AWS Security Controls and Best Practices

AWS security controls span identity governance, network segmentation, data protection, threat detection, and compliance automation across a shared infrastructure model that serves organizations ranging from early-stage startups to federal agencies operating under FedRAMP authorization. This page maps the structure of AWS-native security capabilities, the regulatory frameworks that govern their deployment, the classification boundaries between control types, and the operational tradeoffs practitioners encounter when designing compliant cloud environments.

Definition and scope

AWS security controls are the configuration states, service features, policy constructs, and automated enforcement mechanisms that restrict, monitor, and audit access to resources running within the Amazon Web Services environment. The scope extends across compute, storage, networking, identity, and application layers and is bounded by the shared responsibility model, under which AWS secures the underlying physical infrastructure while the customer is accountable for operating system hardening, identity configuration, data classification, and application-layer controls.

The AWS Well-Architected Framework, published by Amazon Web Services, defines the Security Pillar as one of six pillars and organizes controls into seven design principles: implementing a strong identity foundation, enabling traceability, applying security at all layers, automating security best practices, protecting data in transit and at rest, keeping people away from data, and preparing for security events. These principles correspond directly to control categories recognized in NIST SP 800-53 Rev 5 and the CIS AWS Foundations Benchmark, the two most widely referenced external control frameworks for AWS deployments.

Cloud security compliance frameworks applied to AWS environments include FedRAMP (mandatory for federal agencies), HIPAA (for covered healthcare entities), PCI DSS (for payment card data), and SOC 2 Type II (for service organizations). Each framework maps to specific AWS services and configuration requirements.

Core mechanics or structure

AWS security controls operate through five distinct functional layers that compose an end-to-end defense architecture.

Identity and Access Management (IAM). AWS IAM governs authentication and authorization for all AWS API calls. Controls include IAM policies (identity-based and resource-based), permission boundaries, Service Control Policies (SCPs) applied at the AWS Organizations level, and IAM roles for service-to-service access. IAM Access Analyzer, a native service, identifies resource policies that grant external access. The cloud identity and access management discipline covers the broader IAM architecture pattern in detail.

Network Controls. Virtual Private Cloud (VPC) constructs enforce network segmentation. Security Groups act as stateful instance-level firewalls. Network ACLs (NACLs) provide stateless subnet-level filtering. AWS Network Firewall enables deep packet inspection. VPC Flow Logs capture IP traffic metadata. AWS PrivateLink allows private connectivity to AWS services without traversing the public internet.

Data Protection. AWS Key Management Service (KMS) manages symmetric and asymmetric encryption keys with FIPS 140-2 validated hardware security modules (HSMs). AWS CloudHSM provides dedicated single-tenant HSM capacity. S3 Block Public Access, S3 Object Lock, and server-side encryption settings enforce data-at-rest protections. TLS enforcement is configurable at load balancer and API Gateway levels. The cloud data encryption reference covers key hierarchy design in depth.

Detection and Monitoring. AWS CloudTrail records API activity across all regions. AWS Config tracks resource configuration state and evaluates conformance rules. Amazon GuardDuty applies machine learning to CloudTrail, VPC Flow Logs, and DNS logs to detect threats including credential exfiltration and cryptocurrency mining. AWS Security Hub aggregates findings across GuardDuty, Inspector, Macie, and third-party sources against the AWS Foundational Security Best Practices standard.

Automation and Remediation. AWS Config Rules, AWS Systems Manager Automation, and AWS Lambda functions enable automated remediation of non-compliant resource states. AWS Control Tower provides guardrails — preventive (using SCPs) and detective (using Config Rules) — for multi-account environments.

Causal relationships or drivers

The density of AWS security control adoption is driven by three primary factors: regulatory mandate, breach economics, and platform complexity growth.

Regulatory mandates impose specific configuration requirements. FedRAMP High authorization, administered by the General Services Administration (GSA), requires 421 controls mapped to NIST SP 800-53 Rev 5. FedRAMP requirements that apply to AWS GovCloud workloads include specific encryption, audit logging, and incident response configurations. HIPAA's Security Rule (45 CFR Part 164), enforced by the HHS Office for Civil Rights, requires access controls, audit controls, and transmission security — all of which map to IAM, CloudTrail, and TLS configurations in AWS.

Breach economics influence control investment. The average per-record cost of a healthcare data breach reached $10.93 million in 2023 (IBM Cost of a Data Breach Report 2023), creating financial pressure to implement preventive controls rather than rely solely on incident response.

Platform complexity growth — AWS offers over 200 services — increases attack surface. Cloud misconfiguration risks represent the leading cause of cloud-native breaches, according to the Cloud Security Alliance. Each new service introduction (such as Amazon Bedrock for generative AI) introduces new IAM permission surfaces and data flow patterns requiring control review.

Classification boundaries

AWS security controls classify into four operational categories aligned with NIST SP 800-53 control families:

Preventive controls block actions before they occur. Examples: SCPs that deny creation of public S3 buckets, IAM permission boundaries, AWS WAF rules blocking known-malicious IP ranges, and VPC security group rules.

Detective controls identify events or conditions after they occur. Examples: CloudTrail, GuardDuty findings, Config Rules flagging non-compliant resources, and Amazon Macie identifying sensitive data in S3.

Corrective controls restore a secure state after a violation. Examples: Lambda-triggered remediation functions, Systems Manager automation runbooks, and automated snapshot restoration. Cloud security incident response frameworks define when corrective controls activate.

Compensating controls substitute for primary controls when architectural constraints prevent direct implementation. AWS documentation and the PCI DSS council both recognize compensating controls in formal assessments, though they require documented risk acceptance.

A second classification dimension distinguishes account-level controls (applied through AWS Organizations, Control Tower guardrails, and IAM account settings) from resource-level controls (applied through resource-based policies, bucket policies, KMS key policies, and security groups). Governance architectures typically deploy both layers.

Tradeoffs and tensions

Least privilege versus operational velocity. Strict IAM least privilege reduces blast radius but increases policy management overhead. Wildcard permissions accelerate development but create overpermissioned identities. The cloud privileged access management domain addresses just-in-time access models that partially resolve this tension.

Encryption key control versus key availability. Customer-managed KMS keys (CMKs) provide full control over key lifecycle and access but introduce availability risk if key policies are misconfigured or CMKs are accidentally deleted. AWS-managed keys offer higher availability with less granular control.

Centralized logging versus data residency. Aggregating CloudTrail logs to a central security account improves tamper resistance but may conflict with data residency requirements in regulated industries operating in specific AWS regions.

Guardrail coverage versus service adoption. Aggressive preventive SCPs at the AWS Organizations level can block legitimate service usage, creating shadow IT pressure where teams circumvent governance to meet delivery timelines. Control Tower's guardrail model distinguishes mandatory from elective guardrails specifically to manage this tension.

Automated remediation versus change management. Auto-remediation of non-compliant Config Rules improves security posture but can trigger unplanned configuration changes that break application dependencies. Mature governance programs stage automated remediation through change advisory processes.

Common misconceptions

Misconception: AWS manages security of all resources by default. The shared responsibility model explicitly allocates customer responsibility for identity configuration, OS patching on EC2 instances, application security, and data classification. AWS secures hardware, hypervisor, and managed service infrastructure.

Misconception: Enabling CloudTrail alone satisfies audit logging requirements. CloudTrail records API calls but does not capture application-layer events, OS-level activity on EC2 instances, or database query logs. Comprehensive audit coverage requires CloudWatch Logs, VPC Flow Logs, RDS audit logs, and application logging independently configured.

Misconception: S3 Block Public Access eliminates all data exposure risk. Block Public Access prevents public ACL and policy configurations but does not prevent overly permissive IAM policies that grant cross-account or federated identity access to bucket contents.

Misconception: Multi-factor authentication (MFA) on the root account is sufficient account hardening. AWS security best practices as documented in the CIS AWS Foundations Benchmark v3.0 specify MFA for all IAM users with console access, hardware MFA for root, and root account credential non-use — four distinct requirements, not one.

Misconception: FedRAMP authorization of an AWS region authorizes the customer's application. AWS holds FedRAMP authorizations for specific services (documented in the FedRAMP Marketplace). Customer applications must obtain their own Authority to Operate (ATO) based on the customer-controlled portions of the control set.

Checklist or steps

The following sequence reflects the control implementation order recommended by the AWS Security Hub Foundational Security Best Practices standard and the CIS AWS Foundations Benchmark:

  1. Root account hardening — Enable hardware MFA on root; create no access keys for root; disable root account routine use.
  2. AWS Organizations and Control Tower deployment — Establish a multi-account structure with dedicated security, logging, and audit accounts.
  3. IAM baseline — Enforce MFA for all console-access IAM users; apply password policy meeting 14-character minimum length; eliminate unused credentials older than 90 days.
  4. CloudTrail activation — Enable CloudTrail in all regions with log file validation; deliver logs to a centralized S3 bucket with MFA Delete enabled and versioning active.
  5. AWS Config activation — Enable AWS Config in all regions; deploy AWS Foundational Security Best Practices conformance pack.
  6. GuardDuty activation — Enable GuardDuty across all accounts in the organization; configure SNS notification for high-severity findings.
  7. Security Hub activation — Enable Security Hub; subscribe to CIS AWS Foundations Benchmark standard and AWS Foundational Security Best Practices standard.
  8. Network baseline — Remove default VPC or restrict default security group to zero inbound/outbound rules; enable VPC Flow Logs.
  9. S3 hardening — Enable S3 Block Public Access at account level; enable server-side encryption with KMS for all buckets containing sensitive data; enable access logging.
  10. KMS key policy review — Audit all CMK key policies for overly permissive principal lists; rotate symmetric keys annually per NIST SP 800-57 Part 1 recommendations.
  11. IAM Access Analyzer — Enable IAM Access Analyzer in every region to identify externally accessible resources.
  12. Incident response runbook — Document AWS-specific IR procedures referencing CloudTrail query patterns, GuardDuty finding types, and isolation playbooks aligned with cloud security incident response standards.

Reference table or matrix

Control Domain Primary AWS Service(s) Relevant Framework Control Category
Identity & Access IAM, AWS Organizations, IAM Identity Center NIST SP 800-53 AC, IA families; CIS Section 1 Preventive
Privileged Access AWS IAM, AWS CloudShell, IAM Roles Anywhere NIST SP 800-53 AC-6; CIS Section 1.16–1.20 Preventive
Network Segmentation VPC, Security Groups, NACLs, Network Firewall NIST SP 800-53 SC family; CIS Section 5 Preventive
Audit Logging CloudTrail, CloudWatch Logs, VPC Flow Logs NIST SP 800-53 AU family; CIS Section 3 Detective
Configuration Management AWS Config, Control Tower NIST SP 800-53 CM family; CIS Section 3 Detective
Threat Detection GuardDuty, Amazon Macie, Inspector v2 NIST SP 800-53 SI family; CIS Section 4 Detective
Data Encryption at Rest KMS, CloudHSM, S3 SSE NIST SP 800-53 SC-28; FIPS 140-2 Preventive
Data Encryption in Transit ACM, ALB TLS policies, API Gateway NIST SP 800-53 SC-8; PCI DSS Req. 4 Preventive
Vulnerability Management Inspector v2, Systems Manager Patch Manager NIST SP 800-53 RA family Detective / Corrective
Incident Response CloudTrail Lake, Security Hub, Lambda automation NIST SP 800-61 Rev 2; FedRAMP IR controls Corrective
Compliance Reporting Security Hub, AWS Audit Manager FedRAMP, HIPAA, PCI DSS, SOC 2 Detective
Key Management AWS KMS, CloudHSM NIST SP 800-57; FedRAMP SC-12 Preventive

References

Explore This Site

Regulations & Safety Regulatory References Tools & Calculators Password Strength Calculator