AWS Security Best Practices Checklist - Cloudelligent
The subjects are generally the same as for on-premises infrastructure, but they require a specific analysis tied to the technical and organizational particularities of the Cloud, and to the power of the tools offered by AWS.
Based on a shared responsibility model, AWS supports the security of the lower layers and infrastructure and provides its customers with the tools to secure their applications and data. It is therefore up to each company using the AWS cloud to optimize the security of its platform and applications.
To do this, the different resources offered by AWS must be implemented according to the needs and constraints of each organization.

Follow these best practices to protect your cloud data:



The first principle for greater security concerns the scope of action: it is essential to secure every layer of the environment and to verify this in depth with distinct security controls (for example, the network edge, VPC, subnets, load balancers, each instance, the operating system, and the applications). The most common mistake is to focus exclusively on the outermost layer.
Every AWS service implements its own security mechanisms, built on a common structure and common tools (IAM policies in particular).
The creation of these secure architectures, including their security implementation, can and should be managed as code, in versioned and controlled templates. This guarantees the traceability of changes and makes any rollback easier.


It is important to audit the configuration of your AWS resources regularly. This lets you monitor and control the parameters that are under your responsibility (see the introduction). You therefore need to verify that the configuration of your services and applications matches your requirements and your internal compliance directives.
Given the large number of states and parameters to oversee, it is strongly recommended to automate the verification of compliance with security “good practices”: automated security audits let you evolve safely, faster and at lower cost, and when something is wrong you can identify the source of the security breach and correct it quickly.
Prepare for security incidents and breaches, for example by having an incident management process with scenarios graded by criticality that match your organization's requirements. Run incident response simulations and use tooling to increase your speed of detection, investigation, and recovery.

The AWS Config service also lets you record and evaluate the configurations of your resources and how they change over time. Continuous monitoring and automatic evaluation can be set up as well. The service provides a change history, a security analysis and a diagnosis of operational failures.
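As an added illustration (not code from the original page or from AWS) of the automated configuration checks described above, here is the evaluation logic of a custom AWS Config rule: it inspects a security group's configuration item and flags administrative ports (SSH, RDP) that are open to the whole internet. The sample event, the security group id and the port list are constructed for the example; a deployed rule would additionally submit the returned dict through the Config PutEvaluations API.

```python
import json

# Admin ports that must never be reachable from the whole internet
# (assumption: in a deployed rule this list would come from the rule parameters).
ADMIN_PORTS = {22, 3389}
ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"

def _cidrs(rule):
    # Accept both Config formats: plain CIDR strings or {"cidrIp": ...} / {"cidrIpv6": ...} dicts.
    v4 = [r["cidrIp"] if isinstance(r, dict) else r for r in rule.get("ipRanges", [])]
    v6 = [r["cidrIpv6"] if isinstance(r, dict) else r for r in rule.get("ipv6Ranges", [])]
    return v4 + v6

def open_admin_ports(sg_configuration):
    """Return the admin ports that at least one inbound rule opens to 0.0.0.0/0 or ::/0."""
    found = set()
    for rule in sg_configuration.get("ipPermissions", []):
        proto = rule.get("ipProtocol")
        if proto not in ("tcp", "-1"):
            continue
        # ipProtocol "-1" means every port; otherwise fromPort..toPort is the range.
        lo = 0 if proto == "-1" else rule.get("fromPort", 0)
        hi = 65535 if proto == "-1" else rule.get("toPort", 65535)
        if any(c in (ANY_V4, ANY_V6) for c in _cidrs(rule)):
            found |= {p for p in ADMIN_PORTS if lo <= p <= hi}
    return found

def evaluate(event):
    """Build the evaluation dict that a Config rule submits via PutEvaluations."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    if item["resourceType"] != "AWS::EC2::SecurityGroup":
        compliance, note = "NOT_APPLICABLE", "rule only covers security groups"
    else:
        ports = open_admin_ports(item["configuration"])
        compliance = "NON_COMPLIANT" if ports else "COMPLIANT"
        note = f"admin ports open to the internet: {sorted(ports)}" if ports else "no admin port exposed"
    return {"ComplianceResourceType": item["resourceType"], "ComplianceResourceId": item["resourceId"],
            "ComplianceType": compliance, "Annotation": note,
            "OrderingTimestamp": item["configurationItemCaptureTime"]}

# Constructed sample event (not from a real account): SSH and HTTPS both open to the world.
SAMPLE_EVENT = {"invokingEvent": json.dumps({"configurationItem": {
    "resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0123456789abcdef0",
    "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
    "configuration": {"ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": [{"cidrIp": "0.0.0.0/0"}]},
        {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipRanges": [{"cidrIp": "0.0.0.0/0"}]}]}}})}
```

Calling `evaluate(SAMPLE_EVENT)` yields a NON_COMPLIANT evaluation because port 22 is exposed, while the HTTPS rule alone would pass.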



To err is human, so it is recommended to limit access to data as much as possible. Develop mechanisms and tools that eliminate the need for direct access to, or manual processing of, data. This greatly reduces the risk of loss, unwanted modification and human error when handling sensitive data.

Depending on the use cases, it is appropriate to use different AWS accounts, or different Virtual Private Clouds, to partition your data. This partitioning makes it possible to define distinct configurations, such as different connectivity options for each section concerned, and to apply different security levels according to the confidentiality and sensitivity of the data involved.

Each Virtual Private Cloud (VPC) can be configured as you wish: with public or private subnets, with or without internet access, with the security layers you determine, etc.

These VPCs can easily be connected, robustly and securely, to other networks or to on-premises data centers.

Using multiple AWS accounts is another way to improve security: administrators are given rights specific to each account, and, for example, audit trails can be accessed, and above all purged, only by a very small number of people.


AWS allows you to set up strict and robust rules concerning identity management:

>Apply the principle of minimum and sufficient rights (least privilege),
>Enforce separation of duties, with the appropriate authorization for each interaction with your AWS resources,
>Centralize authorization management,
>Reduce and, if possible, eliminate dependence on long-term credentials.
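To make the least-privilege principle above concrete, here is an added example (not from the original page or from AWS) of a small audit routine that flags IAM policy statements granting far more than a principal needs: wildcard actions, `Resource: "*"` without a condition, and `iam:PassRole` on every role. The two policies, the bucket name, the role name and the account id are constructed for the example.

```python
import json

# Constructed policy: the kind of over-broad statements that violate least privilege.
OVERLY_BROAD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["iam:PassRole", "sts:AssumeRole"], "Resource": "*"}]})

# Constructed policy scoped to one bucket and one role (assumed names and account id),
# with a condition that restricts which service the role may be passed to.
SCOPED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-app-data/*"},
    {"Effect": "Allow", "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::111122223333:role/example-app-role",
     "Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}}}]})

def _as_list(value):
    # IAM allows a single string or a list for Statement, Action and Resource.
    return value if isinstance(value, list) else [value]

def find_least_privilege_violations(policy_json):
    """Return (statement index, reason) pairs for every Allow statement that is too broad.

    Limitation: statements using NotAction / NotResource are not analysed here."""
    findings = []
    for i, st in enumerate(_as_list(json.loads(policy_json)["Statement"])):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        if any(a == "*" for a in actions):
            findings.append((i, "Action '*' grants every API call"))
        elif any(a.endswith(":*") for a in actions):
            findings.append((i, "service-wide wildcard action"))
        if "*" in resources and "Condition" not in st:
            findings.append((i, "Resource '*' with no Condition"))
        if "iam:PassRole" in actions and "*" in resources:
            findings.append((i, "iam:PassRole on every role lets the principal hand any role to a service"))
    return findings
```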

When deploying an architecture on AWS, your organization should seek to optimize data security by controlling access. Different rights must be granted to several categories of users: not all have the same needs, so they should not have the same access to the infrastructure.

“AWS Identity and Access Management (IAM) Practices” provides AWS's best practices for setting up and operating IAM, and the “AWS Security Checklist” lists the items required to secure AWS resources. Some people only need read permissions; others must be able to deploy virtual machines or access advanced functionality.

Applications also need rights to access data. IAM also makes it possible to delegate authentication to a corporate directory, which consolidates authorization management and mechanically limits the risk of inconsistencies and errors.

Amazon Cognito also lets you manage the users of mobile applications at scale, and AWS offers a managed implementation of industry-standard directories.

With a migration to the AWS cloud, each user or application can be given its own identity, so that the maximum level of security is maintained.



It is essential to protect data in transit and at rest: after classifying your data according to its confidentiality, implement mechanisms such as encryption, tokenization and access control where required.
To optimize data security in the AWS cloud, key management must be set up according to your requirements or regulations. Good practices include, in particular, defining key rotation, restricting the users who have access to keys and monitoring their use.

The AWS Key Management Service (KMS) is used to create and manage keys. It is fully managed, leaving you free to concentrate on encrypting your stored data. You can easily rotate keys automatically, import them from your own infrastructure, define the conditions of their use or monitor their activity. Keys can never be retrieved in plaintext, which guarantees total security; they can be temporarily disabled or deleted as required. These keys are then used to encrypt the data of 52 AWS services, including data from servers and managed databases.


Activate traceability: monitor, alert on and audit actions and changes made to your environment in real time. Integrate metrics into your systems so that you can respond and take action automatically.

To protect your AWS cloud, it is important to track user activity and application usage. Risk management and compliance guarantees are central missions across your entire network. You must be able to detect threats to your infrastructure by identifying vulnerabilities.

AWS CloudTrail is the service for continuous monitoring of the actions carried out on your infrastructure. It presents a history of the events in your AWS account, which simplifies compliance audits. All activity is recorded, so problems can be traced in the change history. With Amazon CloudWatch Events, detecting vulnerabilities is made easier with the help of automated workflows.
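As an added example of the traceability and alerting described above (not code from the original page or from AWS), the following detection logic runs over CloudTrail records and raises alerts for root-account activity, successful console logins without MFA, and changes that weaken the trail itself; in production the same function would sit behind a CloudWatch Events (EventBridge) rule on the CloudTrail event stream. The records, user names, account id and IP addresses are constructed for the example, with field names following the CloudTrail record format.

```python
import json

# Constructed CloudTrail records (not from a real account); field names follow the CloudTrail record format.
SAMPLE_RECORDS = [
    {"eventTime": "2024-01-01T08:00:00Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}, "sourceIPAddress": "198.51.100.10",
     "additionalEventData": {"MFAUsed": "Yes"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-01-01T08:05:00Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root"}, "sourceIPAddress": "203.0.113.7",
     "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-01-01T08:09:00Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}, "sourceIPAddress": "203.0.113.7",
     "requestParameters": {"name": "example-org-trail"}},
    {"eventTime": "2024-01-01T08:10:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/ReadOnly/ci"},
     "sourceIPAddress": "198.51.100.20"},
]

# CloudTrail API calls that reduce or stop the audit trail; any of them deserves an alert.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}

def detect(record):
    """Return the alert names this single record triggers (empty list when benign)."""
    alerts = []
    identity = record.get("userIdentity", {})
    if identity.get("type") == "Root":
        alerts.append("root-account-activity")
    if (record.get("eventName") == "ConsoleLogin"
            and record.get("responseElements", {}).get("ConsoleLogin") == "Success"
            and record.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
        alerts.append("console-login-without-mfa")
    if record.get("eventSource") == "cloudtrail.amazonaws.com" and record.get("eventName") in TRAIL_TAMPERING:
        alerts.append("cloudtrail-tampering")
    return alerts

def scan(records):
    """Run every record through detect() and return one finding dict per alert, in record order."""
    findings = []
    for r in records:
        identity = r.get("userIdentity", {})
        actor = identity.get("userName") or identity.get("arn") or identity.get("type")
        for name in detect(r):
            findings.append({"alert": name, "time": r["eventTime"], "event": r["eventName"],
                             "actor": actor, "source_ip": r.get("sourceIPAddress")})
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_RECORDS):
        print(json.dumps(finding))
```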



Threat detection is a preventive approach that enables a rapid reaction to hostile external actions and the implementation of countermeasures that render those actions ineffective.

This detection must cover the technical perimeter as well as the applications, which are equally exposed through their vulnerabilities.

AWS offers five services for setting up prevention mechanisms, whose common point is an extremely short implementation time. This is made possible in particular by machine learning coupled with threat-intelligence feeds to identify the signatures of attacks on infrastructure (Amazon GuardDuty) or on applications (Amazon Inspector), or to identify objects containing data subject to specific regulations (Amazon Macie). In addition, AWS WAF lets you restrict access to applications by applying specific filtering, and AWS Shield protects against DDoS attacks.

Finally, security is a complex subject that should not be taken lightly; it is often necessary to be accompanied by organizations for which this is their profession and area of expertise.