AWS security best practices for protecting your cloud infrastructure

Core AWS security practices to protect cloud workloads from misconfigurations, unauthorized access, and data breaches.

safeINIT

AWS security best practices protect cloud workloads from cyber threats, misconfigurations, and unauthorized access. Without strong controls in place, an environment is exposed to data breaches, compliance gaps, and direct financial loss.

What you'll learn

This guide covers the AWS security practices that matter most for authentication, auditing, and network access, so you can reduce risk and tighten your cloud security posture.

Why AWS security matters

AWS runs on a Shared Responsibility Model. AWS secures the underlying cloud infrastructure, and you secure your workloads, data, and configurations on top of it.

source: aws.amazon.com/compliance/shared-responsibility-model

When AWS security practices are missing or half-applied, a few things tend to go wrong:

  • Misconfigured S3 buckets, weak IAM policies, and unencrypted data expose sensitive information.
  • Attackers can take over AWS accounts that lack multi-factor authentication (MFA) and strict IAM roles.
  • Regulated industries such as healthcare, finance, and government have to meet specific requirements (HIPAA, SOC 2, GDPR), and weak controls put that at risk.
  • A compromised account can lead to crypto-jacking, runaway resource consumption, and downtime that costs real money.

Even large, well-resourced organizations have leaked data because an AWS service was left misconfigured.

Key definition

The AWS Shared Responsibility Model sets the dividing line: AWS secures the cloud, you secure what you put in it (your data, apps, and settings).

The practices that matter most

Securing an AWS environment comes down to three areas: authentication, auditing, and network access.

Not every control is equally urgent. Some are critical and should go in immediately. Others improve your position over the longer term. The practices below are ordered by how much they move the needle.

Logging in to the AWS console

How people authenticate to the console is where account security starts. Weak credentials, missing MFA, and over-broad permissions all open the door to unauthorized access.

  • Critical: secure the AWS root account

    The root account has full access to every service and should never be used for daily work.

    • Delete root access keys so they cannot leak.
    • Keep the root password out of shared documents.
    • Require MFA for any root account access.
  • High priority: secure IAM users

    Mismanaged IAM permissions are one of the most common security risks in AWS. To reduce the exposure:

    • Set a strong password policy with complexity requirements.
    • Follow the principle of least privilege and grant only the permissions a user actually needs.
    • Enable MFA for all IAM users, especially administrators and service accounts.
  • Recommended: use AWS IAM Identity Center (formerly AWS SSO)

    For centralized authentication:

    • Create users in IAM Identity Center rather than as standalone IAM users.
    • Assign roles and policies by job function.
    • Enforce MFA through IAM Identity Center.
  • Nice to have: federate IAM Identity Center with an identity provider (IdP)

    Managing IAM users by hand gets error-prone as a team grows. Instead:

    • Connect AWS to an external IdP such as Okta, Google Workspace, or Active Directory.
    • Hand password management and MFA enforcement to the IdP so you carry less administrative overhead.
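The root-account and IAM-user items above boil down to a handful of facts you can read straight out of an account: whether root still has access keys, which identities can sign in without MFA, and whether the policies attached to them are scoped or wildcarded. The script below is an added example, not code from the article or from safeINIT. It audits a credential report and two policy documents offline; the report rows, the account id `123456789012`, the user names and the bucket `example-app-uploads` are all constructed for the example, while the column names follow the layout that `aws iam get-credential-report` returns.

```python
"""Offline audit of two IAM artifacts the section above talks about.

Inputs are constructed for this example (they are not from the article): a
credential report in the CSV layout that `aws iam get-credential-report`
returns, and two identity policy documents.
"""
import csv
import io
from typing import List

# Constructed credential report. AWS names the root user `<root_account>` in
# this report and marks fields that do not apply to it `not_supported`.
CREDENTIAL_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,2024-03-01T09:12:00+00:00,not_supported,not_supported,false,true,false
alice,arn:aws:iam::123456789012:user/alice,2021-05-10T00:00:00+00:00,true,2024-03-02T08:00:00+00:00,2024-01-01T00:00:00+00:00,N/A,true,true,false
bob,arn:aws:iam::123456789012:user/bob,2022-07-19T00:00:00+00:00,true,2024-02-28T17:45:00+00:00,2023-12-01T00:00:00+00:00,N/A,false,false,false
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,2023-02-02T00:00:00+00:00,false,N/A,N/A,N/A,false,true,true
"""

# Constructed policies: the first grants every S3 action on every resource,
# the second is scoped to one prefix of one bucket.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::example-app-uploads/incoming/*",
        },
        {
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::example-app-uploads",
            "Condition": {"StringLike": {"s3:prefix": ["incoming/*"]}},
        },
    ],
}


def audit_credential_report(report_csv: str) -> List[str]:
    """Flag root access keys, root without MFA, and console users without MFA."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        has_keys = "true" in (row["access_key_1_active"], row["access_key_2_active"])
        if user == "<root_account>":
            if has_keys:
                findings.append("root: active access keys present; delete them")
            if row["mfa_active"] != "true":
                findings.append("root: MFA not enabled")
            continue
        # Only identities that can sign in to the console need password + MFA;
        # key-only identities (deploy-bot here) are a separate rotation concern.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append(f"{user}: console password without MFA")
    return findings


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def overbroad_statements(policy: dict) -> List[str]:
    """Flag Allow statements with wildcard actions or an unscoped Resource."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        wild = [a for a in actions if a == "*" or a.endswith(":*")]
        if wild:
            findings.append(f"statement {idx}: wildcard action(s) {wild}")
        if "*" in resources:
            findings.append(f"statement {idx}: Resource '*' is not scoped to specific ARNs")
    return findings


if __name__ == "__main__":
    for finding in audit_credential_report(CREDENTIAL_REPORT):
        print("credential report:", finding)
    for name, policy in (("over-broad", OVERBROAD_POLICY), ("least-privilege", LEAST_PRIVILEGE_POLICY)):
        print(name, "policy:", overbroad_statements(policy) or "no findings")
```

Run against a real report, the same three checks are what an auditor looks for first; the policy check is deliberately coarse (it does not evaluate `NotAction` or condition keys) and is meant to surface candidates for review rather than replace IAM Access Analyzer.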

Auditing actions in AWS

Auditing gives you visibility into what is happening in your environment, which is how you catch misconfigurations, unauthorized access, and threats before they spread. Logging and monitoring also underpin compliance and incident response.

  • Critical: enable AWS CloudTrail for full visibility

    Without CloudTrail you have no record of user actions, which makes breaches hard to detect. To get full coverage:

    • Enable CloudTrail across all AWS regions so API activity is logged everywhere.
    • Store CloudTrail logs in encrypted Amazon S3 buckets with restricted IAM access.
    • Feed CloudTrail logs into AWS Security Hub and Amazon GuardDuty for real-time threat detection.
  • High priority: protect log files from tampering

    If logs can be altered, they are worthless for investigations and compliance. To keep them trustworthy:

    • Encrypt logs stored in S3 using AWS KMS.
    • Apply strict IAM policies so only a small set of identities can modify or delete logs.
  • Recommended: connect AWS CloudWatch for real-time monitoring

    Real-time monitoring shortens the gap between a security event and your response. A good starting point:

    • Set up CloudWatch alarms for events like repeated failed logins.
    • Route notifications through Amazon SNS so the right people hear about critical activity fast.
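Two of the items above can be checked offline once you have the data exported: the trail settings (multi-region, KMS-encrypted) and the "repeated failed logins" condition the CloudWatch alarm is meant to catch. The script below is an added example, not code from the article or from safeINIT. The trail description follows the layout of `aws cloudtrail describe-trails`, the login records are trimmed CloudTrail `ConsoleLogin` events, and the threshold of five failures in ten minutes is a choice made for this example, not an AWS default. It also checks log file validation, a CloudTrail feature the article does not mention but which serves the same "protect logs from tampering" goal. All names, addresses and timestamps are constructed.

```python
"""Offline checks for two auditing practices above: trail coverage/protection
and a detection for repeated failed console logins.

Inputs are constructed for this example (not from the article): a trail
description in the layout `aws cloudtrail describe-trails` returns, and a few
ConsoleLogin records trimmed to the CloudTrail fields the check reads. The
threshold (5 failures within 10 minutes) is a choice for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed trail: single-region, validation on, no KMS key.
TRAIL = {
    "Name": "org-trail",
    "S3BucketName": "example-cloudtrail-logs",
    "IsMultiRegionTrail": False,
    "IncludeGlobalServiceEvents": True,
    "LogFileValidationEnabled": True,
    "KmsKeyId": None,
}


def trail_gaps(trail: dict) -> List[str]:
    """Report the settings that leave API activity unlogged or logs unprotected."""
    gaps = []
    if not trail.get("IsMultiRegionTrail"):
        gaps.append("IsMultiRegionTrail is off; activity in other regions is not recorded")
    if not trail.get("LogFileValidationEnabled"):
        gaps.append("LogFileValidationEnabled is off; edited log files would not be detected")
    if not trail.get("KmsKeyId"):
        gaps.append("KmsKeyId is unset; log files are not encrypted with SSE-KMS")
    return gaps


def _login(time: str, user: str, ip: str, ok: bool) -> dict:
    """Build a constructed ConsoleLogin record (documentation-range addresses)."""
    ev = {"eventTime": time, "eventName": "ConsoleLogin",
          "userIdentity": {"type": "IAMUser", "userName": user},
          "sourceIPAddress": ip,
          "responseElements": {"ConsoleLogin": "Success" if ok else "Failure"}}
    if not ok:
        ev["errorMessage"] = "Failed authentication"
    return ev


# bob: five failures inside six minutes. alice: one failure then a success.
# carol: five failures spread fifteen minutes apart, so never five in a window.
EVENTS = [
    _login("2024-03-02T07:00:00Z", "carol", "192.0.2.44", False),
    _login("2024-03-02T07:15:00Z", "carol", "192.0.2.44", False),
    _login("2024-03-02T07:30:00Z", "carol", "192.0.2.44", False),
    _login("2024-03-02T07:45:00Z", "carol", "192.0.2.44", False),
    _login("2024-03-02T08:00:00Z", "carol", "192.0.2.44", False),
    _login("2024-03-02T08:00:05Z", "bob", "203.0.113.10", False),
    _login("2024-03-02T08:01:10Z", "bob", "203.0.113.10", False),
    _login("2024-03-02T08:02:00Z", "alice", "198.51.100.7", False),
    _login("2024-03-02T08:02:30Z", "bob", "203.0.113.10", False),
    _login("2024-03-02T08:02:40Z", "alice", "198.51.100.7", True),
    _login("2024-03-02T08:03:45Z", "bob", "203.0.113.10", False),
    _login("2024-03-02T08:05:00Z", "bob", "203.0.113.10", False),
]


def repeated_failed_logins(events: List[dict], threshold: int = 5,
                           window: timedelta = timedelta(minutes=10)) -> Dict[str, int]:
    """Return {userName: failures} for users with at least `threshold` failed
    console logins inside any span of length `window`. Same condition as the
    CloudWatch alarm the text suggests, run as a batch check over exported events."""
    failures: Dict[str, List[datetime]] = defaultdict(list)
    for ev in events:
        if ev.get("eventName") != "ConsoleLogin":
            continue
        if ev.get("responseElements", {}).get("ConsoleLogin") != "Failure":
            continue
        user = ev.get("userIdentity", {}).get("userName", "<unknown>")
        failures[user].append(datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ"))

    offenders: Dict[str, int] = {}
    for user, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge forward
                start += 1
            if end - start + 1 >= threshold:
                offenders[user] = end - start + 1
                break
    return offenders


if __name__ == "__main__":
    print("trail gaps:", trail_gaps(TRAIL))
    print("repeated failed logins:", repeated_failed_logins(EVENTS))
```

In production the same condition is expressed as a CloudWatch metric filter on the CloudTrail log group and an alarm that publishes to an SNS topic; the batch version here is useful for checking the alarm's logic against exported events before you trust it.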

Network security

Unrestricted network access is one of the bigger risks in an AWS environment. Segmentation, tight access control, and secure connectivity shrink the attack surface and make breaches less likely.

  • Critical: apply least privilege to network access

    Network access deserves the same least-privilege treatment as IAM. To do that:

    • Allow only the minimum traffic each resource needs.
    • Name exact IP addresses or CIDR blocks in your access rules rather than opening things up broadly.
  • Nice to have: restrict access with security groups and NACLs

    Misconfigured network settings cause a large share of security incidents. To narrow the gap:

    • Rather than opening all ports, allow only the ones you need (for example, port 22 for SSH).
    • Use network ACLs to set explicit allow and deny rules for inbound and outbound traffic.
  • Recommended: re-architect the network for security

    A well-structured network limits lateral movement when something does get in. The fundamentals:

    • Split workloads across separate private and public subnets.
    • Keep databases and internal services in private subnets so they are not directly reachable from the internet.
    • Use AWS Systems Manager Session Manager for access to private resources instead of opening SSH or RDP ports.
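The three network items above reduce to rules you can evaluate against a security group's inbound permissions: no all-traffic rules, no admin ports reachable from outside an approved range, and nothing open to the world except the ports the workload is meant to serve. The script below is an added example, not code from the article or from safeINIT. It audits a loose security group beside a tightened one; both groups, the group ids, the office range `198.51.100.0/24` and the list of publicly served ports are constructed for the example, while the rule layout follows the `IpPermissions` structure that `aws ec2 describe-security-groups` returns.

```python
"""Offline audit of security groups against the network practices above:
least-privilege sources, no admin ports open beyond an approved range, no
all-traffic rules.

The groups and CIDRs are constructed for this example (not from the article).
Rule layout follows the IpPermissions structure that
`aws ec2 describe-security-groups` returns.
"""
import ipaddress
from typing import List

# Constructed "before" group: HTTPS open to the world is intended, but SSH is
# open to the world too, and an all-traffic rule trusts the whole private range.
LOOSE_GROUP = {
    "GroupId": "sg-0loose",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "UserIdGroupPairs": [{"GroupId": "sg-0app"}]},
    ],
}

# Constructed "after" group: SSH removed in favour of Session Manager, the
# all-traffic rule replaced by the one port the app subnet actually needs.
TIGHT_GROUP = {
    "GroupId": "sg-0tight",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "IpRanges": [{"CidrIp": "10.0.1.0/24"}]},
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "UserIdGroupPairs": [{"GroupId": "sg-0app"}]},
    ],
}

ADMIN_CIDRS = [ipaddress.ip_network("198.51.100.0/24")]  # constructed office range
PUBLIC_OK_PORTS = {80, 443}          # ports this workload is meant to serve publicly
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}


def _rule_cidrs(rule: dict) -> List[str]:
    """Collect IPv4 and IPv6 source ranges; security-group references are skipped."""
    v4 = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    v6 = [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return v4 + v6


def _from_admin_range(net, admin_cidrs) -> bool:
    return any(net.version == a.version and net.subnet_of(a) for a in admin_cidrs)


def audit_security_group(sg: dict, admin_cidrs=ADMIN_CIDRS,
                         public_ok_ports=PUBLIC_OK_PORTS) -> List[str]:
    """Return one finding per rule/source that violates the practices above."""
    findings = []
    gid = sg.get("GroupId", "?")
    for rule in sg.get("IpPermissions", []):
        for cidr in _rule_cidrs(rule):
            net = ipaddress.ip_network(cidr)
            if rule.get("IpProtocol") == "-1":  # all protocols, all ports
                findings.append(f"{gid}: all protocols and ports allowed from {cidr}")
                continue
            ports = range(rule["FromPort"], rule["ToPort"] + 1)
            admin_hit = [p for p in ADMIN_PORTS if p in ports]
            if admin_hit and not _from_admin_range(net, admin_cidrs):
                names = ", ".join(ADMIN_PORTS[p] for p in admin_hit)
                findings.append(f"{gid}: {names} reachable from {cidr}; "
                                "restrict to admin CIDRs or use Session Manager")
            elif net.prefixlen == 0 and not all(p in public_ok_ports for p in ports):
                findings.append(f"{gid}: port(s) {ports.start}-{ports.stop - 1} "
                                f"open to the world from {cidr}")
    return findings


if __name__ == "__main__":
    for group in (LOOSE_GROUP, TIGHT_GROUP):
        print(group["GroupId"], audit_security_group(group) or "no findings")
```

Rules whose source is another security group (the 5432 rule) produce no finding because they already express least privilege by reference; the same checks apply to network ACL entries if you map their `CidrBlock` and port range fields onto the same structure.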

What this looks like in practice

Applying these practices pays off beyond passing an audit. It protects data, keeps costs in check, and makes systems more reliable.

Take Asociația TechSoup, a non-profit. After a Well-Architected Framework Review and remediation, they cut AWS costs by 50% and tightened security at the same time.

The security work covered three fronts:

  • Identity and access: they enforced MFA, applied least privilege, and moved to AWS IAM Identity Center for better account control.
  • Network and threat protection: they added AWS Web Application Firewall (WAF), private subnets, and stricter security group rules to cut exposure.
  • Logging and encryption: they turned on AWS CloudTrail and GuardDuty for monitoring, and used AWS KMS encryption to protect sensitive data.

The full success story walks through how they closed the gaps while bringing costs down.

Conclusion

AWS gives you a secure foundation, but misconfigurations, weak access controls, and missing monitoring are where most of the risk sits, and those are yours to manage. Securing your identities, data, and network configurations is what keeps unauthorized access and compliance gaps from becoming incidents.

Take a security-first approach and your AWS workloads stay protected, hold up against requirements like HIPAA and GDPR, and stay resilient as threats change.

Frequently asked questions

Why do logging and auditing matter in AWS security?

They are how you spot unauthorized access, misconfigurations, and threats. Enabling AWS CloudTrail records all API activity, and storing those logs in encrypted, access-restricted Amazon S3 buckets protects them from tampering. Feeding CloudTrail into AWS Security Hub and GuardDuty gives you real-time threat detection on top of that record.

How do I keep unauthorized people out of my AWS account?

Use IAM roles instead of standalone IAM users, restrict what each identity can do with IAM policies, and review permissions regularly with IAM Access Analyzer. AWS CloudTrail then lets you watch login attempts, and AWS Security Hub flags potential threats.

How do I stop my S3 buckets from being publicly accessible?

Enable S3 Block Public Access, restrict access with IAM policies, encrypt objects with AWS KMS, and turn on S3 Access Logs to track activity. Audit S3 permissions on a regular basis using AWS Config and AWS Trusted Advisor so no unintended public access slips through.
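The four controls in that answer each correspond to a bucket setting you can read back and verify. The script below is an added example, not code from the article or from safeINIT. It audits two constructed buckets, one leaky and one hardened, for Block Public Access, anonymous `Allow` statements in the bucket policy, SSE-KMS default encryption and server access logging. The bucket names, the account id, the role name and the KMS key ARN (an obvious placeholder) are constructed; the field names follow the shapes returned by `aws s3api get-public-access-block`, `get-bucket-policy`, `get-bucket-encryption` and `get-bucket-logging`.

```python
"""Offline audit of S3 bucket settings against the FAQ answer above: Block
Public Access on, no anonymous Allow in the bucket policy, SSE-KMS as the
default encryption, server access logging enabled.

Buckets and settings are constructed for this example (not from the article);
the KMS key ARN is a placeholder.
"""
from typing import Any, Dict, List

PAB_SETTINGS = ("BlockPublicAcls", "IgnorePublicAcls",
                "BlockPublicPolicy", "RestrictPublicBuckets")

BUCKETS: Dict[str, Dict[str, Any]] = {
    # Constructed leaky bucket: half of Block Public Access off, anonymous
    # GetObject allowed, SSE-S3 rather than KMS, no access logging.
    "example-public-assets": {
        "PublicAccessBlockConfiguration": {
            "BlockPublicAcls": True, "IgnorePublicAcls": True,
            "BlockPublicPolicy": False, "RestrictPublicBuckets": False,
        },
        "Policy": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
             "Resource": "arn:aws:s3:::example-public-assets/*"},
        ]},
        "Encryption": {"Rules": [
            {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]},
        "Logging": None,
    },
    # Constructed hardened bucket: everything blocked, TLS enforced by a Deny,
    # access granted to one role only, SSE-KMS default, logging on.
    "example-customer-records": {
        "PublicAccessBlockConfiguration": {k: True for k in PAB_SETTINGS},
        "Policy": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
             "Resource": ["arn:aws:s3:::example-customer-records",
                          "arn:aws:s3:::example-customer-records/*"],
             "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
            {"Effect": "Allow",
             "Principal": {"AWS": "arn:aws:iam::123456789012:role/records-app"},
             "Action": ["s3:GetObject", "s3:PutObject"],
             "Resource": "arn:aws:s3:::example-customer-records/*"},
        ]},
        "Encryption": {"Rules": [{"ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms",
            "KMSMasterKeyID": "arn:aws:kms:us-east-1:123456789012:key/PLACEHOLDER-KEY-ID"}}]},
        "Logging": {"TargetBucket": "example-access-logs", "TargetPrefix": "customer-records/"},
    },
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_anonymous(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"}, the two anonymous spellings."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def audit_bucket(name: str, cfg: Dict[str, Any]) -> List[str]:
    findings = []
    pab = cfg.get("PublicAccessBlockConfiguration") or {}
    off = [k for k in PAB_SETTINGS if not pab.get(k)]
    if off:
        findings.append(f"{name}: Block Public Access settings off: {off}")
    # Unconditional anonymous Allows are flagged; conditional ones (e.g. an
    # aws:SourceIp restriction) are left for manual review by this check.
    statements = _as_list((cfg.get("Policy") or {}).get("Statement", []))
    for idx, stmt in enumerate(statements):
        if (stmt.get("Effect") == "Allow" and "Condition" not in stmt
                and _principal_is_anonymous(stmt.get("Principal"))):
            findings.append(f"{name}: policy statement {idx} allows anonymous "
                            f"{_as_list(stmt.get('Action'))}")
    rules = (cfg.get("Encryption") or {}).get("Rules", [])
    algorithms = {r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
                  for r in rules}
    if "aws:kms" not in algorithms:
        present = sorted(a for a in algorithms if a) or "unset"
        findings.append(f"{name}: default encryption is {present}, not SSE-KMS")
    if not cfg.get("Logging"):
        findings.append(f"{name}: server access logging not enabled")
    return findings


def audit_all(buckets: Dict[str, Dict[str, Any]] = BUCKETS) -> Dict[str, List[str]]:
    return {name: audit_bucket(name, cfg) for name, cfg in buckets.items()}


if __name__ == "__main__":
    for bucket, findings in audit_all().items():
        print(bucket, findings or "no findings")
```

AWS Config's managed rules and Trusted Advisor cover the same ground continuously; a one-off script like this is useful for confirming what those services report, and for reviewing an export from an account where they are not yet enabled.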

What's the best way to detect and respond to threats in AWS?

AWS gives you several detection services: GuardDuty for anomaly detection, Security Hub for centralized monitoring, CloudTrail for API logging, and AWS Config for tracking misconfigurations. To act fast on what they find, set up real-time alerts and automated responses with AWS Lambda and Amazon SNS.

Why are IAM roles better than IAM users?

IAM roles hand out temporary credentials, so there are no long-lived keys sitting around to leak. They also fit the principle of least privilege, granting access only when it's needed. That makes them easier to manage and lowers the chance that a compromised credential turns into unauthorized access to your resources.