Introduction: AWS Shared Responsibility Model
AWS operates under a shared responsibility model where AWS manages security of the cloud (infrastructure, hardware, software), while customers are responsible for security in the cloud (data, configurations, access management). This cheatsheet provides comprehensive security controls across all major AWS security domains to help you fulfill your responsibilities.
| AWS Responsibilities | Customer Responsibilities |
|---|---|
| Physical security of data centers | Data encryption and integrity |
| Hardware and software infrastructure | Identity and access management |
| Network infrastructure | Operating system configuration |
| Virtualization infrastructure | Network traffic protection |
| Service and communications encryption | Firewall configurations |
Security Assessment & Compliance Checklist
Initial Security Assessment
- [ ] Document all AWS accounts, regions, and resources in use
- [ ] Identify data classification levels for all stored data
- [ ] Map compliance requirements to AWS services and controls
- [ ] Perform gap analysis against relevant compliance frameworks
- [ ] Establish security baselines for all AWS service configurations
Continuous Compliance
- [ ] Implement AWS Config for configuration monitoring
- [ ] Deploy AWS Security Hub to aggregate security findings
- [ ] Use AWS Audit Manager for compliance evidence collection
- [ ] Schedule regular vulnerability assessments and penetration tests
- [ ] Implement automated compliance checks using AWS Config Rules
Compliance Documentation
- [ ] Document all security controls mapped to compliance requirements
- [ ] Maintain evidence of security control effectiveness
- [ ] Define procedures for handling compliance exceptions
- [ ] Establish security metrics and reporting processes
- [ ] Conduct regular compliance reviews and remediation
AWS Account & Organization Security Controls
Account Structure
- [ ] Implement multi-account strategy using AWS Organizations
- [ ] Separate production and non-production environments into different accounts
- [ ] Use dedicated accounts for security functions and logging
- [ ] Establish Organizational Units (OUs) aligned with business functions
- [ ] Implement Service Control Policies (SCPs) to enforce guardrails
Root Account Protection
- [ ] Lock away root user credentials
- [ ] Enable MFA on root accounts
- [ ] Remove access keys from root accounts
- [ ] Delegate administrative tasks to IAM roles
- [ ] Monitor and alert on any root account usage
Organizations Security
- [ ] Enable all AWS Organizations features, especially SCP support
- [ ] Implement SCPs to restrict privileged actions across accounts
- [ ] Enable AWS CloudTrail across all organization accounts
- [ ] Configure centralized security logging
- [ ] Use AWS Control Tower for account governance
Identity & Access Management (IAM) Controls
User Management
- [ ] Enforce strong password policy (minimum 14 characters with complexity)
- [ ] Require MFA for all human users
- [ ] Implement just-in-time access for privileged operations
- [ ] Remove all inactive user accounts and access keys
- [ ] Regularly audit user permissions
Authentication Controls
- [ ] Implement federated identity management for corporate users
- [ ] Use AWS SSO or third-party identity provider
- [ ] Enforce MFA for console access
- [ ] Implement secure token handling for programmatic access
- [ ] Rotate credentials regularly per compliance requirements
Authorization Controls
- [ ] Implement least privilege access model
- [ ] Use IAM roles instead of IAM users for applications
- [ ] Apply permission boundaries to delegated roles
- [ ] Regularly review and remove unused permissions
- [ ] Implement attribute-based access control where appropriate
IAM Policy Management
- [ ] Document and version control all custom IAM policies
- [ ] Review policies for overly permissive settings ("*" wildcards)
- [ ] Implement conditions in policies to further restrict access
- [ ] Use AWS Access Analyzer to identify unintended access
- [ ] Implement emergency access process
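The wildcard and condition reviews in the list above can be run as a quick local pass over policy documents before they are committed. The following linter is an added example written for this cheatsheet, not AWS code and not a substitute for IAM Access Analyzer's policy validation; the policy documents it checks are constructed, and the severity labels are the author's own.

```python
"""Lint IAM policy documents for the patterns the checklist flags: "*" wildcards,
NotAction/NotResource in Allow statements, broad grants without a Condition, and
public principals in resource policies. Added example; the sample policies are constructed."""
import json

SEVERITY_RANK = {"NONE": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def _as_list(value):
    """IAM accepts either a string or a list in Action/Resource/Principal fields."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """True for "Principal": "*" or {"AWS": "*"}, i.e. anyone, in a resource policy."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def lint_policy(policy):
    """Return a list of (severity, sid, message) findings for one policy document."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        sid = stmt.get("Sid", f"Statement[{idx}]")
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access, never widen it
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        conditioned = bool(stmt.get("Condition"))

        if "NotAction" in stmt:
            findings.append(("HIGH", sid, "Allow with NotAction permits every action not listed"))
        if "NotResource" in stmt:
            findings.append(("HIGH", sid, "Allow with NotResource applies to every other resource"))
        if "*" in actions and "*" in resources:
            findings.append(("CRITICAL", sid, "Action '*' on Resource '*' is full administrator access"))
        elif "*" in actions:
            findings.append(("HIGH", sid, "Action '*' grants every API call on the listed resources"))
        elif any(a.endswith(":*") for a in actions) and "*" in resources:
            findings.append(("HIGH", sid, "service-level wildcard action on all resources"))
        elif "*" in resources and not conditioned:
            findings.append(("MEDIUM", sid, "Resource '*' without a Condition; scope by ARN or tag"))
        if "Principal" in stmt and _principal_is_public(stmt["Principal"]) and not conditioned:
            findings.append(("CRITICAL", sid, "public Principal with no Condition on a resource policy"))
    return findings


def worst_severity(findings):
    """Highest severity present, or "NONE" when the policy is clean."""
    return max((f[0] for f in findings), key=SEVERITY_RANK.get, default="NONE")


# Constructed sample policies (bucket name and ARNs are placeholders)
ADMIN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowAll", "Effect": "Allow", "Action": "*", "Resource": "*"}]}
EXCEPT_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllButIam", "Effect": "Allow", "NotAction": ["iam:*", "organizations:*"], "Resource": "*"}]}
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadAppBucket", "Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-app-bucket", "arn:aws:s3:::example-app-bucket/*"]},
    {"Sid": "DenyUnencryptedPut", "Effect": "Deny", "Action": "s3:PutObject", "Resource": "*",
     "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}}]}
PUBLIC_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-public-bucket/*"}]}

if __name__ == "__main__":
    for name, doc in [("admin", ADMIN_POLICY), ("except", EXCEPT_POLICY),
                      ("scoped", SCOPED_POLICY), ("public-bucket", PUBLIC_BUCKET_POLICY)]:
        found = lint_policy(doc)
        print(name, worst_severity(found), json.dumps(found))
```

To run it against live policies, feed it the `Document` returned under `PolicyVersion` by boto3's `iam.get_policy_version()`; the same function works on bucket and KMS key policies because those are the statements with a `Principal` element.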
Data Protection & Encryption
Data Classification
- [ ] Classify data by sensitivity and regulatory requirements
- [ ] Tag resources according to data classification
- [ ] Implement controls based on classification level
- [ ] Document data lifecycle for each classification
- [ ] Regularly audit data access patterns
Encryption at Rest
- [ ] Enable default encryption for all storage services
- [ ] Use AWS KMS for key management
- [ ] Implement customer managed keys (CMKs) for sensitive data
- [ ] Establish key rotation policies
- [ ] Audit and restrict KMS key usage
Encryption in Transit
- [ ] Enforce TLS 1.2+ for all API communications
- [ ] Configure secure ciphers and protocols
- [ ] Implement VPN or Direct Connect for secure on-premises connections
- [ ] Use AWS Certificate Manager for TLS certificate management
- [ ] Monitor and remediate insecure protocols
Key Management
- [ ] Implement segregation of duties for key administration
- [ ] Use multi-region keys for disaster recovery scenarios
- [ ] Implement key aliases for easier management
- [ ] Regularly audit key policies and usage
- [ ] Implement automated alerting for key policy changes
Network Security Controls
VPC Security
- [ ] Implement VPC flow logs for all VPCs
- [ ] Use private subnets for all non-public resources
- [ ] Implement network ACLs as first line of defense
- [ ] Restrict default security groups to deny all traffic
- [ ] Use Transit Gateway for centralized network management
Security Group Management
- [ ] Follow principle of least privilege for all security groups
- [ ] Document purpose and ownership for each security group
- [ ] Remove overly permissive rules (0.0.0.0/0)
- [ ] Implement tagging strategy for security groups
- [ ] Regularly audit security group rule changes
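The "remove overly permissive rules" and "default security groups deny all traffic" items above are mechanical enough to check in code. The audit below is an added example for this cheatsheet, not AWS tooling; `SAMPLE_GROUPS` is constructed in the shape that EC2 `DescribeSecurityGroups` returns, and the port lists and severity labels are the author's assumptions.

```python
"""Audit EC2 security groups for the checklist's over-permissive patterns:
ingress from 0.0.0.0/0 or ::/0, and default groups that still carry rules.
Added example; SAMPLE_GROUPS is constructed in the shape returned by
ec2.describe_security_groups()["SecurityGroups"]."""

# Ports where world-open ingress is almost never intended (admin and database services)
ADMIN_AND_DB_PORTS = {22, 3389, 1433, 3306, 5432, 6379, 27017}
# Ports that are often legitimately public; flagged for confirmation only
WEB_PORTS = {80, 443}


def _port_range(perm):
    """Inclusive (from, to) for a permission; IpProtocol "-1" means every port."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def _world_sources(perm):
    """CIDR sources in this permission that mean 'anyone on the internet'."""
    v4 = [r["CidrIp"] for r in perm.get("IpRanges", []) if r.get("CidrIp") == "0.0.0.0/0"]
    v6 = [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") == "::/0"]
    return v4 + v6


def audit_security_group(group):
    """Return (severity, group id, message) findings for one security group."""
    findings = []
    gid = group["GroupId"]
    # Checklist: the default group should deny all traffic, i.e. carry no rules at all
    if group.get("GroupName") == "default" and (group.get("IpPermissions") or group.get("IpPermissionsEgress")):
        findings.append(("HIGH", gid, "default security group still has rules; remove them"))
    for perm in group.get("IpPermissions", []):
        world = _world_sources(perm)
        if not world:
            continue  # sources are specific CIDRs or other security groups
        lo, hi = _port_range(perm)
        proto = perm.get("IpProtocol")
        if proto == "-1":
            sev, what = "CRITICAL", "all protocols and ports"
        elif proto in ("icmp", "icmpv6"):
            sev, what = "LOW", proto.upper()
        elif any(lo <= p <= hi for p in ADMIN_AND_DB_PORTS):
            sev, what = "HIGH", f"{proto} {lo}-{hi} (admin/database port in range)"
        elif lo == hi and lo in WEB_PORTS:
            sev, what = "INFO", f"{proto} {lo} (public web port, confirm intent)"
        else:
            sev, what = "MEDIUM", f"{proto} {lo}-{hi}"
        findings.append((sev, gid, f"{what} open to {', '.join(world)}"))
    return findings


def audit_all(groups):
    """Flatten findings for a list of groups, in input order."""
    return [f for g in groups for f in audit_security_group(g)]


# Constructed sample groups; ids and names are placeholders
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "GroupName": "web-alb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0bbb", "GroupName": "bastion-legacy", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0ccc", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0ddd", "GroupName": "default", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]

if __name__ == "__main__":
    for sev, gid, msg in audit_all(SAMPLE_GROUPS):
        print(f"{sev:8} {gid} {msg}")
```

Run it over every region's `describe_security_groups()` output from a read-only role; the HIGH and CRITICAL rows are the ones the checklist wants removed, while INFO rows only need an owner to confirm that the port is meant to be public.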
Traffic Control
- [ ] Implement AWS Shield for DDoS protection
- [ ] Use AWS WAF for application layer protection
- [ ] Implement AWS Network Firewall for network traffic filtering
- [ ] Deploy VPC endpoints for AWS service access
- [ ] Use Gateway Load Balancer for advanced traffic inspection
Network Monitoring
- [ ] Enable VPC Flow Logs with CloudWatch integration
- [ ] Implement traffic pattern analysis and alerting
- [ ] Deploy Network Access Analyzer for path analysis
- [ ] Use AWS Transit Gateway Network Manager for global network visibility
- [ ] Implement automated remediation for network security violations
Compute Security Controls
EC2 Security
- [ ] Use hardened AMIs for all instances
- [ ] Implement instance patching automation (AWS Systems Manager)
- [ ] Deploy agent-based protection (GuardDuty, Inspector)
- [ ] Use IMDSv2 and require token-based metadata access
- [ ] Implement instance profile roles instead of access keys
Container Security
- [ ] Scan container images for vulnerabilities
- [ ] Implement least privilege for task execution roles
- [ ] Use private ECR repositories with image scanning enabled
- [ ] Implement ECS/EKS cluster security controls
- [ ] Follow container security best practices (non-root users, read-only filesystems)
Serverless Security
- [ ] Implement least privilege for Lambda execution roles
- [ ] Configure Lambda functions in VPC when accessing private resources
- [ ] Set appropriate Lambda function timeouts
- [ ] Validate and sanitize all event data
- [ ] Audit Lambda environment variables for sensitive data
Host-Based Security
- [ ] Deploy AWS Systems Manager for patch management
- [ ] Implement Amazon Inspector for vulnerability assessment
- [ ] Use Systems Manager Session Manager instead of SSH
- [ ] Configure OS-level security controls and hardening
- [ ] Implement automated compliance checks
Storage Security Controls
S3 Security
- [ ] Block all public access at account level
- [ ] Implement bucket policies following least privilege
- [ ] Enable versioning for critical buckets
- [ ] Enable server-side encryption with KMS
- [ ] Implement S3 object lock for critical data
EBS Security
- [ ] Enable encryption by default for all EBS volumes
- [ ] Implement regular snapshot backups
- [ ] Secure snapshot sharing processes
- [ ] Implement tagging for encryption verification
- [ ] Delete unattached EBS volumes
Other Storage Services
- [ ] Encrypt EFS filesystems
- [ ] Secure FSx with appropriate security groups
- [ ] Implement encryption for Storage Gateway
- [ ] Secure access to AWS Backup vaults
- [ ] Configure appropriate retention policies for all storage
Database Security Controls
RDS Security
- [ ] Enable encryption for all database instances
- [ ] Place databases in private subnets
- [ ] Implement strict security group rules
- [ ] Enable automated backups with appropriate retention
- [ ] Use IAM database authentication where supported
DynamoDB Security
- [ ] Enable encryption at rest
- [ ] Implement fine-grained access control with IAM
- [ ] Configure appropriate auto-scaling
- [ ] Implement point-in-time recovery
- [ ] Use VPC endpoints for secure access
Database Monitoring
- [ ] Enable database audit logging
- [ ] Implement query monitoring for suspicious activity
- [ ] Configure automated snapshot copies to secure location
- [ ] Monitor database configuration changes
- [ ] Implement alerting for database security events
Detection & Monitoring Controls
AWS Services for Detection
- [ ] Deploy GuardDuty for threat detection (all regions)
- [ ] Implement AWS Security Hub for consolidated security views
- [ ] Enable Amazon Detective for security investigation
- [ ] Deploy AWS Config for configuration monitoring
- [ ] Use AWS CloudTrail for API activity monitoring
Logging Configuration
- [ ] Enable CloudTrail in all regions with log file validation
- [ ] Centralize logs in a dedicated logging account
- [ ] Configure S3 access logging for sensitive buckets
- [ ] Enable VPC Flow Logs for all VPCs
- [ ] Configure CloudWatch Logs for application logging
Alerting & Monitoring
- [ ] Implement CloudWatch alarms for critical security events
- [ ] Configure GuardDuty findings to trigger automated responses
- [ ] Establish alert severity and response procedures
- [ ] Deploy dashboards for security visibility
- [ ] Implement regular reviews of security findings
AI-Based Detection
- [ ] Use GuardDuty machine learning capabilities
- [ ] Analyze CloudTrail with Amazon Macie for sensitive data exposure
- [ ] Implement Amazon Detective for security graph analysis
- [ ] Configure anomaly detection in CloudWatch
- [ ] Review AI-based findings for false positives
Incident Response & Recovery
Incident Preparation
- [ ] Document incident response procedures for AWS
- [ ] Define roles and responsibilities for incident handling
- [ ] Implement break-glass emergency access procedures
- [ ] Establish communication channels and escalation paths
- [ ] Conduct regular incident response exercises
Incident Detection
- [ ] Implement automated alerting for security events
- [ ] Configure AWS EventBridge for security event routing
- [ ] Establish 24×7 monitoring capabilities
- [ ] Define clear incident severity levels
- [ ] Deploy honeypot resources for early threat detection
Incident Response
- [ ] Define containment strategies for different AWS services
- [ ] Implement automated response with AWS Lambda
- [ ] Use Systems Manager for secure incident investigation
- [ ] Establish evidence preservation procedures
- [ ] Implement service isolation procedures
Recovery & Post-Incident
- [ ] Maintain secure backups for all critical resources
- [ ] Document recovery time objectives (RTOs) and procedures
- [ ] Implement infrastructure as code for reliable recovery
- [ ] Conduct post-incident reviews and lessons learned
- [ ] Update security controls based on incidents
Automation & Infrastructure as Code Security
Secure CI/CD Pipelines
- [ ] Implement least privilege for pipeline execution roles
- [ ] Scan infrastructure as code templates for vulnerabilities
- [ ] Conduct automated security testing in pipelines
- [ ] Securely manage pipeline credentials
- [ ] Implement approval gates for sensitive deployments
CloudFormation Security
- [ ] Review and validate CloudFormation templates
- [ ] Implement drift detection for infrastructure
- [ ] Use CloudFormation Guard for policy compliance
- [ ] Implement secure parameter handling
- [ ] Version control all templates
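The "scan infrastructure as code templates" and "review and validate CloudFormation templates" items above are usually implemented with CloudFormation Guard or a similar scanner in the pipeline. The script below is an added example of what such a pre-deployment check does, written for this cheatsheet in plain Python rather than the Guard rule language; the rule ids, the checked properties and `SAMPLE_TEMPLATE` are constructed, and the template is in JSON form so no YAML parser is needed.

```python
"""Static checks over a CloudFormation template (JSON form), in the spirit of the
template review and CloudFormation Guard items: S3 public access block, default
encryption and versioning, IMDSv2 on launch templates, RDS encryption and exposure.
Added example; rule ids and the sample template are constructed."""
import json

PUBLIC_ACCESS_BLOCK_KEYS = ("BlockPublicAcls", "BlockPublicPolicy",
                            "IgnorePublicAcls", "RestrictPublicBuckets")


def _is_true(value):
    """CloudFormation accepts JSON true or the string "true" for boolean properties."""
    return value is True or str(value).lower() == "true"


def check_s3_bucket(logical_id, props):
    findings = []
    pab = props.get("PublicAccessBlockConfiguration", {})
    missing = [k for k in PUBLIC_ACCESS_BLOCK_KEYS if not _is_true(pab.get(k))]
    if missing:
        findings.append((logical_id, "S3_PUBLIC_ACCESS_BLOCK",
                         "public access block settings not all true: " + ", ".join(missing)))
    if not props.get("BucketEncryption", {}).get("ServerSideEncryptionConfiguration"):
        findings.append((logical_id, "S3_ENCRYPTION", "no BucketEncryption; set SSE-KMS by default"))
    if props.get("VersioningConfiguration", {}).get("Status") != "Enabled":
        findings.append((logical_id, "S3_VERSIONING", "versioning not enabled"))
    return findings


def check_launch_template(logical_id, props):
    opts = props.get("LaunchTemplateData", {}).get("MetadataOptions", {})
    if opts.get("HttpTokens") != "required":
        return [(logical_id, "EC2_IMDSV2", "MetadataOptions.HttpTokens must be 'required' (IMDSv2 only)")]
    return []


def check_db_instance(logical_id, props):
    findings = []
    if not _is_true(props.get("StorageEncrypted")):
        findings.append((logical_id, "RDS_ENCRYPTION", "StorageEncrypted is not true"))
    if _is_true(props.get("PubliclyAccessible")):
        findings.append((logical_id, "RDS_PUBLIC", "PubliclyAccessible is true; use private subnets"))
    return findings


# Resource type -> check function; unknown types are skipped
RULES = {
    "AWS::S3::Bucket": check_s3_bucket,
    "AWS::EC2::LaunchTemplate": check_launch_template,
    "AWS::RDS::DBInstance": check_db_instance,
}


def scan_template(template):
    """Return (logical id, rule id, message) findings in resource order."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        rule = RULES.get(resource.get("Type"))
        if rule:
            findings.extend(rule(logical_id, resource.get("Properties", {})))
    return findings


# Constructed sample template; AMI id and key alias are placeholders
SAMPLE_TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "LogsBucket": {"Type": "AWS::S3::Bucket", "Properties": {
            "PublicAccessBlockConfiguration": {k: True for k in PUBLIC_ACCESS_BLOCK_KEYS},
            "BucketEncryption": {"ServerSideEncryptionConfiguration": [{"ServerSideEncryptionByDefault": {
                "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "alias/example-logs-key"}}]},
            "VersioningConfiguration": {"Status": "Enabled"}}},
        "UploadsBucket": {"Type": "AWS::S3::Bucket", "Properties": {
            "PublicAccessBlockConfiguration": {"BlockPublicAcls": True, "IgnorePublicAcls": True}}},
        "AppLaunchTemplate": {"Type": "AWS::EC2::LaunchTemplate", "Properties": {
            "LaunchTemplateData": {"ImageId": "ami-EXAMPLE", "MetadataOptions": {"HttpTokens": "optional"}}}},
        "AppDb": {"Type": "AWS::RDS::DBInstance", "Properties": {
            "Engine": "postgres", "StorageEncrypted": True, "PubliclyAccessible": False}},
    },
}

if __name__ == "__main__":
    print(json.dumps(scan_template(SAMPLE_TEMPLATE), indent=2))
```

Wire a check like this into the pipeline so that any finding fails the build before `aws cloudformation deploy` runs; the same findings list is what an approval gate can display for the sensitive-deployment review item.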
AWS CDK Security
- [ ] Implement security best practices in CDK constructs
- [ ] Conduct code reviews of CDK applications
- [ ] Implement security testing for CDK outputs
- [ ] Use IAM roles with least privilege for CDK deployment
- [ ] Maintain CDK dependencies securely
Advanced Cloud Security Topics
Supply Chain Security
- [ ] Validate the security of third-party AWS solutions
- [ ] Implement secure AWS Marketplace deployment procedures
- [ ] Verify IAM permissions requested by third-party solutions
- [ ] Conduct vendor security assessments for AWS integrations
- [ ] Monitor third-party service access to AWS resources
Threat Hunting
- [ ] Develop AWS-specific threat hunting playbooks
- [ ] Analyze CloudTrail logs for unusual patterns
- [ ] Hunt for unusual identity activity across services
- [ ] Investigate suspicious network traffic patterns
- [ ] Monitor for unauthorized resource creation
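The threat-hunting items above (unusual CloudTrail patterns, identity activity, unauthorized resource creation) and the earlier "monitor and alert on any root account usage" item under Root Account Protection share one input: CloudTrail records. The hunt below is an added example for this cheatsheet, not an AWS-provided ruleset; `SAMPLE_RECORDS` is constructed with placeholder account id and ARNs, the approved-region set and the denied-call threshold are assumptions, and the root-usage and no-MFA tests follow the commonly published CloudWatch metric-filter logic.

```python
"""Hunt a batch of CloudTrail records for: root account usage, console sign-in
without MFA, resource creation outside approved regions, and bursts of denied
calls from one principal. Added example; SAMPLE_RECORDS is constructed."""
from collections import Counter

ALLOWED_REGIONS = {"us-east-1", "eu-west-1"}          # assumption: the org's approved regions
CREATE_EVENTS = {"RunInstances", "CreateUser", "CreateAccessKey", "CreateBucket"}
DENIED_CODES = {"AccessDenied", "UnauthorizedOperation", "Client.UnauthorizedOperation"}
DENIED_THRESHOLD = 5                                    # assumption: tune per environment


def _principal(rec):
    ident = rec.get("userIdentity", {})
    return ident.get("arn") or ident.get("principalId") or "unknown"


def is_root_activity(rec):
    """Root identity acting directly (not an AWS service acting on the account's behalf)."""
    ident = rec.get("userIdentity", {})
    return (ident.get("type") == "Root" and "invokedBy" not in ident
            and rec.get("eventType") != "AwsServiceEvent")


def is_console_login_without_mfa(rec):
    return (rec.get("eventName") == "ConsoleLogin"
            and rec.get("userIdentity", {}).get("type") == "IAMUser"
            and rec.get("responseElements", {}).get("ConsoleLogin") == "Success"
            and rec.get("additionalEventData", {}).get("MFAUsed") != "Yes")


def is_create_outside_allowed_regions(rec):
    return rec.get("eventName") in CREATE_EVENTS and rec.get("awsRegion") not in ALLOWED_REGIONS


def hunt(records):
    """Return (rule, principal, detail) findings; per-record rules first, then burst rules."""
    findings = []
    denied = Counter()
    for rec in records:
        who = _principal(rec)
        if is_root_activity(rec):
            findings.append(("ROOT_USAGE", who, rec.get("eventName")))
        if is_console_login_without_mfa(rec):
            findings.append(("CONSOLE_LOGIN_NO_MFA", who, rec.get("eventName")))
        if is_create_outside_allowed_regions(rec):
            findings.append(("CREATE_OUTSIDE_REGION", who, f"{rec['eventName']} in {rec['awsRegion']}"))
        if rec.get("errorCode") in DENIED_CODES:
            denied[who] += 1
    for who, n in denied.items():
        if n >= DENIED_THRESHOLD:
            findings.append(("ACCESS_DENIED_BURST", who, f"{n} denied calls"))
    return findings


def _event(name, identity, region="us-east-1", **extra):
    """Build a minimal CloudTrail record (constructed; real records carry more fields)."""
    rec = {"eventVersion": "1.08", "eventType": "AwsApiCall", "eventName": name,
           "awsRegion": region, "userIdentity": identity}
    rec.update(extra)
    return rec


ACCOUNT = "123456789012"  # constructed placeholder account id
ROOT = {"type": "Root", "accountId": ACCOUNT, "arn": f"arn:aws:iam::{ACCOUNT}:root"}
ALICE = {"type": "IAMUser", "accountId": ACCOUNT, "arn": f"arn:aws:iam::{ACCOUNT}:user/alice"}
BOB = {"type": "IAMUser", "accountId": ACCOUNT, "arn": f"arn:aws:iam::{ACCOUNT}:user/bob"}
CI_ROLE = {"type": "AssumedRole", "accountId": ACCOUNT,
           "arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/ci-deploy/build-42"}

SAMPLE_RECORDS = [
    _event("ConsoleLogin", ROOT, eventType="AwsConsoleSignIn",
           responseElements={"ConsoleLogin": "Success"}, additionalEventData={"MFAUsed": "Yes"}),
    _event("ConsoleLogin", ALICE, eventType="AwsConsoleSignIn",
           responseElements={"ConsoleLogin": "Success"}, additionalEventData={"MFAUsed": "No"}),
    _event("RunInstances", CI_ROLE, region="ap-southeast-1"),
    *[_event("DescribeInstances", BOB, errorCode="Client.UnauthorizedOperation")
      for _ in range(DENIED_THRESHOLD)],
    _event("GetObject", CI_ROLE, eventSource="s3.amazonaws.com"),
]

if __name__ == "__main__":
    for rule, who, detail in hunt(SAMPLE_RECORDS):
        print(f"{rule:22} {who} {detail}")
```

In production the same functions run over the gzip JSON objects CloudTrail delivers to the logging bucket (each file holds a `Records` array), or as CloudWatch metric filters and EventBridge rules so that the findings feed the alerting items listed earlier rather than a manual review.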
Security Operations Center (SOC)
- [ ] Establish AWS-specific monitoring procedures
- [ ] Implement cross-account security visibility
- [ ] Define AWS security metrics and KPIs
- [ ] Create playbooks for common AWS security alerts
- [ ] Conduct regular AWS security exercises
Security Budget Optimization
Cost-Effective Security
- [ ] Right-size security monitoring resources
- [ ] Implement multi-account security service deployment
- [ ] Optimize log storage and retention
- [ ] Use automation to reduce manual security work
- [ ] Regularly review security service usage and costs
Security Tool Rationalization
- [ ] Evaluate AWS native vs. third-party security solutions
- [ ] Implement integration between security tools
- [ ] Eliminate duplicate security functions
- [ ] Assess security tool effectiveness regularly
- [ ] Document security tool coverage and gaps
Service-Specific Security Checklists
API Gateway
- [ ] Implement AWS WAF for API protection
- [ ] Use API keys and usage plans
- [ ] Enable CloudWatch logging for API requests
- [ ] Implement request validation
- [ ] Use custom authorizers for complex authentication
CloudFront
- [ ] Use HTTPS for all distributions
- [ ] Implement Field-Level Encryption for sensitive data
- [ ] Configure Origin Access Identity for S3 origins
- [ ] Implement Web Application Firewall protection
- [ ] Use geo-restriction for regulated content
AWS Lambda
- [ ] Apply least privilege execution roles
- [ ] Validate all event inputs
- [ ] Set appropriate memory and timeout values
- [ ] Implement VPC access for private resource access
- [ ] Use environment variables for configuration
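The "validate all event inputs" item above, like "validate and sanitize all event data" under Serverless Security, means checking the event before any backend call rather than trusting what API Gateway passes in. The handler below is an added example for this cheatsheet, not AWS sample code; it assumes the API Gateway REST proxy event format (`httpMethod`, `body`, `isBase64Encoded`), and the body schema, limits and sample events are constructed.

```python
"""Lambda handler that validates an API Gateway proxy event before any backend
work: size limit, JSON shape, strict field allow-list, types, lengths and a
character allow-list for identifiers. Added example; schema and events are constructed."""
import json
import re

MAX_BODY_BYTES = 16 * 1024
ORDER_ID_RE = re.compile(r"^[A-Za-z0-9-]{1,36}$")
# Field -> (expected type, max length for strings). Fields not listed here are rejected.
BODY_SCHEMA = {"orderId": (str, 36), "quantity": (int, None), "note": (str, 200)}
REQUIRED = {"orderId", "quantity"}


class ValidationError(ValueError):
    pass


def parse_body(event):
    """Turn the raw proxy body into a dict, rejecting oversize or non-JSON input."""
    if event.get("isBase64Encoded"):
        raise ValidationError("binary bodies are not accepted")
    raw = event.get("body") or ""
    if len(raw.encode("utf-8")) > MAX_BODY_BYTES:
        raise ValidationError("body too large")
    try:
        body = json.loads(raw)
    except json.JSONDecodeError:
        raise ValidationError("body is not valid JSON")
    if not isinstance(body, dict):
        raise ValidationError("body must be a JSON object")
    return body


def validate_body(body):
    """Allow-list validation; the error messages never echo attacker-controlled values."""
    if set(body) - set(BODY_SCHEMA):
        raise ValidationError("unexpected fields present")
    if REQUIRED - set(body):
        raise ValidationError("required fields missing")
    for field, (typ, max_len) in BODY_SCHEMA.items():
        if field not in body:
            continue
        value = body[field]
        # bool is a subclass of int in Python, so exclude it explicitly for int fields
        if not isinstance(value, typ) or isinstance(value, bool):
            raise ValidationError(f"{field} has the wrong type")
        if max_len is not None and len(value) > max_len:
            raise ValidationError(f"{field} is too long")
    if not ORDER_ID_RE.match(body["orderId"]):
        raise ValidationError("orderId contains characters outside the allowed set")
    if not 1 <= body["quantity"] <= 1000:
        raise ValidationError("quantity out of range")
    return body


def _response(status, payload):
    return {"statusCode": status, "headers": {"Content-Type": "application/json"},
            "body": json.dumps(payload)}


def handler(event, context=None):
    """Entry point; only the validated dict is passed on to backend logic."""
    if event.get("httpMethod") != "POST":
        return _response(405, {"error": "method not allowed"})
    try:
        order = validate_body(parse_body(event))
    except ValidationError as exc:
        return _response(400, {"error": str(exc)})
    # Backend call (database write, queue publish) would go here using `order` only.
    return _response(200, {"accepted": order["orderId"], "quantity": order["quantity"]})


# Constructed sample events
GOOD_EVENT = {"httpMethod": "POST", "path": "/orders", "isBase64Encoded": False,
              "body": json.dumps({"orderId": "ord-123", "quantity": 2})}
BAD_TYPE_EVENT = {"httpMethod": "POST", "body": json.dumps({"orderId": "ord-123", "quantity": "2"})}
BAD_ID_EVENT = {"httpMethod": "POST", "body": json.dumps({"orderId": "ord 123'", "quantity": 1})}
EXTRA_FIELD_EVENT = {"httpMethod": "POST",
                     "body": json.dumps({"orderId": "ord-1", "quantity": 1, "isAdmin": True})}
GET_EVENT = {"httpMethod": "GET", "path": "/orders"}

if __name__ == "__main__":
    for ev in (GOOD_EVENT, BAD_TYPE_EVENT, BAD_ID_EVENT, EXTRA_FIELD_EVENT, GET_EVENT):
        print(handler(ev))
```

The allow-list on field names is what stops a caller from smuggling extra attributes (the `isAdmin` sample) into whatever the backend persists, and the identifier regex does the same for values that later end up in queries or file paths; API Gateway request validation can enforce a JSON schema at the edge as well, but the function should not rely on it being configured.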
AWS IoT
- [ ] Implement strong device authentication
- [ ] Use device certificates for identity
- [ ] Implement fine-grained permissions with IoT policies
- [ ] Enable IoT Device Defender
- [ ] Implement secure provisioning procedures
Amazon SageMaker
- [ ] Encrypt all ML data at rest
- [ ] Use VPC connectivity for training jobs
- [ ] Implement least privilege execution roles
- [ ] Monitor for data exfiltration
- [ ] Secure model endpoints with proper authentication
Comprehensive Security Testing
Vulnerability Management
- [ ] Implement regular vulnerability scanning (AWS Inspector)
- [ ] Conduct penetration testing (with AWS approval)
- [ ] Perform regular security assessments
- [ ] Validate security patching effectiveness
- [ ] Track and remediate security findings
Cloud Security Posture Management
- [ ] Use AWS Security Hub for posture management
- [ ] Implement custom security standards
- [ ] Track security scores over time
- [ ] Remediate high-priority findings
- [ ] Document exceptions with justification
Security Architecture Best Practices
Multi-Layer Security
- [ ] Implement defense in depth across all AWS services
- [ ] Use multiple security controls for critical resources
- [ ] Segment environments using accounts and VPCs
- [ ] Implement secure boundaries between environments
- [ ] Document security architecture and controls
Zero Trust Architecture
- [ ] Implement identity-based access control
- [ ] Verify all access attempts regardless of source
- [ ] Use fine-grained permissions for all resources
- [ ] Implement continuous validation and monitoring
- [ ] Document trust boundaries and verification points
AWS Security Services Quick Reference
| Security Domain | Primary Services | Secondary Services |
|---|---|---|
| Identity & Access | IAM, AWS SSO, Cognito | Directory Service, IAM Identity Center |
| Network Security | Security Groups, NACLs, WAF | Shield, Network Firewall, Firewall Manager |
| Data Protection | KMS, CloudHSM, ACM | Macie, Certificate Manager |
| Threat Detection | GuardDuty, Detective | Security Hub, Inspector |
| Compliance | Audit Manager, Config | Artifact, Systems Manager |
| Infrastructure Protection | Shield, Firewall Manager | Systems Manager, Inspector |
| Logging & Monitoring | CloudTrail, CloudWatch | EventBridge, Security Hub |
| Automated Response | Lambda, EventBridge | Systems Manager, Step Functions |
Resource Links & References
AWS Security Documentation
- AWS Security Documentation
- AWS Security Best Practices
- AWS Cloud Security
- AWS Compliance
- AWS Security Blog
Security Frameworks
- AWS Well-Architected Framework – Security Pillar
- Cloud Security Alliance (CSA) Controls
- NIST Cybersecurity Framework
- CIS AWS Foundations Benchmark
- AWS Security Maturity Model