AWS Security Cheat Sheet: Comprehensive Guide to Securing Your Cloud Infrastructure

Introduction

AWS Security is a collection of services, tools, and best practices designed to protect your data, workloads, and infrastructure in the AWS Cloud. Security in AWS follows the shared responsibility model, where AWS secures the infrastructure that runs all services, and you are responsible for securing your data and resources built on top of AWS.

Core Security Services

Identity and Access Management (IAM)

Service | Primary Use | Key Features
IAM | User and access management | Users, groups, roles, policies
AWS SSO/IAM Identity Center | Centralized access management | Single sign-on, directory integration
AWS Organizations | Multi-account management | Consolidated billing, service control policies
AWS Directory Service | Directory management | Active Directory integration
AWS Control Tower | Account governance | Landing zone setup, guardrails

Data Protection

Service | Primary Use | Key Features
AWS KMS | Key management | Encryption key creation and control
AWS CloudHSM | Hardware security modules | FIPS 140-2 Level 3 validation
AWS Certificate Manager | SSL/TLS certificates | Free certificate provisioning and renewal
AWS Secrets Manager | Secret storage | Secret rotation, encryption
AWS Systems Manager Parameter Store | Parameter storage | Hierarchical storage, versioning

Network Security

Service | Primary Use | Key Features
Amazon VPC | Network isolation | Subnets, route tables, NACLs
Security Groups | Instance-level firewall | Stateful packet filtering
Network ACLs | Subnet-level firewall | Stateless packet filtering
AWS WAF | Web application firewall | Request filtering, bot control
AWS Shield | DDoS protection | Standard (free), Advanced (paid)
AWS Network Firewall | Network traffic filtering | Stateful, managed firewall
AWS Firewall Manager | Centralized security management | Policy administration across accounts

Detection & Monitoring

Service | Primary Use | Key Features
Amazon GuardDuty | Threat detection | ML-powered anomaly detection
AWS Security Hub | Security posture management | Compliance checks, findings aggregation
Amazon Inspector | Vulnerability management | Automated assessments
AWS Config | Resource configuration | Configuration history, rules
AWS CloudTrail | API activity logging | User activity, API history
Amazon CloudWatch | Monitoring and observability | Metrics, logs, alarms
Amazon Detective | Security investigation | Root cause analysis
AWS Trusted Advisor | Best practice checks | Performance, security, cost optimization

IAM Best Practices

User Management

  • Use IAM Identity Center (AWS SSO) instead of IAM users when possible
  • Implement MFA for all users, especially the root account
  • Create individual IAM users instead of sharing credentials
  • Rotate credentials regularly
  • Remove unused credentials

Permission Management

  • Follow principle of least privilege
  • Use groups to assign permissions to IAM users
  • Use IAM roles for applications and services
  • Do not share access keys
  • Use permission boundaries for delegation

IAM Policy Types

Policy Type | Description | Use Case
Identity-based | Attached to IAM identities | Grant permissions to users/roles
Resource-based | Attached to resources | Control access to specific resources
Service control policies (SCPs) | Applied to AWS Organizations | Set permission guardrails
Session policies | Passed when assuming roles | Restrict session permissions
Permission boundaries | Set maximum permissions | Delegate admin to others safely

Example IAM Policy (Least Privilege for S3)

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::example-bucket",
        "arn:aws:s3:::example-bucket/*"
      ],
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "192.0.2.0/24"
        }
      }
    }
  ]
}
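The following is an added example, not part of the original cheat sheet: a deliberately simplified IAM evaluator in Python that runs requests against the least-privilege policy above. It models the parts that matter for this page (wildcard action and resource matching, the IpAddress condition, and the explicit-deny-wins rule that an SCP guardrail relies on); SCP allow-lists, resource policies and permission boundaries are not modelled, and S3_READ_POLICY and the helper names are this example's own.

```python
import fnmatch
import ipaddress

# The least-privilege S3 policy from above, as Python data
S3_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
        "Condition": {"IpAddress": {"aws:SourceIp": "192.0.2.0/24"}},
    }],
}

def _matches(patterns, value, fold_case=False):
    # IAM accepts '*' and '?' wildcards; action names are case-insensitive, ARNs are not
    patterns = [patterns] if isinstance(patterns, str) else patterns
    if fold_case:
        return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def _condition_ok(condition, context):
    # Only the IpAddress operator is modelled, since that is what the policy uses.
    # A key missing from the request context never matches (no ...IfExists here).
    for operator, pairs in condition.items():
        if operator != "IpAddress":
            raise NotImplementedError(operator)
        for key, cidrs in pairs.items():
            cidrs = [cidrs] if isinstance(cidrs, str) else cidrs
            if key not in context or not any(
                ipaddress.ip_address(context[key]) in ipaddress.ip_network(c) for c in cidrs
            ):
                return False
    return True

def evaluate(policies, action, resource, context):
    """Decide one request against every statement of every policy in the list:
    'deny' if any matching statement denies, 'allow' if one allows, else 'implicit_deny'."""
    decision = "implicit_deny"
    for policy in policies:
        for st in policy["Statement"]:
            if not (_matches(st["Action"], action, fold_case=True)
                    and _matches(st["Resource"], resource)
                    and _condition_ok(st.get("Condition", {}), context)):
                continue
            if st["Effect"] == "Deny":
                return "deny"   # explicit Deny overrides any Allow
            decision = "allow"
    return decision
```

Passing an SCP-style Deny statement alongside the identity policy shows the guardrail effect: the S3 read is allowed from 192.0.2.0/24 on its own, but becomes an explicit deny once the SCP is in the list.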

VPC Security

VPC Security Components

  • Security Groups: Stateful, allow-only, instance-level firewall
  • Network ACLs: Stateless, allow/deny rules, subnet-level firewall
  • Flow Logs: Capture network traffic information
  • VPC Endpoints: Private connections to AWS services
  • Transit Gateway: Network transit hub for connecting VPCs and on-premises networks

Security Group vs NACL

Feature | Security Group | Network ACL
Scope | Instance level | Subnet level
State | Stateful | Stateless
Rule types | Allow only | Allow and deny
Processing | All rules evaluated | Rules processed in order
Return traffic | Automatically allowed | Requires explicit rules
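An added example (not from the original page) that models the three differences in the table above in Python: ordered first-match evaluation with deny rules for a NACL, unordered allow-only evaluation for a security group, and the explicit outbound rule a stateless NACL needs for return traffic to the client's ephemeral port. The rule sets and the IP ranges are constructed for the example.

```python
import ipaddress

# Constructed rules (not from the original page). A NACL is an ordered list that ends
# in an implicit deny; a security group is an unordered set of allow rules.
NACL_INBOUND = [
    {"rule": 100, "proto": "tcp", "ports": (443, 443), "cidr": "0.0.0.0/0", "action": "allow"},
    {"rule": 110, "proto": "tcp", "ports": (22, 22), "cidr": "203.0.113.0/24", "action": "deny"},
    {"rule": 120, "proto": "tcp", "ports": (22, 22), "cidr": "0.0.0.0/0", "action": "allow"},
]
# Return traffic to clients goes to their ephemeral source ports, so a stateless
# NACL needs an explicit outbound rule covering that range.
NACL_OUTBOUND = [
    {"rule": 100, "proto": "tcp", "ports": (1024, 65535), "cidr": "0.0.0.0/0", "action": "allow"},
]
SG_INBOUND = [{"proto": "tcp", "ports": (443, 443), "cidr": "0.0.0.0/0"}]

def _rule_matches(rule, proto, port, ip):
    lo, hi = rule["ports"]
    return (rule["proto"] == proto and lo <= port <= hi
            and ipaddress.ip_address(ip) in ipaddress.ip_network(rule["cidr"]))

def nacl_decision(rules, proto, port, ip):
    """Stateless and ordered: the lowest-numbered matching rule wins; no match is a deny."""
    for rule in sorted(rules, key=lambda r: r["rule"]):
        if _rule_matches(rule, proto, port, ip):
            return rule["action"]
    return "deny"

def sg_allows(rules, proto, port, ip):
    """Allow-only and unordered: any matching rule admits the packet."""
    return any(_rule_matches(r, proto, port, ip) for r in rules)

def tcp_session_allowed(client_ip, client_port, server_port,
                        nacl_in=NACL_INBOUND, nacl_out=NACL_OUTBOUND, sg=SG_INBOUND):
    """A client's connection succeeds only if the NACL allows the SYN inbound and the
    reply outbound (stateless, both directions checked), and the security group allows
    the SYN inbound (stateful: the reply is admitted by connection tracking)."""
    nacl_ok = (nacl_decision(nacl_in, "tcp", server_port, client_ip) == "allow"
               and nacl_decision(nacl_out, "tcp", client_port, client_ip) == "allow")
    return nacl_ok and sg_allows(sg, "tcp", server_port, client_ip)
```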

VPC Security Best Practices

  • Use private subnets for resources that don’t need internet access
  • Use a bastion host or AWS Systems Manager Session Manager for secure access
  • Implement VPC flow logs for network monitoring
  • Use VPC endpoints to access AWS services privately
  • Implement network segmentation with multiple subnets

Data Protection

Encryption Options

Type | Description | When to Use
Server-side encryption | Data encrypted at rest by AWS | Default protection for most services
Client-side encryption | Data encrypted before sending to AWS | Highly sensitive data, compliance
In-transit encryption | Data encrypted while moving | All internet-facing communications

AWS KMS Key Types

Key Type | Description | Control Level
Customer managed keys (CMK) | Created and managed by you | Full control
AWS managed keys | Created and managed by AWS | Limited control
AWS owned keys | Owned and managed solely by AWS | No control

Data Protection Best Practices

  • Encrypt data at rest and in transit
  • Use AWS KMS for key management
  • Implement S3 bucket policies and ACLs
  • Enable versioning and MFA delete for S3
  • Use AWS Backup for consistent backups
  • Implement DLP (Data Loss Prevention) mechanisms
  • Regularly audit access patterns

Monitoring & Detection

Essential Monitoring Stack

  1. CloudTrail: Enable in all regions, log to a dedicated S3 bucket
  2. Config: Enable configuration recording in all regions
  3. GuardDuty: Enable threat detection in all regions
  4. Security Hub: Centralize security findings
  5. CloudWatch: Set up alarms for suspicious activities

CloudTrail Log Bucket Example (S3 Bucket Policy)

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudtrail.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::my-cloudtrail-bucket/AWSLogs/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudtrail.amazonaws.com"
      },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::my-cloudtrail-bucket"
    }
  ]
}

Detection Best Practices

  • Enable GuardDuty in all regions and accounts
  • Configure Security Hub and enable AWS Foundational Security Best Practices standard
  • Set up CloudWatch alarms for unusual API calls
  • Monitor and alert on root account usage
  • Use AWS Config to detect non-compliant resources
  • Implement automated remediation with AWS Config Rules and Lambda
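As an added example for the monitoring stack and the detection practices above (not part of the original cheat sheet), this Python snippet runs three of the listed checks over CloudTrail records: root account usage, console logins without MFA, and API calls that switch off CloudTrail, GuardDuty or Config. The records are constructed for the example (the account ID and ARNs are not real); the same classify function can be pointed at the Records array of a delivered CloudTrail log file.

```python
import json
# Constructed CloudTrail records (not real logs), trimmed to the fields used below
SAMPLE_RECORDS = [
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "additionalEventData": {"MFAUsed": "No"}, "sourceIPAddress": "198.51.100.23"},
    {"eventName": "StopLogging", "eventSource": "cloudtrail.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "sourceIPAddress": "203.0.113.9"},
    {"eventName": "GetObject", "eventSource": "s3.amazonaws.com",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/app/i-0abc"},
     "sourceIPAddress": "10.0.1.5"},
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
     "additionalEventData": {"MFAUsed": "Yes"}, "sourceIPAddress": "203.0.113.9"},
]

# API calls that switch off or weaken the logging and detection services themselves
LOGGING_TAMPER = {
    "cloudtrail.amazonaws.com": {"StopLogging", "DeleteTrail", "UpdateTrail"},
    "guardduty.amazonaws.com": {"DeleteDetector", "UpdateDetector"},
    "config.amazonaws.com": {"StopConfigurationRecorder", "DeleteConfigurationRecorder"},
}

def classify(record):
    """Return the alert names raised by one CloudTrail record (empty list if clean)."""
    alerts = []
    identity = record.get("userIdentity", {})
    name = record.get("eventName", "")
    if identity.get("type") == "Root":
        alerts.append("root_account_usage")
    if name == "ConsoleLogin" and record.get("additionalEventData", {}).get("MFAUsed") != "Yes":
        alerts.append("console_login_without_mfa")
    if name in LOGGING_TAMPER.get(record.get("eventSource", ""), set()):
        alerts.append("logging_tampering")
    return alerts

def scan(records):
    """Map '<principal ARN>:<eventName>' to its alerts, keeping only records that fired."""
    findings = {}
    for rec in records:
        alerts = classify(rec)
        if alerts:
            findings[f'{rec["userIdentity"]["arn"]}:{rec["eventName"]}'] = alerts
    return findings

def scan_log_file(text):
    """CloudTrail delivers each log file as {"Records": [...]}; scan one such document."""
    return scan(json.loads(text)["Records"])
```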

Incident Response

IR Framework in AWS

  1. Preparation: Establish response plans, implement detective controls
  2. Detection & Analysis: Use GuardDuty, Security Hub, CloudWatch
  3. Containment: Isolate affected resources (security groups, IAM policies)
  4. Eradication: Remove unauthorized access, malware
  5. Recovery: Restore from backups, redeploy clean resources
  6. Post-incident: Lessons learned, improve controls

IR Automation with AWS

  • Use EventBridge to trigger automated responses
  • Implement AWS Lambda functions for automated remediation
  • Create incident response runbooks in Systems Manager
  • Use tagging to track incident-related resources

Sample EventBridge Rule for GuardDuty Findings

{
  "source": ["aws.guardduty"],
  "detail-type": ["GuardDuty Finding"],
  "detail": {
    "severity": [{ "numeric": [">=", 7] }]
  }
}

GuardDuty reports severity as a number that can carry a decimal part (High findings start at 7.0), so the pattern uses EventBridge numeric matching rather than a list of exact integers, which would not match a finding with a severity such as 7.5.

Compliance and Governance

AWS Compliance Programs

  • SOC 1/2/3
  • PCI DSS
  • HIPAA
  • FedRAMP
  • GDPR
  • ISO 27001/27017/27018/9001
  • NIST

Compliance Tools

  • AWS Artifact: Access compliance reports
  • AWS Config: Assess resource compliance
  • AWS Security Hub: Automate compliance checks
  • AWS Audit Manager: Continuous audit evidence collection
  • Service Control Policies: Enforce compliance guardrails

Example AWS Config Rule

{
  "ConfigRuleName": "s3-bucket-public-read-prohibited",
  "Description": "Checks that your S3 buckets do not allow public read access",
  "Scope": {
    "ComplianceResourceTypes": ["AWS::S3::Bucket"]
  },
  "Source": {
    "Owner": "AWS",
    "SourceIdentifier": "S3_BUCKET_PUBLIC_READ_PROHIBITED"
  }
}

Multi-Account Security

AWS Organizations Best Practices

  • Implement a multi-account strategy based on business functions
  • Use AWS Control Tower for account setup and governance
  • Apply SCPs to restrict capabilities within member accounts
  • Centralize logging to a dedicated Security account
  • Use AWS Config Aggregator for multi-account visibility

Sample SCP (Prevent Disabling S3 Block Public Access)

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyChangesToS3BlockPublicAccess",
      "Effect": "Deny",
      "Action": [
        "s3:PutBucketPublicAccessBlock",
        "s3:PutAccountPublicAccessBlock"
      ],
      "Resource": "*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/[SECURITY-ADMIN-ROLE-PLACEHOLDER]"
        }
      }
    }
  ]
}

There is no IAM condition key that exposes the Block Public Access settings, so a StringEquals on s3:PublicAccessBlockConfiguration never matches and a Deny conditioned on it never applies. The guardrail instead denies every change to the bucket- and account-level settings in member accounts unless the caller is the exempted security administrator role (placeholder ARN), with the account-level block expected to be switched on during account provisioning, as in the Day 1 checklist.

Container & Serverless Security

Container Security

  • Use ECR image scanning to detect vulnerabilities
  • Implement least privilege task execution roles
  • Use AWS Fargate for enhanced isolation
  • Use the awsvpc network mode for ECS/EKS tasks
  • Implement runtime monitoring with GuardDuty

Serverless Security

  • Use IAM roles with minimal permissions for Lambda functions
  • Configure Lambda in a VPC when accessing private resources
  • Enable Lambda code signing
  • Set appropriate Lambda timeout values
  • Implement Lambda environment variable encryption

Common Security Challenges and Solutions

Challenge | Solution
Excessive permissions | Implement IAM Access Analyzer
Unencrypted data | Enable default encryption, use AWS KMS
Public resources | Use S3 Block Public Access, Security Hub checks
Credential exposure | Use Secrets Manager, rotate credentials
Insecure configurations | Implement AWS Config rules, Security Hub standards
Account compromise | Enable CloudTrail, GuardDuty, MFA
DDoS attacks | Use Shield, WAF, and secure architecture patterns

Security Assessment Tools

Tool | Purpose | When to Use
IAM Access Analyzer | Find unintended resource access | Regularly for permission review
Trusted Advisor | Check AWS best practices | Baseline assessments
Amazon Inspector | Vulnerability assessment | For EC2, ECR images, Lambda
AWS Config | Configuration compliance | Continuous compliance monitoring
Security Hub | Security posture | Central security management
Prowler (3rd party) | AWS security assessment | Comprehensive account review

Security Automation

Infrastructure as Code (IaC) Security

  • Use AWS CloudFormation Guard or cdk-nag for policy validation
  • Implement CI/CD pipeline security scanning
  • Use AWS Service Catalog for approved templates
  • Implement drift detection

Example CloudFormation Guard Rule

# Select every S3 bucket in the template; the rule is skipped when there are none
let s3_buckets = Resources.*[ Type == 'AWS::S3::Bucket' ]

rule secure_s3_bucket_policy {
  when %s3_buckets !empty {
    %s3_buckets.Properties.PublicAccessBlockConfiguration exists
    %s3_buckets.Properties.PublicAccessBlockConfiguration.BlockPublicAcls == true
    %s3_buckets.Properties.PublicAccessBlockConfiguration.BlockPublicPolicy == true
    %s3_buckets.Properties.PublicAccessBlockConfiguration.IgnorePublicAcls == true
    %s3_buckets.Properties.PublicAccessBlockConfiguration.RestrictPublicBuckets == true
  }
}

Security Response Automation

Common Use Cases for Automation

  • Remediate public resources
  • Rotate compromised keys
  • Isolate compromised instances
  • Snapshot forensic data
  • Block suspicious IP addresses

Sample Remediation Lambda Function (Python)

import boto3

def lambda_handler(event, context):
    # Parse the GuardDuty finding delivered by the EventBridge rule above
    finding = event['detail']
    resource = finding['resource']
    resource_type = resource['resourceType']

    # Only EC2 instance findings carry instanceDetails; reading them first for any
    # other resource type would raise a KeyError, so check the type before that
    if resource_type != 'Instance':
        return {
            'statusCode': 200,
            'body': f'No automated action for resource type {resource_type}'
        }

    instance = resource['instanceDetails']
    resource_id = instance['instanceId']
    ec2 = boto3.client('ec2')

    # Create an isolation security group; it has no inbound rules
    isolation_sg = ec2.create_security_group(
        GroupName=f'isolation-{resource_id}',
        Description='Isolation security group for compromised instance',
        VpcId=instance['networkInterfaces'][0]['vpcId']
    )
    sg_id = isolation_sg['GroupId']

    # A new security group allows all IPv4 outbound traffic by default; revoke
    # that rule so the instance cannot reach out either (add ::/0 for IPv6 VPCs)
    ec2.revoke_security_group_egress(
        GroupId=sg_id,
        IpPermissions=[{
            'IpProtocol': '-1',
            'IpRanges': [{'CidrIp': '0.0.0.0/0'}]
        }]
    )

    # Replace every security group on the instance with the isolation group
    ec2.modify_instance_attribute(
        InstanceId=resource_id,
        Groups=[sg_id]
    )

    return {
        'statusCode': 200,
        'body': f'Instance {resource_id} isolated successfully'
    }

AWS Security Checklist

Day 1 Security Controls

  • [ ] Enable MFA for root and all IAM users
  • [ ] Create dedicated IAM users with least privilege
  • [ ] Set up AWS Organizations with SCPs
  • [ ] Enable CloudTrail in all regions
  • [ ] Configure S3 Block Public Access at account level
  • [ ] Enable GuardDuty in all regions
  • [ ] Set up Security Hub
  • [ ] Configure AWS Config

Weekly Security Tasks

  • [ ] Review GuardDuty findings
  • [ ] Check Security Hub compliance status
  • [ ] Review CloudTrail for unusual activity
  • [ ] Rotate keys and credentials
  • [ ] Update AMIs and containers

Monthly Security Tasks

  • [ ] Run penetration tests (with AWS approval)
  • [ ] Review IAM Access Analyzer findings
  • [ ] Conduct security architecture review
  • [ ] Update incident response runbooks
  • [ ] Review AWS Trusted Advisor recommendations
