AWS Security Best Practices

Before deploying any AWS service you should understand what the security best practices actually are. Many of them, such as the principle of least privilege, are tried and true in any environment, cloud or not.

Some AWS best practices are specific to a service such as EC2 instances (VMs), Amazon RDS or Amazon S3; others cover broader areas such as networking, monitoring and IAM.


Here are some of the most common AWS best practices, far from an all-inclusive list. At the bottom of the page are additional resources worth referencing.


1. Understand what the Shared Responsibility Model really is and who does what. Actually review the model and know what AWS secures (the infrastructure, hypervisor and managed service internals) and what you are responsible for (your data, IAM, OS patching, network configuration and encryption).

[Figure: AWS Shared Responsibility Model]

2. IAM Access Keys – Rotate access keys at least once every 60 to 90 days, and remove keys that are unused. Better still, avoid long-lived keys where you can by giving EC2 instances and Lambda functions an IAM role instead.

3. IAM – Use the principle of least privilege. Never grant more than what is needed to get a job done, and prefer scoped policies attached to groups or roles over broad managed policies attached to individual users.

4. Trusted Advisor – Use Trusted Advisor to find the obvious security flaws in your deployments (open security groups, missing MFA on root, public S3 buckets, unrotated keys).

5. Auditing – The only way to really know what is going on is by using an auditing solution. Audit access logs, audit permissions, audit resource utilization. Use CloudTrail, enable it in all regions, and deliver the logs to an S3 bucket that the audited accounts cannot modify.

Yes, leave that S3 bucket publicly open with national security information in it. Thank you…

6. Patching – Patching your hosts is critical, Linux or Windows. You would be surprised how many customers still do not keep patches up to date, especially on Linux.

7. Root account – The root user can be devastating if compromised. Do not create API access keys for the root user, delete any that exist, protect it with MFA, and reserve it for the few tasks that genuinely require root. Never give away the keys to the kingdom.

8. Multi-Factor Authentication – Ensure MFA is enforced for the root user and for every IAM user with console access.

9. Security Groups – Remove unrestricted (0.0.0.0/0 or ::/0) inbound access on any port that is not a deliberately public service. Think of a security group as a stateful firewall attached to the instance's network interface.

10. S3 Buckets – Validate that no bucket is publicly readable or writable (turn on S3 Block Public Access at the account level), and ensure proper protection of the buckets for compliance: encryption at rest, access logging and versioning where required.

11. Amazon RDS Security Group Access – Grant the database security group inbound access on the database port only from the application tier's security group (or specific IP ranges), never from 0.0.0.0/0, and keep the instance not publicly accessible.

12. CloudFront SSL/TLS Certificates – Validate that the origin server has current, valid certificates, and configure the distribution to use HTTPS both between viewers and CloudFront and between CloudFront and the origin.

There are likely another 30 or 40 best practices; these are the most common ones to consider from my experience.


Additional Resources to Review

AWS NIST Cybersecurity Framework

One relatively new resource (January 2019) is the AWS whitepaper on the NIST Cybersecurity Framework (CSF), written specifically around AWS.

It describes the NIST CSF risk management practices and maps them to AWS services and features so you can properly protect your data across AWS.

https://d1.awsstatic.com/whitepapers/compliance/NIST_Cybersecurity_Framework_CSF.pdf?did=wp_card&trk=wp_card

AWS Well Architected Framework

The AWS Well-Architected Framework is based on five pillars: operational excellence, security, reliability, performance efficiency, and cost optimization.

https://d1.awsstatic.com/whitepapers/architecture/AWS_Well-Architected_Framework.pdf?did=wp_card&trk=wp_card

There is also a tool that goes with the framework and that you should review.

The AWS Well-Architected Tool is now available, and its user guide (the AWS Well-Architected Tool User Guide) covers the details.

The tool is very easy to get started with. You define a workload (name, description, the account IDs and regions it runs in, and a few other details) and then answer the review questions for each pillar.

Amazon Web Services: Overview of Security Processes

The main goal of the Amazon Web Services: Overview of Security Processes whitepaper is to explain how AWS protects the confidentiality, integrity, and availability of customers' systems and data. Protecting data is important to AWS, as is maintaining customer trust and confidence.

https://d1.awsstatic.com/whitepapers/Security/AWS_Security_Whitepaper.pdf

AWS Security Hub

AWS Security Hub is a solid toolset, but also a complex one. It gives you a comprehensive view of your high-priority security alerts and compliance status across AWS accounts. There are a range of powerful security tools at your disposal, from firewalls and endpoint protection to vulnerability and compliance scanners. Security Hub provides a single place that aggregates, organizes, and prioritizes your security alerts, or findings, from multiple AWS services, such as Amazon GuardDuty, Amazon Inspector, and Amazon Macie, as well as from AWS Partner solutions.

https://aws.amazon.com/security-hub/


Joe Holbrook, The Cloud Tech Guy Jax, FL

Carry on fellow Blockchain Gurus!
