Security Best Practices
Security in the cloud is a shared responsibility between AWS and you. AWS secures the infrastructure, but you're responsible for securing your applications, data, and access controls. In this lesson, we'll explore essential AWS security practices that every cloud practitioner should know.
What You'll Learn
By the end of this lesson, you'll understand the shared responsibility model, IAM best practices, encryption options, network security, monitoring, and how to implement a defense-in-depth approach.
The Shared Responsibility Model
AWS security is based on the shared responsibility model - AWS and customers share security duties.
AWS Responsibility: Security OF the Cloud
AWS secures the underlying infrastructure:
- Physical data center security
- Hardware and networking infrastructure
- Hypervisor and virtualization layer
- Managed service components (RDS engine, Lambda runtime)
Your Responsibility: Security IN the Cloud
You secure what you build on AWS:
- IAM users, roles, and policies
- Data encryption (at rest and in transit)
- Network configuration (security groups, NACLs)
- Operating system and application security
- Customer data
Responsibility Varies by Service
| Service Type | AWS Manages | You Manage |
|---|---|---|
| IaaS (EC2) | Hardware, network | OS, applications, data |
| PaaS (RDS) | Hardware, OS, patches | Data, access control |
| SaaS (S3) | Everything except | Data, access policies |
IAM Security Best Practices
Identity and Access Management is your first line of defense.
1. Secure the Root Account
The root user has unrestricted access - treat it carefully:
- Enable MFA immediately - Hardware key or virtual MFA
- Never use root for daily tasks - Create IAM users instead
- Never create access keys for root - Use IAM users if programmatic access is needed
- Store root credentials securely - Password manager, documented recovery process
2. Principle of Least Privilege
Grant only the permissions needed to perform a task:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Resource": "arn:aws:s3:::specific-bucket/*"
}
]
}
Not this:
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "*"
}
3. Use IAM Roles, Not Access Keys
For applications running on AWS:
Bad: Store access keys in application code or environment variables
Good: Attach IAM role to EC2 instance, Lambda function, or ECS task
Roles provide temporary credentials that auto-rotate.
4. Enable MFA for All Users
Require MFA for all IAM users, especially those with console access:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": "*",
"Resource": "*",
"Condition": {
"BoolIfExists": {
"aws:MultiFactorAuthPresent": "false"
}
}
}
]
}
5. Use IAM Groups
Manage permissions through groups, not individual users:
Developers Group → DeveloperPolicy
├── alice
├── bob
└── charlie
Admins Group → AdministratorPolicy
├── dave
└── eve
6. Regularly Review Permissions
Use these tools:
- IAM Access Analyzer - Find resources shared externally
- IAM Access Advisor - See unused permissions
- AWS Organizations SCPs - Enforce guardrails across accounts
Encryption
Protect data at rest and in transit.
Encryption at Rest
Most AWS services support encryption at rest:
| Service | Encryption Option |
|---|---|
| S3 | SSE-S3, SSE-KMS, SSE-C |
| EBS | AWS-managed or customer-managed keys |
| RDS | Enable at database creation |
| DynamoDB | Always encrypted with AWS-managed keys |
AWS Key Management Service (KMS)
KMS manages encryption keys:
- AWS-managed keys - AWS creates and manages, no cost
- Customer-managed keys - You control rotation, access policies
- Customer-provided keys - You manage entirely outside AWS
KMS Best Practices:
- Use customer-managed keys for sensitive data
- Enable automatic key rotation
- Apply least privilege to key policies
- Use separate keys for different environments
Encryption in Transit
Always use HTTPS/TLS:
- CloudFront - HTTPS by default, HTTP redirect available
- ALB/NLB - Configure TLS certificates
- API Gateway - HTTPS endpoints only
- RDS - Enable SSL/TLS connections
Network Security
Control network access at multiple layers.
VPC Design
Design VPCs with security in mind:
VPC (10.0.0.0/16)
├── Public Subnet (10.0.1.0/24)
│ ├── NAT Gateway
│ └── Bastion Host (if needed)
├── Private Subnet (10.0.2.0/24)
│ ├── Application Servers
│ └── Lambda functions
└── Database Subnet (10.0.3.0/24)
└── RDS instances
Security Groups
Virtual firewalls for EC2 instances:
Inbound Rules (Default: Deny All):
Type Protocol Port Source
SSH TCP 22 10.0.1.0/24 (bastion subnet)
HTTP TCP 80 sg-loadbalancer (LB security group)
Outbound Rules (Default: Allow All): Consider restricting outbound traffic too.
Best Practices:
- Use security group references, not CIDR blocks when possible
- Remove default inbound rules
- Document each rule's purpose
- Regularly audit security groups
Network ACLs
Subnet-level firewalls with numbered rules:
Rule# Type Protocol Port Source Action
100 HTTP TCP 80 0.0.0.0/0 ALLOW
110 HTTPS TCP 443 0.0.0.0/0 ALLOW
* All All All 0.0.0.0/0 DENY
Security Groups vs NACLs:
| Feature | Security Groups | NACLs |
|---|---|---|
| Level | Instance | Subnet |
| State | Stateful | Stateless |
| Rules | Allow only | Allow and Deny |
| Evaluation | All rules | First match |
VPC Flow Logs
Log network traffic for analysis:
2 123456789012 eni-abc123 10.0.1.5 10.0.2.10 443 49152 6 10 1000 ACCEPT OK
Enable on VPC, subnet, or individual ENIs. Store in CloudWatch Logs or S3.
Data Protection
S3 Security
S3 is a common attack target:
- Block public access - Enable at account and bucket level
- Use bucket policies - Explicit least-privilege access
- Enable versioning - Protect against accidental deletion
- Enable logging - Track access to sensitive buckets
- Use encryption - SSE-S3 minimum, SSE-KMS for sensitive data
Secrets Management
Never hardcode secrets:
AWS Secrets Manager:
- Store database credentials, API keys
- Automatic rotation support
- $0.40/secret/month + API charges
AWS Systems Manager Parameter Store:
- Store configuration and secrets
- SecureString type for encryption
- Free for standard parameters
import boto3
secrets = boto3.client('secretsmanager')
secret_value = secrets.get_secret_value(SecretId='prod/database')
credentials = json.loads(secret_value['SecretString'])
Monitoring and Auditing
AWS CloudTrail
Records API calls across your AWS account:
- Who made the request
- What action was taken
- When it occurred
- Where (which region, resource)
Enable CloudTrail:
- Create trail
- Apply to all regions
- Store in S3 bucket
- Enable log file validation
Amazon GuardDuty
Intelligent threat detection:
- Analyzes CloudTrail, VPC Flow Logs, DNS logs
- Detects compromised instances, reconnaissance, data exfiltration
- Machine learning identifies anomalies
Enable with one click - no configuration needed.
AWS Security Hub
Aggregates security findings from multiple services:
- Runs automated security checks
- Consolidates findings from GuardDuty, Inspector, IAM Access Analyzer
- Provides compliance dashboards (CIS, PCI-DSS)
Amazon Inspector
Automated vulnerability scanning:
- EC2 instance vulnerability assessment
- Container image scanning
- Lambda function scanning
- Integrates with CI/CD pipelines
Defense in Depth
Layer multiple security controls:
Internet
│
▼
[AWS Shield / WAF] ← DDoS protection, web filtering
│
▼
[CloudFront] ← Edge security, HTTPS
│
▼
[ALB with TLS] ← Load balancer, SSL termination
│
▼
[Security Groups] ← Instance-level firewall
│
▼
[Application] ← Authentication, authorization
│
▼
[Encrypted Data] ← Encryption at rest
If one layer fails, others provide protection.
Incident Response
Prepare for security incidents:
Preparation
- Document response procedures
- Set up alerts for suspicious activity
- Practice incident scenarios
- Use AWS Organizations for account isolation
Detection
- CloudWatch Alarms for unusual patterns
- GuardDuty for threat detection
- Custom metrics for business-specific anomalies
Response
- Have runbooks for common incidents
- Use AWS Systems Manager for automated response
- Preserve evidence (don't delete logs)
- Know your escalation paths
Compliance
AWS provides compliance tools:
- AWS Artifact - Access compliance reports (SOC, PCI, HIPAA)
- AWS Config - Track resource configurations over time
- AWS Config Rules - Automated compliance checking
- Security Hub - Compliance score against frameworks
Security Checklist
Before going to production:
- Root account has MFA, no access keys
- IAM users have MFA, least privilege
- Applications use IAM roles, not access keys
- Encryption enabled for sensitive data (at rest and in transit)
- VPC designed with public/private subnet separation
- Security groups follow least privilege
- S3 buckets have public access blocked
- Secrets stored in Secrets Manager or Parameter Store
- CloudTrail enabled in all regions
- GuardDuty enabled
- Billing alerts configured
- Incident response procedures documented
Key Takeaways
- Shared responsibility means AWS secures infrastructure; you secure your applications
- IAM is foundational - use MFA, least privilege, roles over access keys
- Encrypt data at rest (KMS) and in transit (TLS)
- Network security uses layers: VPCs, security groups, NACLs
- Monitor with CloudTrail, GuardDuty, and Security Hub
- Defense in depth layers multiple controls
- Prepare for incidents with runbooks and automation
What's Next
Security is essential, but so is managing costs. In the final lesson, we'll explore AWS cost management and the Free Tier - ensuring you get the most value from your cloud investment.