
AWS Cloud Security
Elevate your cloud security with simple procedures
Saketh Gaddam
Amazon Employee
Published Mar 27, 2025
Security is our top priority at AWS. Customers often ask us where they should start and what the easiest, most effective ways to secure their AWS workloads are. To address this, we have collected the following 6 steps that are easy to implement, and our security experts have created an AWS Well-Architected Lab to help you get started.
Protect Privileged Credentials (AWS Lab)
The very first line of defence is to protect the credentials you use to access your AWS environment, specifically the root user, with Multi-Factor Authentication (MFA). We strongly recommend that you do not use the root user for your everyday tasks, even administrative ones, and that the root user holds no access keys.
Use Temporary Credentials (AWS Lab)
You should avoid using long-term IAM access keys to access your AWS resources. Using IAM roles with the minimum necessary permissions, and assigning those roles to your AWS resources and to the people who need access, is an easier and more scalable way to let authorised people use your AWS resources securely: the role issues temporary credentials that expire instead of a key that lives forever.
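To make the first two steps measurable, the following added example (it is not code from the original post or from the AWS lab) audits an IAM credential report for exactly those two findings: console users, including root, without MFA, and long-term access keys that are stale or unused. The report lines are constructed for the example; the column layout matches the CSV that `aws iam get-credential-report` returns, and the account ID, user names and dates are made up.

```python
"""Audit an IAM credential report for missing MFA and stale long-term access keys.

Sample report lines are constructed for this example. A real report comes from
`aws iam generate-credential-report` followed by `aws iam get-credential-report`
(the Content field is base64-encoded CSV in the same column layout as below).
"""
import csv
import io
from datetime import datetime, timedelta

ROOT = "<root_account>"  # the user name IAM uses for the root row

# Constructed sample: account ID 111122223333, user names and dates are made up.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2023-01-10T09:00:00+00:00,not_supported,2025-03-01T08:12:00+00:00,not_supported,not_supported,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2023-02-01T09:00:00+00:00,true,2025-03-20T10:00:00+00:00,2024-12-01T09:00:00+00:00,2025-03-01T09:00:00+00:00,true,true,2024-06-01T09:00:00+00:00,2025-03-19T11:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2023-03-01T09:00:00+00:00,true,no_information,2023-03-01T09:00:00+00:00,2023-06-01T09:00:00+00:00,false,true,2023-03-01T09:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2024-01-01T09:00:00+00:00,false,N/A,N/A,N/A,false,true,2024-01-01T09:00:00+00:00,2025-03-26T07:30:00+00:00,eu-west-1,ecr,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""


def _parse_ts(value):
    """ISO-8601 field -> aware datetime; None for N/A, no_information or not_supported."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def audit_credential_report(report_csv, now_iso, max_key_age_days=90):
    """Return a list of (user, finding) tuples, in report order."""
    now = datetime.fromisoformat(now_iso)
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        # Root always has a console password; other users only when password_enabled is true.
        has_console = user == ROOT or row["password_enabled"] == "true"
        if has_console and row["mfa_active"] != "true":
            findings.append((user, "console access without MFA"))
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            if user == ROOT:
                # Root should have no access keys at all, whatever their age.
                findings.append((user, f"active root access key {slot}"))
                continue
            rotated = _parse_ts(row[f"access_key_{slot}_last_rotated"])
            if rotated is not None and now - rotated > timedelta(days=max_key_age_days):
                findings.append((user, f"access key {slot} older than {max_key_age_days} days"))
            # A key that has never been used is pure exposure with no benefit.
            if _parse_ts(row[f"access_key_{slot}_last_used_date"]) is None:
                findings.append((user, f"access key {slot} active but never used"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT, "2025-03-27T00:00:00+00:00"):
        print(f"{user}: {finding}")
```

To run it against a real account, pipe the report in: `aws iam generate-credential-report`, then `aws iam get-credential-report --query Content --output text | base64 -d > report.csv`, and pass the file contents as `report_csv`. Users such as `ci-deploy` that hold a key only because a pipeline needs one are the candidates for replacing the key with a role (for example an OIDC-federated role for the CI system), which is the point of step two.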
Replace Hardcoded Credentials (AWS Lab)
Usernames and passwords, API keys and other secrets are essential to make sure your applications and workloads can access the right resources with the right access levels, but hard-coding those secrets in code and configuration files is risky and hard to manage. AWS Secrets Manager lets you store, rotate and retrieve secrets securely, and makes them simpler to manage.
Limit Network Access (AWS Lab)
Once you are sure your credentials and secrets are safe, limiting access to your network is the next logical step. Use AWS Trusted Advisor to identify VPC Security Groups with unrestricted access, AWS Systems Manager to configure those Security Groups, and Systems Manager Session Manager for remote access, which removes the need to open remote-access ports (such as SSH on 22 or RDP on 3389) in your Security Groups.
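The check Trusted Advisor performs for this step can also be run by hand. The following added example (not code from the original post or from the lab) walks a DescribeSecurityGroups response and reports every rule that exposes SSH or RDP to the whole internet, including the two cases that simple port matching misses: an "all traffic" rule, which carries no port fields, and a wide port range that happens to include 3389. The response is constructed for the example; group IDs and the account ID are made up.

```python
"""Flag security-group ingress rules that expose SSH or RDP to the whole internet.

The input has the shape of an EC2 DescribeSecurityGroups response; the sample
below is constructed for this example. In practice pass the dict returned by
boto3.client("ec2").describe_security_groups().
"""

REMOTE_ACCESS_PORTS = {22: "ssh", 3389: "rdp"}
ANYWHERE = {"0.0.0.0/0", "::/0"}

# Constructed sample: group IDs and the account ID are made up.
SAMPLE_RESPONSE = {
    "SecurityGroups": [
        {   # HTTPS from the world is expected; SSH from the world is not
            "GroupId": "sg-0a1b2c3d4e5f60001", "GroupName": "web",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
            ],
        },
        {   # "all traffic" from any IPv6 address: note there are no FromPort/ToPort fields
            "GroupId": "sg-0a1b2c3d4e5f60002", "GroupName": "bastion-legacy",
            "IpPermissions": [
                {"IpProtocol": "-1",
                 "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []},
            ],
        },
        {   # SSH only from the corporate range, app port only from the web group: fine
            "GroupId": "sg-0a1b2c3d4e5f60003", "GroupName": "app",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                 "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
                {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
                 "IpRanges": [], "Ipv6Ranges": [],
                 "UserIdGroupPairs": [{"GroupId": "sg-0a1b2c3d4e5f60001", "UserId": "111122223333"}]},
            ],
        },
        {   # a wide port range that happens to include RDP
            "GroupId": "sg-0a1b2c3d4e5f60004", "GroupName": "dev-wide-range",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 1024, "ToPort": 65535,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
            ],
        },
    ]
}


def _world_sources(perm):
    """CIDRs in this permission that mean 'anywhere', IPv4 and IPv6."""
    sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [s for s in sources if s in ANYWHERE]


def _exposed_ports(perm):
    """Remote-access ports covered by this permission's protocol and port range."""
    proto = perm.get("IpProtocol")
    if proto == "-1":                      # all protocols and all ports
        return sorted(REMOTE_ACCESS_PORTS)
    if proto not in ("tcp", "6"):          # SSH and RDP are TCP; "6" is its protocol number
        return []
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    return [p for p in sorted(REMOTE_ACCESS_PORTS) if lo <= p <= hi]


def find_world_open_remote_access(response):
    """Return (GroupId, port, service, source) for every world-open remote-access rule."""
    findings = []
    for sg in response["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            for src in _world_sources(perm):
                for port in _exposed_ports(perm):
                    findings.append((sg["GroupId"], port, REMOTE_ACCESS_PORTS[port], src))
    return findings


if __name__ == "__main__":
    for group_id, port, service, src in find_world_open_remote_access(SAMPLE_RESPONSE):
        print(f"{group_id}: {service} ({port}/tcp) open to {src}")
```

Once Session Manager is in place (`aws ssm start-session --target <instance-id>` replaces the SSH or RDP hop), each offending rule can be removed with `aws ec2 revoke-security-group-ingress`. For an "all traffic" rule like the one on `bastion-legacy`, the whole rule has to go; there is no way to revoke only port 22 out of it.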
Apply patches (AWS Lab)
Patching your instances ensures that they have the latest security updates from the operating system vendor, but identifying and patching those resources can be time consuming. You can use Amazon Inspector to scan for vulnerabilities and AWS Systems Manager Patch Manager for automated patching.
Restrict Public Storage (AWS Lab)
And last but not least, you need to make sure your files are secure by blocking public access to your Amazon S3 buckets.
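"Blocking public access" is two things in S3: the four Block Public Access settings on the bucket (or account), and whatever the bucket policy itself grants to everyone. The following added example (not code from the original post or the lab) checks both from the shapes of the GetPublicAccessBlock and GetBucketPolicy responses and says whether the policy is effectively public given the settings. The responses, bucket name, account ID and VPC endpoint ID are constructed for the example.

```python
"""Check an S3 bucket for disabled Block Public Access settings and for bucket-policy
statements that grant access to everyone.

Inputs have the shape of the S3 GetPublicAccessBlock and GetBucketPolicy responses;
the samples below are constructed for this example.
"""
import json

PAB_SETTINGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

# Constructed GetPublicAccessBlock response: two of the four settings switched off.
SAMPLE_PAB = {
    "PublicAccessBlockConfiguration": {
        "BlockPublicAcls": True,
        "IgnorePublicAcls": True,
        "BlockPublicPolicy": False,
        "RestrictPublicBuckets": False,
    }
}

# Constructed bucket policy (the Policy string from GetBucketPolicy); the bucket
# name, account ID and VPC endpoint ID are made up.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "AppRole", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
         "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
    ],
})


def disabled_public_access_blocks(pab_response):
    """Names of the Block Public Access settings that are not enabled."""
    cfg = pab_response.get("PublicAccessBlockConfiguration", {})
    return [name for name in PAB_SETTINGS if not cfg.get(name, False)]


def _grants_to_everyone(principal):
    """True for Principal "*" or {"AWS": "*"} (also when "*" sits inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def classify_policy_statements(policy_json):
    """Split Allow statements addressed to everyone into unconditional ("public") and
    conditional ones. A Condition does not make a grant safe by itself (a broad
    aws:SourceIp is still public), so conditional statements are listed for review."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may appear without a list
        statements = [statements]
    result = {"public": [], "conditional": []}
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow" or not _grants_to_everyone(st.get("Principal")):
            continue
        kind = "conditional" if st.get("Condition") else "public"
        result[kind].append(st.get("Sid", f"statement[{i}]"))
    return result


def assess_bucket(pab_response, policy_json):
    """Combine both checks. RestrictPublicBuckets=true stops an existing public policy
    from granting anonymous access, so the policy only counts as effectively public
    when that setting is off. Account-level Block Public Access (s3control) applies
    on top of the bucket setting and is not consulted here."""
    disabled = disabled_public_access_blocks(pab_response)
    classes = classify_policy_statements(policy_json)
    return {
        "public_access_block_disabled": disabled,
        "public_statements": classes["public"],
        "conditional_statements": classes["conditional"],
        "policy_effectively_public": bool(classes["public"]) and "RestrictPublicBuckets" in disabled,
    }


if __name__ == "__main__":
    print(json.dumps(assess_bucket(SAMPLE_PAB, SAMPLE_POLICY), indent=2))
```

The fix for the sample bucket is to turn all four settings back on, `aws s3api put-public-access-block --bucket example-bucket --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true`, and to do the same at account level with `aws s3control put-public-access-block --account-id <id> ...` so that no new bucket can be opened by mistake. `aws s3api get-bucket-policy-status` returns S3's own `IsPublic` verdict and is a good cross-check for the policy part of this script.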
Where to from here?
The steps listed above are a good starting point, but there are many other resources, guides and workshops available to share best practices around how to securely run your workloads in the AWS Cloud. Below is a list of potential next steps and useful resources to help you and your team on your security journey.
- Amazon GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation. Amazon GuardDuty is available as a 30-day free trial which gives you full access to its features.
- AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS. To enhance the protection of your application perimeter against attacks, we recommend services such as AWS WAF (Web Application Firewall), AWS Shield Advanced (managed DDoS protection) and AWS Firewall Manager (manage firewall rules across AWS accounts).
- The AWS Well-Architected Framework helps customers build secure, high-performing, resilient and efficient infrastructure for their applications and workloads. It consists of six pillars: Operational Excellence, Security, Reliability, Performance Efficiency, Cost Optimisation and Sustainability, and has various lenses that extend the review to specific industry and technology domains. The Security Pillar offers guidance on best practices and recommendations for the design, delivery and maintenance of secure AWS workloads, and is a good place to start. If you feel that you or your team need to dive deeper into your security requirements, please reach out to your Account Manager or Solutions Architect to arrange a Well-Architected Review.
- For small to medium businesses, we have designed a lightweight engagement model called Security Onramp. It is run by our Solutions Architecture team and serves as an introductory security review to baseline your AWS accounts and ensure that security fundamentals are in place.
- Using multiple AWS accounts for your workload improves your security by isolating parts of the workload from each other, which limits the blast radius of a compromise. We strongly recommend setting up your account landing zone with AWS Control Tower, a managed service supported directly by AWS that includes many best practices and guardrails.
Useful resources
Finally, building your organisation's capability around security will help your business grow its security competency and improve its security posture over time, while staying up to date with the latest security technology and trends that help protect your AWS workloads. Below are some useful resources:
Any opinions in this post are those of the individual author and may not reflect the opinions of AWS.