Security Best Practices Checklist

In August 2019, CapitalOne suffered a security breach that exposed more than 100 million credit card applications and bank account numbers. The attacker was a former employee, who took undue advantage of access to the company’s AWS accounts. If such a devastating attack can come as a result of an internal user breach, imagine the consequences of an external attack. 

While the CapitalOne breach is somewhat of a worst case scenario, even a few hours of downtime, data losses, poor user management, privacy ignorance or minor threats invite adverse risks, which can be costly. AWS’s shared responsibility model clearly indicates that certain aspects of AWS security fall in your hands; and you become solely responsible. To begin with, you must make yourself familiar with the AWS security model and utilize the features they’ve built out for you. 

AWS has elucidated on innumerable security best practices, which can be difficult to track and prioritize. So we’ve made it easier, and developed a checklist of the most high priority best practices, that you must follow to proactively prevent threats.


  • Avoid using AWS root account user access keys as it gives full access to all resources
  • MFA authentication is enabled for the root account to provide two-factor authentication
  • Assign individual IAM users with necessary permissions to enable login
  • Ensure User Accounts also have MFA authentication
  • IAM Access Keys must be rotated at periodic intervals 
  • Ensure a strong password policy for users
  • Assign permissions to users based on User Groups, instead of individual IAM users
  • Provide access to a resource through IAM Roles 
  • Grant least access while creating IAM Policies, needed to perform the necessary actions
  • Attach IAM Policies to Groups or Roles on creation
  • If required, conditions can be defined for Policies under which access is granted to a resource
  • Get rid of unnecessary IAM credentials, those with are inactive or unused 
  • Use IAM Roles to grant access to applications on EC2 Instances


  • Ensure S3 buckets are not publicly accessible (public read or write permissions) - users can enable ‘Amazon S3 block public access’ 
  • Make use of object-level or bucket-level permissions in addition to IAM Policies to grant access to resources  
  • Enable MFA Delete to prevent accidental deletion of buckets
  • Consider encryption of stored data, which can be done in two ways -- server-side and client-side encryption
  • Enable encryption of inbound and outbound data traffic, through SSL endpoints  
  • Configure S3 lifecycle management through rule-based actions and use versioning to store and retrieve multiple versions of an object in a bucket, to deal with accidental deletions
  • Ensure S3 access logging is enabled 
  • Constantly audit and monitor S3 buckets using CloudWatch metrics


  • Ensure data and disk volumes in EBS are encrypted with AES-256, the industry standard algorithm
  • Restrict access to instances from limited IP ranges using Security Groups
  • Limit the range of open ports on EC2 security groups, to prevent exposure to vulnerabilities 
  • Ensure ELBs have a valid security group attached to it
  • Monitor and optimize default security groups, as they allow unrestricted access for inbound and outbound traffic 
  • Ensure restricted inbound access to SSH, FTP, SMTP, MySQL, PostgreSQL, MongoDB, MSSQL, CIFS, etc; to required entities only
  • Use IAM roles to grant access to EC2, instead of access keys for temporary requirements
  • If you’re using IAM user access keys for long term permissions, ensure that you don’t embed the keys directly into code, generate different keys for different applications, rotate your access keys, use MFA authentication and decommission unused key pairs.    
  • Enable and activate your VPC flow logs to record inbound and outbound traffic in your VPC for better monitoring and early diagnosis 
  • Delete unused Virtual Private Gateways and VPC Internet Gateways
  • Make sure that no VPC endpoints are exposed, by checking the principal value in the policy 
  • Ensure no ACLs allow unrestricted inbound or outbound access 


  • Ensure CloudTrail is activated across all regions, and for global services like IAM, STS, etc
  • It is recommended to log to a centralized S3 bucket
  • Make sure both CloudTrail itself and CloudTrail logging are enabled for all regions 
  • Ensure CloudTrail log file integrity validation is enabled 
  • Ensure CloudTrail log files are encrypted 


  • Ensure RDS security groups do not allow unrestricted access 
  • Ensure encryption of the RDS instances and snapshots, using AES-256 level encryption
  • Protect data in transit to RDS through SSL endpoints
  • Monitor control to RDS using AWS KMS and Customer Managed Keys
  • Configure AWS Secrets Manager to automatically rotate the secrets for Amazon RDS
  • Ensure RDS database instances and snapshots are not publicly accessible
  • Enable the auto minor upgrade feature for RDS


  • Enable require_ssl parameter in all Redshift clusters to minimize risk for encryption of data in transit for Redshift, and to connect your SQL client with your cluster
  • Enable Redshift Cluster encryption
  • Ensure Redshift user activity logging is enabled
  • Ensure Redshift encryption with KMS Customer Managed Keys 
  • It is recommended that Redshift clusters are launched within a VPC for better control 
  • Ensure that the Redshift clusters are not publicly accessible

The foremost requirement when it comes to ensuring a secure infrastructure is complete visibility. In simple terms, how can you take preventive action if you don’t even know what’s wrong? Use this checklist to make sure you are doing what it takes to keep your infrastructure risk-free; or you can let us automate it for you. If you want to receive detailed ‘Security Insights’ for your cloud with minimal effort, and go a step further to auto-remediate any risks, sign up for a free trial!

Security Best Practices Checklist

Smart Scheduling at your fingertips

Go from simple to smart, real-time AWS resource scheduling to save cost and increase team productivity.

Learn More
More Posts

You Might Also Like

DevOps World
Effective Transition to Remote Working for DevOps
The COVID-19 pandemic has changed the work culture among DevOps, take advantage of these proven strategies to maintain productivity. Everything from cloud migration to automation tools and work culture is addressed to keep you going strong.
April 6, 2020
Cloud Parking
Our automated Cloud Parking offers more scalability and flexibility than the standard AWS Instance Scheduler, guaranteeing you reasonable billing of your Cloud Architecture.
March 24, 2020
AWS Tips & Tricks
The Proven Practices for Successful AWS Cost Optimization
Running your AWS cloud architecture can be expensive, you need to adopt strategies that tried and tested to bring down your expenses. Here are the best AWS cost optimization strategies available currently.
March 4, 2020
AWS Tips & Tricks
AWS Cost Optimization Checklist
Want to cut down on the costs of maintaining your cloud services? Here's a list of things you need to make sure when running your AWS architecture.
March 2, 2020
AWS Tips & Tricks
How to Schedule RDS Instances with an AWS Lambda function?
Save your costs with scheduled operation of your database. Start and stop the RDS instances manually with python Lambda functions.
February 25, 2020
Introducing the TotalCloud Smart Scheduler
Announcing the launch of the TotalCloud Resource Scheduler! Take complete advantage of AWS's 'pay for what you consume' model by putting a power control for every AWS resource that you use.
January 14, 2020