Cloud Misconfiguration Guide

Enable 'Block Public Access' at the account level and on each bucket. Use bucket policies that restrict access to specific IAM principals or VPC endpoints. Audit existing buckets with AWS Trusted Advisor or S3 Storage Lens.

Restrict inbound rules to specific CIDR ranges (office VPN, VPC CIDR) or use AWS Systems Manager Session Manager for shell access instead of SSH. Implement a security group change monitoring process.

Rotate keys every 90 days. Migrate to IAM roles for EC2/Lambda/ECS workloads. Use IAM Identity Center for human access. Set up an IAM credential report schedule and automated key rotation via AWS Config rules.

Replace wildcards with specific actions. Use IAM Access Analyzer to identify overly broad policies. Implement permission boundaries and service control policies (SCPs) at the organization level.

Enable EBS encryption by default in all regions. Use AWS KMS customer-managed keys for sensitive workloads. Audit existing unencrypted volumes and create encrypted copies.

Create an organization trail covering all regions with SSE-KMS encryption and log file validation enabled. Ship logs to a dedicated S3 bucket with restricted access. Set up CloudWatch alarms for trail changes.

Set PubliclyAccessible to false. Place RDS instances in private subnets. Use a bastion host or Session Manager for administrative access. Enable RDS encryption and deletion protection.

Enable VPC flow logs on all VPCs. Publish to CloudWatch Logs or S3. Set up metric filters to alert on anomalous traffic patterns (port scans, excessive denied requests).

Design custom VPCs with properly sized CIDR blocks, public/private/database subnets across multiple AZs. Migrate resources from default VPCs. Tag custom VPCs clearly.

Scope Lambda execution roles to the minimum required actions and resources. Use resource-based policies to restrict cross-account invocation. Enable Lambda code signing and runtime version pinning.

Set endpoint access to private-only or public+private with restricted CIDR ranges. Enable control plane logging (API server, audit, authenticator). Enforce pod security standards and network policies.

Enable AWS Config in all regions. Deploy managed rules for CIS, PCI-DSS, and custom organizational requirements. Set up automatic remediation actions for common violations.

Enable automatic key rotation on all customer-managed KMS keys (rotates annually). For higher security, implement manual rotation every 90 days for highly sensitive data encryption keys.

Enable GuardDuty in all regions supported. Configure findings export to S3. Integrate with Security Hub and EventBridge for automated response to threat findings.

Use AWS Backup to create automated backup plans with cross-region copies. Define recovery point objectives (RPO) and recovery time objectives (RTO). Test restores quarterly.

Use AWS Secrets Manager or Parameter Store (SecureString) for all secrets. Implement secret rotation. Scan repositories with tools like git-secrets. Use IAM roles instead of static credentials.

Regularly audit resources with AWS Resource Explorer and Trusted Advisor. Tag all resources with owner and project. Implement automated cleanup for non-production resources.

Redirect HTTP to HTTPS. Use the latest TLS security policy. Enable SNI. Configure Origin Shield for additional caching layer. Set minimum SSL protocol to TLSv1.2.

Add sts:ExternalId condition to all cross-account trust policies. Use unique, unguessable external IDs. Audit cross-account roles regularly.

Apply SCPs that deny disabling CloudTrail, Config, GuardDuty, and Security Hub. Restrict root user actions. Prevent leaving the organization without approval. Start with allow-list approach for new accounts.

Enable encryption with KMS. Place clusters in private subnets. Enable audit logging and require SSL connections. Rotate database credentials with Secrets Manager.

Lock away root credentials. Enable MFA on root. Create IAM users with admin permissions for daily tasks. Set up CloudWatch alarms for any root activity. Follow the security best practice of zero standing root usage.

Deploy AWS WAF with managed rules (AWS Core, SQL injection, XSS). Enable rate-based rules for DDoS protection. Configure logging to S3 or CloudWatch. Review and update rules monthly.

Design multi-tier VPC architecture: public subnets for load balancers, private for application, isolated for databases. Use security groups as micro-segmentation. Implement VPC endpoints for AWS service access.

Set up EventBridge rules to trigger Lambda functions for automated response (e.g., isolate compromised instance, revoke exposed keys, snapshot forensic evidence). Integrate with PagerDuty or Slack for alerts. Document and test runbooks.