams on AWS security best practices
Maintain an updated asset inventory with AWS Config + Resource Explorer
Common Misconfigurations to Avoid
Avoid overly permissive IAM policies (e.g., "Action": "*" on "Resource": "*", or a service-wide "s3:*" on all resources)
Avoid S3 buckets with unintended public access
Avoid open security group ingress rules: never 0.0.0.0/0 on 22/3389; expose 80/443 to the world only on a WAF-fronted load balancer or CloudFront, not on instances
Don't disable CloudTrail or fail to deploy it in all regions
Avoid leaving default VPC security groups with unrestricted rules
Avoid using static credentials in applications
Avoid broad SCP exclusions at the AWS Organizations level
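The policy pitfalls above (wildcard IAM grants) and the S3 bucket-policy items in the Storage section (public Principal "*" grants, explicit Deny for plaintext access) come down to a few structural checks on policy JSON. The following is an added example serving both passages, not part of the checklist: a small linter that normalizes the single-value/list forms IAM allows and flags the patterns named on this page. The bucket name, organization ID and policy documents are constructed.

```python
"""Lint IAM and S3 bucket policies for the wildcard and public-access patterns above."""
import json


def as_list(value):
    """IAM accepts a string or a list for Action, Resource and Principal.AWS."""
    return value if isinstance(value, list) else [value]


def principal_is_anyone(principal):
    """Principal "*" and {"AWS": "*"} both mean any principal, including anonymous."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in as_list(principal.get("AWS", []))
    return False


def is_tls_deny(statement):
    """Deny for everyone when aws:SecureTransport is false, i.e. the request used plain HTTP."""
    cond = statement.get("Condition", {})
    flag = cond.get("Bool", {}).get("aws:SecureTransport")
    return (statement.get("Effect") == "Deny"
            and principal_is_anyone(statement.get("Principal"))
            and str(flag).lower() == "false")


def lint_policy(policy, kind="iam"):
    """Return (sid, issue) findings. kind is "iam" (identity policy) or "s3" (bucket policy)."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    findings = []
    tls_deny = False
    for i, st in enumerate(as_list(doc["Statement"])):
        sid = st.get("Sid", f"Statement[{i}]")
        actions = as_list(st.get("Action", []))
        resources = as_list(st.get("Resource", []))
        if st.get("Effect") != "Allow":
            tls_deny = tls_deny or is_tls_deny(st)
            continue
        if "NotAction" in st:
            findings.append((sid, "Allow with NotAction permits every action except those listed"))
        if "*" in resources:
            if any(a in ("*", "*:*") for a in actions):
                findings.append((sid, 'Allow "*" on Resource "*": full account access'))
            elif any(a.endswith(":*") for a in actions):
                wide = [a for a in actions if a.endswith(":*")]
                findings.append((sid, f'service-wide wildcard {wide} on Resource "*"'))
        # Resource policies only: an unconditional grant to everyone is a public resource.
        if principal_is_anyone(st.get("Principal")) and not st.get("Condition"):
            findings.append((sid, 'Allow to Principal "*" with no Condition: the resource is public'))
    if kind == "s3" and not tls_deny:
        findings.append(("<policy>", "no Deny on aws:SecureTransport=false: plaintext HTTP is accepted"))
    return findings


# Constructed samples.
IAM_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AdminEverything", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "S3Wide", "Effect": "Allow", "Action": ["s3:*", "s3:ListAllMyBuckets"], "Resource": "*"},
    {"Sid": "NotActionTrap", "Effect": "Allow", "NotAction": "iam:*", "Resource": "*"},
    {"Sid": "Scoped", "Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::example-bucket/*"},
]}

ORG_READ = {"Sid": "OrgRead", "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
            "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}}

BUCKET_POLICY_WEAK = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"},
    ORG_READ,
]}

BUCKET_POLICY_HARDENED = {"Version": "2012-10-17", "Statement": [
    ORG_READ,
    {"Sid": "DenyPlaintext", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
]}

if __name__ == "__main__":
    for name, pol, kind in (("iam", IAM_POLICY, "iam"), ("weak bucket", BUCKET_POLICY_WEAK, "s3"),
                            ("hardened bucket", BUCKET_POLICY_HARDENED, "s3")):
        print(name, lint_policy(pol, kind) or "clean")
```

`OrgRead` is not flagged in either bucket policy: a Principal "*" grant is acceptable when a condition such as aws:PrincipalOrgID narrows it, which is exactly the distinction S3 Block Public Access draws as well.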
Pro Tips
Governance
Use AWS Control Tower for multi-account governance with landing zones
Set budgets and billing alerts to detect unexpected charges
Monitoring
Regularly review Security Hub scores and automate findings remediation
Automation
Automate drift detection on CloudFormation stacks
Compliance
Leverage the AWS Well-Architected Tool to review security pillar compliance quarterly