Visibility: Use a cloud security solution that provides visibility into the volume and types of resources (virtual machines, load balancers, security groups, users, etc.) across multiple cloud accounts and regions in a single pane of glass. Having visibility and an understanding of your environment enables you to implement more granular policies and reduce risk.
Exposed root accounts: Root accounts must be protected by multi-factor authentication and used sparingly. Not even your top admins should have access to the AWS root account the vast majority of the time, and root credentials must never be shared across users or applications.
IAM access keys: Rotate or change your access keys at least once every 90 days. If you have given users the necessary permissions, they can rotate their own access keys. Rotation also ensures that old keys are not still being used to access critical services.
Authentication practices: A password policy and multi-factor authentication (MFA) should be enforced in AWS environments. Enable MFA for every account that has a console password.
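The three points above (root account hygiene, 90-day key rotation, MFA on every console password) can all be checked from one artifact, the IAM credential report. The following is an added example, not code from the original article: it parses a CSV in the shape of the report returned by `aws iam get-credential-report` (the column names used are the documented ones, but only a subset is included, which is an assumption of the example) and flags violations against a fixed reference date so it runs offline. The sample report rows are constructed.

```python
"""Audit an IAM credential report for root, MFA and key-rotation rules.

Added example; not part of the original article. Parses a CSV in the shape of
the IAM credential report and returns (user, finding) tuples.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

ROTATION_DAYS = 90  # rotation window from the text

# Constructed sample in the shape of the IAM credential report. Real reports
# carry more columns; only the ones needed here are present (assumption).
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::111111111111:root,not_supported,false,true,2023-01-10T09:00:00+00:00,false,N/A
alice,arn:aws:iam::111111111111:user/alice,true,true,true,2024-05-01T12:00:00+00:00,false,N/A
bob,arn:aws:iam::111111111111:user/bob,true,false,false,N/A,false,N/A
ci-deploy,arn:aws:iam::111111111111:user/ci-deploy,false,false,true,2023-11-20T08:30:00+00:00,true,2024-05-20T08:30:00+00:00
"""

# Fixed reference time so the example is reproducible offline.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def _parse_time(value: str):
    """Return a datetime for an ISO-8601 report field, or None for N/A-style values."""
    if value in ("N/A", "not_supported", "no_information", ""):
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_credential_report(report_csv: str, now: datetime = NOW, max_age_days: int = ROTATION_DAYS):
    """Return a list of (user, finding) tuples for every rule violation in the report."""
    findings = []
    cutoff = now - timedelta(days=max_age_days)
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        has_password = row["password_enabled"] == "true"
        mfa = row["mfa_active"] == "true"

        # Root: MFA is mandatory and access keys should not exist at all.
        if is_root and not mfa:
            findings.append((user, "root account without MFA"))
        # Any IAM user with a console password must have MFA.
        if has_password and not mfa and not is_root:
            findings.append((user, "console password without MFA"))

        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            if is_root:
                findings.append((user, f"root access key {slot} is active"))
            rotated = _parse_time(row[f"access_key_{slot}_last_rotated"])
            # A missing rotation date is treated as "never rotated".
            if rotated is None or rotated < cutoff:
                findings.append((user, f"access key {slot} older than {max_age_days} days"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT):
        print(f"{user}: {finding}")
```

Against the sample, the root row produces three findings (no MFA, an active key, and that key is stale), `bob` is flagged for a console password without MFA, `ci-deploy` for one stale key, and `alice` is clean. In a real account the report is generated with `aws iam generate-credential-report` and fetched, base64-encoded, with `aws iam get-credential-report`.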
Access privileges: Configuration of IAM, like any user permission system, should comply with the principle of “least privilege.” That means any user or group should only have the permissions required to perform their job, and no more.
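A quick way to find policies that violate least privilege is to lint the IAM policy JSON for Allow statements with wildcard actions or an unconditional `"Resource": "*"`. The block below is an added example, not code from the original article; the two sample policies are constructed, and the set of patterns it treats as over-broad is the example's own choice.

```python
"""Flag IAM policy statements that grant more than least privilege requires.

Added example; not part of the original article. Works on standard IAM policy
JSON and reports Allow statements with wildcard actions, service-wide wildcards,
NotAction grants, or an unconditional Resource of "*".
"""
import json

# Constructed sample: one over-broad policy and one scoped to a single bucket.
OVERBROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:*"], "Resource": "arn:aws:s3:::reports-bucket/*"},
    ],
})

SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadReports",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::reports-bucket", "arn:aws:s3:::reports-bucket/*"],
        },
        # A Deny is never a least-privilege problem, however broad it is.
        {"Effect": "Deny", "Action": "*", "Resource": "*"},
    ],
})


def _as_list(value):
    """IAM accepts a string or a list for Statement/Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(policy_json: str):
    """Return a list of (statement_index, reason) for Allow statements that are too broad."""
    doc = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))

        if "NotAction" in stmt:
            findings.append((idx, "Allow with NotAction grants every action not listed"))
        if any(a == "*" for a in actions):
            findings.append((idx, "wildcard action '*'"))
        elif any(a.endswith(":*") for a in actions):
            findings.append((idx, "service-wide wildcard action"))
        # Resource "*" is acceptable only when a Condition narrows it.
        if "*" in resources and "Condition" not in stmt:
            findings.append((idx, "unconditional access to all resources"))
    return findings


if __name__ == "__main__":
    for name, policy in (("overbroad", OVERBROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, lint_policy(policy))
```

The scoped policy yields no findings; the over-broad one yields three (a `*` action, a `*` resource, and an `s3:*` service wildcard). This is a syntactic check only; whether `s3:*` on one bucket is acceptable depends on the job the principal performs.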
Broad IP ranges for security groups and unrestricted outbound traffic: Limit the IP ranges you assign to each security group so that everything still networks properly but you are not leaving more open than you need, and restrict outbound traffic in the same way rather than allowing all egress by default.
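To see what "more open than you need" looks like in data, the added example below (not code from the original article) audits security groups in the structure returned by EC2 `DescribeSecurityGroups`. It flags ingress rules open to the whole internet on anything other than an allow-list of public ports, and egress rules that permit all protocols to all destinations. The sample groups and the allow-list of ports (80 and 443) are constructed assumptions.

```python
"""Audit security group rules for world-open ingress and unrestricted egress.

Added example; not part of the original article. Input mirrors the
DescribeSecurityGroups shape (IpPermissions / IpPermissionsEgress with
IpRanges and Ipv6Ranges).
"""
import ipaddress

# Assumption: only these ports may accept traffic from any source address.
PUBLIC_PORTS = {80, 443}
WORLD_V4, WORLD_V6 = "0.0.0.0/0", "::/0"

# Constructed sample groups: a web tier that also exposes SSH and allows all
# egress, and a bastion restricted to a documentation CIDR and one egress rule.
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-0aaa",
        "GroupName": "web",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": WORLD_V4}], "Ipv6Ranges": [{"CidrIpv6": WORLD_V6}]},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": WORLD_V4}], "Ipv6Ranges": []},
        ],
        "IpPermissionsEgress": [
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": WORLD_V4}], "Ipv6Ranges": []},
        ],
    },
    {
        "GroupId": "sg-0bbb",
        "GroupName": "bastion",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
        ],
        "IpPermissionsEgress": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        ],
    },
]


def _cidrs(rule):
    """All IPv4 and IPv6 CIDRs referenced by one rule."""
    return ([r["CidrIp"] for r in rule.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])])


def _is_world(cidr):
    """True for any prefix that covers the entire address space (0.0.0.0/0, ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def _describe_ports(rule):
    if rule.get("IpProtocol") == "-1":
        return "all ports and protocols"
    lo, hi = rule.get("FromPort"), rule.get("ToPort")
    return f"{rule['IpProtocol']}/{lo}" if lo == hi else f"{rule['IpProtocol']}/{lo}-{hi}"


def audit_security_groups(groups, public_ports=PUBLIC_PORTS):
    """Return (group_id, finding) tuples for rules that are broader than the allow-list."""
    findings = []
    for sg in groups:
        gid = sg["GroupId"]
        for rule in sg.get("IpPermissions", []):
            world_sources = [c for c in _cidrs(rule) if _is_world(c)]
            if not world_sources:
                continue
            lo, hi = rule.get("FromPort"), rule.get("ToPort")
            # A rule is acceptable only if every port in its range is on the allow-list.
            whole_range_public = (rule.get("IpProtocol") != "-1" and lo is not None
                                  and all(p in public_ports for p in range(lo, hi + 1)))
            if not whole_range_public:
                for cidr in world_sources:
                    findings.append((gid, f"ingress from {cidr} on {_describe_ports(rule)}"))
        for rule in sg.get("IpPermissionsEgress", []):
            if rule.get("IpProtocol") == "-1" and any(_is_world(c) for c in _cidrs(rule)):
                findings.append((gid, "unrestricted egress to any destination"))
    return findings


if __name__ == "__main__":
    for gid, finding in audit_security_groups(SAMPLE_GROUPS):
        print(f"{gid}: {finding}")
```

On the sample, `sg-0aaa` is reported twice (SSH open to 0.0.0.0/0, and all-protocol egress to 0.0.0.0/0) while the 443 rule passes, and `sg-0bbb` is clean. The port allow-list should be replaced with whatever each group genuinely has to expose.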
Audit history: AWS CloudTrail is a web service that provides an event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services. It must be enabled. Enabling CloudTrail simplifies security analysis, resource change tracking, and troubleshooting.
Unpatched hosts: Make sure hosts are patched frequently and apply any necessary hotfixes released by your OEM vendors. To do so, you need third-party tools that can map the data from your host vulnerability feeds, such as Amazon Inspector, to gain cloud-specific context.
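The event history CloudTrail produces is only useful if something reads it. The following is an added example, not code from the original article: it runs two defender-side detections over records in the CloudTrail event format (`userIdentity`, `eventSource`, `eventName`, and `additionalEventData.MFAUsed` on console sign-ins), alerting on any root-account activity (root console sign-in without MFA is called out separately, tying back to the root-account point above) and on API calls that change or stop the trail itself. The sample records are constructed.

```python
"""Two simple detections over CloudTrail records.

Added example; not part of the original article. Input is a CloudTrail log
file body ({"Records": [...]}) using the documented event field names.
"""
import json

# CloudTrail API calls that alter or stop audit logging; each deserves review.
TRAIL_CHANGES = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}

# Constructed sample records: a root sign-in without MFA, a StopLogging call,
# and a routine read-only call that should not alert.
SAMPLE_EVENTS = json.dumps({"Records": [
    {
        "eventTime": "2024-06-01T10:00:00Z",
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "userIdentity": {"type": "Root", "accountId": "111111111111",
                         "arn": "arn:aws:iam::111111111111:root"},
        "additionalEventData": {"MFAUsed": "No"},
        "responseElements": {"ConsoleLogin": "Success"},
        "sourceIPAddress": "198.51.100.7",
    },
    {
        "eventTime": "2024-06-01T10:05:00Z",
        "eventSource": "cloudtrail.amazonaws.com",
        "eventName": "StopLogging",
        "userIdentity": {"type": "IAMUser", "userName": "bob", "accountId": "111111111111"},
        "requestParameters": {"name": "org-trail"},
        "sourceIPAddress": "198.51.100.7",
    },
    {
        "eventTime": "2024-06-01T10:07:00Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeInstances",
        "userIdentity": {"type": "IAMUser", "userName": "alice", "accountId": "111111111111"},
        "sourceIPAddress": "10.0.1.5",
    },
]})


def detect(records_json: str):
    """Return a list of alert dicts (time, who, event, ip, rule) for matching records."""
    alerts = []
    for ev in json.loads(records_json).get("Records", []):
        identity = ev.get("userIdentity", {})
        who = identity.get("userName") or identity.get("arn") or identity.get("type")
        base = {"time": ev["eventTime"], "who": who,
                "event": ev["eventName"], "ip": ev.get("sourceIPAddress")}

        # Rule 1: the root account should almost never act; a sign-in without
        # MFA is the most serious form of that.
        if identity.get("type") == "Root":
            mfa = ev.get("additionalEventData", {}).get("MFAUsed")
            if ev["eventName"] == "ConsoleLogin" and mfa != "Yes":
                alerts.append({**base, "rule": "root console login without MFA"})
            else:
                alerts.append({**base, "rule": "root account activity"})

        # Rule 2: changes to the trail itself remove the evidence everything
        # else depends on.
        if ev.get("eventSource") == "cloudtrail.amazonaws.com" and ev["eventName"] in TRAIL_CHANGES:
            trail = ev.get("requestParameters", {}).get("name", "<unknown>")
            alerts.append({**base, "rule": f"CloudTrail configuration change on trail {trail}"})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The sample produces two alerts: the root sign-in without MFA from 198.51.100.7 and `bob` stopping `org-trail` from the same address; `alice`'s `DescribeInstances` is ignored. The same logic maps directly onto CloudWatch metric filters or an EventBridge rule in a live account.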