Security & Compliance
Secure AWS infrastructure — IAM policies, security groups, encryption, compliance frameworks, and security monitoring.
IAM Best Practices
Enable MFA on root and all privileged accounts. Use roles instead of long-term access keys. Apply least privilege with granular policies. Rotate credentials regularly. Use IAM Access Analyzer to identify overly permissive policies.
Organize accounts with AWS Organizations. Apply Service Control Policies (SCPs) to restrict what actions accounts can perform.
- Never embed access keys in code — use IAM roles
- Use aws sts assume-role for cross-account access
- Generate the IAM credential report regularly for audit compliance
# Create role for EC2 to access S3 (trust policy only; attach an S3
# permissions policy afterwards with aws iam attach-role-policy)
aws iam create-role \
  --role-name EC2-S3-Access \
  --assume-role-policy-document '{
    "Version": "2012-10-17",
    "Statement": [{
      "Effect": "Allow",
      "Principal": {"Service": "ec2.amazonaws.com"},
      "Action": "sts:AssumeRole"
    }]
  }'
Encryption
Encrypt data at rest with AWS KMS (Key Management Service). Encrypt data in transit with TLS/HTTPS. S3, EBS, RDS, and DynamoDB all support encryption with KMS-managed keys.
Use customer-managed KMS keys (CMK) for control over key rotation and access policies. Enable default encryption on all storage services.
# Enable default encryption on S3 bucket
aws s3api put-bucket-encryption \
  --bucket my-bucket \
  --server-side-encryption-configuration '{
    "Rules": [{
      "ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms",
        "KMSMasterKeyID": "arn:aws:kms:us-east-1:123:key/abc"
      }
    }]
  }'
Security Monitoring
AWS CloudTrail logs all API calls for audit. GuardDuty detects threats using ML. Security Hub aggregates findings from multiple services. Config tracks resource configuration changes and compliance.
Enable CloudTrail in all regions with log file validation. Send trails to a dedicated S3 bucket with MFA delete protection.
# Enable GuardDuty
aws guardduty create-detector --enable

# Security Hub enables centralized findings
aws securityhub enable-security-hub

# Config rule: require encrypted volumes
aws configservice put-config-rule \
  --config-rule '{
    "ConfigRuleName": "encrypted-volumes",
    "Source": {
      "Owner": "AWS",
      "SourceIdentifier": "ENCRYPTED_VOLUMES"
    }
  }'
Compliance Frameworks
AWS complies with SOC 1/2/3, PCI DSS Level 1, HIPAA, FedRAMP, ISO 27001, and GDPR. Compliance is a shared responsibility — AWS manages infrastructure, you manage application and data configuration.
Use AWS Audit Manager for continuous compliance assessment. Artifact provides on-demand access to compliance reports.
# Shared responsibility model
# AWS responsible for:
# - Physical security, hypervisor, network infrastructure
# Customer responsible for:
# - IAM, encryption, security groups, patching OS/apps
# - Data classification, network configuration
Incident Response
Prepare an incident response plan before you need it. Enable Detective for investigation. Use Systems Manager Run Command for remote remediation. Isolate compromised instances by modifying security groups.
Automate response with EventBridge rules: detect unauthorized API calls via CloudTrail, trigger Lambda to disable access keys and notify the security team.
# Isolate compromised EC2 instance
aws ec2 modify-instance-attribute \
  --instance-id i-compromised \
  --groups sg-isolation   # Security group with no inbound/outbound rules
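The EventBridge-to-Lambda responder described under Incident Response, as an added example (not code from the original page or from AWS): it takes the CloudTrail record EventBridge delivers, deactivates the long-term IAM access key behind an unauthorized call, and publishes a notification to SNS. Assumed, not from the page: the rule matches records whose errorCode is AccessDenied or UnauthorizedOperation, the function's role holds iam:UpdateAccessKey and sns:Publish, the topic ARN is passed in SECURITY_TOPIC_ARN, and the sample event and key ID are constructed.

```python
"""Responder Lambda for an EventBridge rule on CloudTrail API calls: deactivate
the IAM access key behind an unauthorized call, then notify via SNS.
Assumed (not from the page): rule matches errorCode AccessDenied/Unauthorized-
Operation; role holds iam:UpdateAccessKey + sns:Publish; SECURITY_TOPIC_ARN set."""
import json
import os
UNAUTHORIZED = {"AccessDenied", "UnauthorizedOperation", "Client.UnauthorizedOperation"}
TOPIC_ARN = os.environ.get("SECURITY_TOPIC_ARN", "arn:aws:sns:REGION:ACCOUNT:PLACEHOLDER")

# Constructed sample event, in the shape EventBridge delivers CloudTrail records.
SAMPLE_EVENT = {
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventName": "DeleteTrail", "eventSource": "cloudtrail.amazonaws.com",
        "errorCode": "AccessDenied", "sourceIPAddress": "203.0.113.7",
        "userIdentity": {"type": "IAMUser", "userName": "ci-deployer",
                         "accessKeyId": "AKIAIOSFODNN7EXAMPLE"},
    },
}

def extract_key(event):
    """(user_name, access_key_id) when a long-term IAM-user key made an
    unauthorized call; None for roles, temporary ASIA keys or other errors."""
    detail = event.get("detail", {})
    if detail.get("errorCode") not in UNAUTHORIZED:
        return None
    ident = detail.get("userIdentity", {})
    user, key = ident.get("userName"), ident.get("accessKeyId", "")
    if ident.get("type") != "IAMUser" or not user or not key.startswith("AKIA"):
        return None
    return user, key

def handler(event, context=None, iam=None, sns=None):
    """Lambda entry point; iam/sns clients are injectable so it runs offline."""
    hit = extract_key(event)
    if hit is None:
        return {"action": "ignored"}
    user, key = hit
    if iam is None or sns is None:
        import boto3  # only available/needed inside Lambda
        iam, sns = iam or boto3.client("iam"), sns or boto3.client("sns")
    # Deactivate, don't delete: reversible if it was a false positive, keeps evidence.
    iam.update_access_key(UserName=user, AccessKeyId=key, Status="Inactive")
    d = event["detail"]
    report = {"user": user, "accessKeyId": key, "eventName": d.get("eventName"),
              "sourceIPAddress": d.get("sourceIPAddress")}
    sns.publish(TopicArn=TOPIC_ARN, Subject=f"Access key disabled: {user}",
                Message=json.dumps(report))
    return {"action": "disabled", **report}
```

Temporary credentials (ASIA keys) from assumed roles are skipped on purpose; revoking those is a different action (updating the role's session policy) and is out of scope here.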