Quick Wins for AWS Security
Most AWS security incidents stem from misconfigurations, not sophisticated attacks. Here are ten settings to audit in your environment today.
1. S3 Bucket Public Access
Check that S3 Block Public Access is enabled at the account level, with all four settings on. Then review each bucket's policy and ACLs individually; the account-level setting blocks grants to "everyone", but it does not catch a bucket policy that shares data with the wrong external account, and it does nothing for buckets in accounts you forgot about. One public bucket can expose everything stored in it.
2. Root Account MFA
The AWS root account should have MFA enabled (a hardware token, ideally) and should not be used for daily operations. Delete any root access keys; there is almost never a reason for them to exist. For day-to-day work create IAM users or, better, federated roles, so that every action is attributable to a person.
3. CloudTrail Enabled
CloudTrail should be enabled as a single multi-region trail (or an organization trail), logging to a centralized S3 bucket with log file validation turned on and access to the bucket tightly restricted, ideally in a separate logging account. Management events are logged by default; data events such as S3 object reads and Lambda invocations are opt-in, so enable them for the buckets and functions that matter. Without CloudTrail you have no record of who called which API, and no way to investigate an incident.
4. IAM Password Policy
Enforce a minimum length (12+ characters), require complexity, and prevent password reuse. MFA is not part of the password policy: enforce it with an IAM policy that denies actions unless the aws:MultiFactorAuthPresent condition is true, and confirm coverage with the IAM credential report. Every IAM user with console access should have MFA, without exception.
5. Security Groups
Review security groups for overly permissive inbound rules. Look for 0.0.0.0/0 (and its IPv6 twin ::/0) on SSH (port 22) and RDP (port 3389), and remember that a rule with protocol "all" or a wide port range such as 1024-65535 opens those ports too without naming them. Such rules should be restricted to specific source IPs or removed entirely in favour of SSM Session Manager or a bastion behind a VPN.
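Doing this by eye across a few hundred groups is how the one broad "all traffic" rule gets missed. The script below is an added example, not code from the original page: it walks the SecurityGroups list in the shape returned by ec2.describe_security_groups() and flags every rule that exposes SSH or RDP to 0.0.0.0/0 or ::/0, including the "-1" protocol and wide-port-range cases. The groups and IDs in SAMPLE_GROUPS are constructed so it runs offline; in a real account, replace them with the live API response (per region).

```python
"""Flag security-group inbound rules that open SSH (22) or RDP (3389) to the world.

Added example; the input shape matches the "SecurityGroups" list returned by
ec2.describe_security_groups(). SAMPLE_GROUPS is constructed sample data with
made-up group IDs so this runs offline. For a real account, replace it with
boto3.client("ec2").describe_security_groups()["SecurityGroups"] in each region.
"""
from ipaddress import ip_network

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
WORLD_V4 = ip_network("0.0.0.0/0")
WORLD_V6 = ip_network("::/0")


def rule_covers_port(rule, port):
    """True if an inbound rule's protocol and port range include TCP `port`.

    IpProtocol "-1" means all protocols and all ports; a wide TCP range such as
    1024-65535 also counts, which a naive FromPort == 22 check would miss.
    """
    proto = rule.get("IpProtocol")
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def world_open_sources(rule):
    """Return the CIDRs in a rule that mean 'anyone': 0.0.0.0/0 or ::/0."""
    cidrs = []
    for r in rule.get("IpRanges", []):
        if ip_network(r["CidrIp"], strict=False) == WORLD_V4:
            cidrs.append(r["CidrIp"])
    for r in rule.get("Ipv6Ranges", []):
        if ip_network(r["CidrIpv6"], strict=False) == WORLD_V6:
            cidrs.append(r["CidrIpv6"])
    return cidrs


def find_exposed_admin_ports(security_groups):
    """Return sorted (group_id, service, cidr) tuples for world-open admin ports."""
    findings = set()
    for sg in security_groups:
        for rule in sg.get("IpPermissions", []):
            sources = world_open_sources(rule)
            if not sources:
                continue
            for port, service in ADMIN_PORTS.items():
                if rule_covers_port(rule, port):
                    for cidr in sources:
                        findings.add((sg["GroupId"], service, cidr))
    return sorted(findings)


# Constructed sample: one clean group, one bastion open to the world on both
# address families, and one legacy group whose broad rules cover 22 and 3389
# without naming them.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0a1b2c3d", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
    ]},
    {"GroupId": "sg-0deadbeef", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
    {"GroupId": "sg-0c0ffee", "GroupName": "legacy-all", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 1024, "ToPort": 65535,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
]

if __name__ == "__main__":
    for group_id, service, cidr in find_exposed_admin_ports(SAMPLE_GROUPS):
        print(f"{group_id}: {service} open to {cidr}")
```

Only IpRanges and Ipv6Ranges are inspected; rules whose source is another security group or a managed prefix list are not world-open and are deliberately ignored. Run it against the sample and the web group produces nothing, the bastion is reported twice (IPv4 and IPv6), and the legacy group is reported for both SSH and RDP even though neither port appears in its rules.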
6. Default VPC
The default VPC in each region comes with public subnets (a route to an internet gateway and auto-assign public IPv4 turned on) and a default security group that allows all traffic between its members, so anything launched there without thought gets a public address and sits one permissive rule away from the internet. Either delete it, or lock it down (remove the public route or the auto-assign setting, close the default security group) if resources are already running there.
7. EBS Encryption
Enable EBS encryption by default in every region you use; it is a per-region setting, not an account-wide one, and a region you never visit is where the unencrypted volume will be. This ensures all new volumes and snapshots created in that region are encrypted without developers having to remember. It does not convert existing volumes, so also list unencrypted volumes and migrate them by copying a snapshot with encryption enabled and swapping the volume.
8. RDS Public Accessibility
Audit RDS instances for the "publicly accessible" flag. Most databases should be reachable only from inside your VPC; an instance marked publicly accessible resolves to a public IP address and is protected by nothing more than its security group, which makes a single careless rule a direct path to the data.
9. Access Keys
Pull the IAM credential report and audit access keys for age and usage. Keys older than 90 days should be rotated. Keys that haven't been used in 30 days should be deactivated, and deleted once it is clear nothing breaks. A key that has never been used since creation counts as unused from that date.
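The credential report is a single CSV that covers items 2, 4 and 9 at once: it has a row for the root account (MFA status and whether root keys exist), a row per user with password_enabled and mfa_active, and the rotation and last-used dates of each access key. The following is an added example, not from the original page, that applies this section's 90-day and 30-day thresholds plus the root and console-MFA checks to such a report. The CSV in SAMPLE_REPORT is constructed in the layout of the real report with a made-up account ID and user names; the audit time is pinned so the result is reproducible.

```python
"""Audit the IAM credential report for root MFA, console MFA and access-key hygiene.

Added example, not from the original page. SAMPLE_REPORT is a constructed CSV in
the layout of the real report (account ID and user names are made up). For a
live account call iam.generate_credential_report(), wait until its state is
COMPLETE, then pass iam.get_credential_report()["Content"].decode() and a
timezone-aware "now" to audit_credential_report().
"""
import csv
import io
from collections import namedtuple
from datetime import datetime, timezone

Finding = namedtuple("Finding", "user code key days")

# Report fields that mean "no value" rather than a timestamp.
_NO_VALUE = {"N/A", "no_information", "not_supported", ""}


def _parse_ts(value):
    return None if value in _NO_VALUE else datetime.fromisoformat(value)


def audit_credential_report(csv_text, now, max_key_age_days=90, max_idle_days=30):
    """Return a list of Finding tuples for the report; `now` must be timezone-aware."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = row["user"]
        if user == "<root_account>":
            if row["mfa_active"] != "true":
                findings.append(Finding(user, "ROOT_NO_MFA", None, None))
            for n in (1, 2):
                if row[f"access_key_{n}_active"] == "true":
                    findings.append(Finding(user, "ROOT_ACCESS_KEY", n, None))
            continue
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append(Finding(user, "CONSOLE_NO_MFA", None, None))
        for n in (1, 2):
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = _parse_ts(row[f"access_key_{n}_last_rotated"])
            if rotated is None:
                continue
            age = (now - rotated).days
            if age > max_key_age_days:
                findings.append(Finding(user, "KEY_STALE", n, age))
            # A key that has never been used is idle since the day it was created.
            last_used = _parse_ts(row[f"access_key_{n}_last_used_date"])
            idle = (now - (last_used or rotated)).days
            if idle > max_idle_days:
                findings.append(Finding(user, "KEY_IDLE", n, idle))
    return findings


# Constructed sample report: root without MFA, a healthy user, a CI user with
# one old key and one never-used key, and a console user without MFA.
SAMPLE_REPORT = "\n".join([
    "user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,"
    "password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,"
    "access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,"
    "access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,"
    "access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,"
    "cert_1_last_rotated,cert_2_active,cert_2_last_rotated",
    "<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,"
    "2024-05-20T09:00:00+00:00,not_supported,not_supported,false,false,N/A,N/A,N/A,N/A,"
    "false,N/A,N/A,N/A,N/A,false,N/A,false,N/A",
    "alice,arn:aws:iam::123456789012:user/alice,2022-03-01T00:00:00+00:00,true,"
    "2024-05-30T08:00:00+00:00,2024-03-01T00:00:00+00:00,2024-08-29T00:00:00+00:00,true,"
    "true,2024-04-15T00:00:00+00:00,2024-05-31T00:00:00+00:00,us-east-1,s3,"
    "false,N/A,N/A,N/A,N/A,false,N/A,false,N/A",
    "ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2021-06-01T00:00:00+00:00,false,"
    "no_information,N/A,N/A,false,true,2023-11-01T00:00:00+00:00,2024-05-31T12:00:00+00:00,"
    "eu-west-1,ec2,true,2024-01-10T00:00:00+00:00,no_information,N/A,N/A,false,N/A,false,N/A",
    "bob,arn:aws:iam::123456789012:user/bob,2023-01-01T00:00:00+00:00,true,"
    "2024-04-01T00:00:00+00:00,2023-01-01T00:00:00+00:00,2023-06-30T00:00:00+00:00,false,"
    "false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A",
])

AUDIT_TIME = datetime(2024, 6, 1, tzinfo=timezone.utc)  # pinned so the sample is reproducible

if __name__ == "__main__":
    for finding in audit_credential_report(SAMPLE_REPORT, AUDIT_TIME):
        print(finding)
```

Against the sample this reports root without MFA, bob with console access and no MFA, and two problems for ci-deploy: key 1 is 213 days old, and key 2 is both 143 days old and has never been used. alice produces nothing. Feed the findings to whatever opens tickets for you; the point of reading the report in code rather than in the console is that it can run on a schedule.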
10. GuardDuty
Enable Amazon GuardDuty in every region, or better, across the whole organization through a delegated administrator account. It needs little configuration beyond turning it on, but it is not zero: findings have to go somewhere, typically an EventBridge rule that pushes them to a ticket queue or chat channel, or nobody will read them. Pricing is based on the volume of CloudTrail, VPC Flow Log and DNS log data it analyzes, which is modest for most accounts. It detects a wide range of threats including anomalous or unauthorized API calls, cryptocurrency mining, and instances talking to known command-and-control infrastructure.
Making This Sustainable
Run this audit quarterly at minimum. Better yet, use AWS Config rules to continuously evaluate these settings and alert on drift; AWS has a managed rule for essentially every item above (root MFA, CloudTrail enabled, password policy, restricted SSH, default security group closed, EBS encryption by default, RDS public access, access key rotation, GuardDuty enabled), so most of the work is turning them on. Prevention is always cheaper than remediation.