The overwhelming majority of cloud incidents come from a small set of misconfigurations, not exotic zero-days. This checklist covers the ones that actually cause breaches, in rough priority order, mapped to the spirit of the CIS AWS Foundations Benchmark.
Identity & access (fix first)
- Enforce MFA on the root account and all IAM users.
- Stop using the root account for daily work; lock away its access keys.
- Apply least-privilege IAM policies; remove wildcard permissions where you can.
- Rotate or delete access keys that are unused or older than 90 days.
- Prefer IAM roles over long-lived access keys for workloads.
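The identity items above can be checked offline from the IAM credential report and a policy document. The following is an added example (not code from this page or from CloudMonitor) that runs over constructed data shaped like `aws iam get-credential-report` (a subset of its real columns) and an IAM policy document; the account id, user names, timestamps and the 90-day threshold are all assumptions made for the example.

```python
"""Offline IAM hygiene checks: stale access keys, console users without
MFA, root account hygiene, and wildcard Allow statements. No AWS calls
are made; every value below is constructed for this example."""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed credential report (subset of the real report's columns).
# The root row uses "not_supported" for password_enabled, as the real
# report does; 111122223333 is a placeholder account id.
CREDENTIAL_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,not_supported,false,true,2023-01-10T00:00:00+00:00,false,N/A
alice,arn:aws:iam::111122223333:user/alice,true,true,true,2024-05-01T00:00:00+00:00,false,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,false,false,true,2023-11-20T00:00:00+00:00,true,2024-06-15T00:00:00+00:00
bob,arn:aws:iam::111122223333:user/bob,true,false,false,N/A,false,N/A
"""

# Fixed "now" so the key-age arithmetic is deterministic.
NOW = datetime(2024, 7, 1, tzinfo=timezone.utc)


def parse_report(text=CREDENTIAL_REPORT):
    """Parse the credential-report CSV into one dict per principal."""
    return list(csv.DictReader(io.StringIO(text)))


def stale_access_keys(rows, now=NOW, max_age_days=90):
    """Active access keys last rotated more than max_age_days ago.

    Returns (user, key slot, age in days). "N/A" means the key never
    existed; an old key that is active but unused is still reported.
    """
    findings = []
    for row in rows:
        for slot in ("access_key_1", "access_key_2"):
            if row[f"{slot}_active"] != "true":
                continue
            rotated = row[f"{slot}_last_rotated"]
            if rotated == "N/A":
                continue
            age = now - datetime.fromisoformat(rotated)
            if age > timedelta(days=max_age_days):
                findings.append((row["user"], slot, age.days))
    return findings


def console_users_without_mfa(rows):
    """IAM users with a console password but no MFA device."""
    return [r["user"] for r in rows
            if r["password_enabled"] == "true" and r["mfa_active"] == "false"]


def root_account_findings(rows):
    """Root hygiene: MFA must be on and root must hold no access keys."""
    root = next(r for r in rows if r["user"] == "<root_account>")
    findings = []
    if root["mfa_active"] != "true":
        findings.append("root_mfa_disabled")
    for slot in ("access_key_1", "access_key_2"):
        if root[f"{slot}_active"] == "true":
            findings.append(f"root_{slot}_active")
    return findings


# Constructed customer-managed policy document.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadOwnBucket", "Effect": "Allow",
         "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "FullAdmin", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "AllOfEc2", "Effect": "Allow", "Action": ["ec2:*"], "Resource": "*"},
        {"Sid": "DenyDeleteTrail", "Effect": "Deny",
         "Action": "cloudtrail:DeleteTrail", "Resource": "*"},
    ],
}


def _as_list(value):
    # IAM accepts either a string or a list in Statement/Action/Resource.
    return value if isinstance(value, list) else [value]


def wildcard_allow_statements(policy=POLICY):
    """Allow statements with a wildcard Action ("*" or "svc:*") or Resource "*".

    Deny statements are skipped: a broad Deny is a guardrail, not a risk.
    Returns (Sid, severity): "critical" for the "*"/"*" admin grant,
    "high" for service-wide or resource-wide wildcards. NotAction and
    NotResource are not handled by this simplified check.
    """
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        wild_action = any(a == "*" or a.endswith(":*") for a in actions)
        wild_resource = "*" in resources
        if "*" in actions and wild_resource:
            findings.append((stmt.get("Sid", "<no Sid>"), "critical"))
        elif wild_action or wild_resource:
            findings.append((stmt.get("Sid", "<no Sid>"), "high"))
    return findings
```

With the constructed report, `stale_access_keys` flags the root key (538 days) and the first `ci-deploy` key (224 days) while leaving the recently rotated ones alone, and `root_account_findings` reports both missing MFA and an active root key.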
Data exposure
- Enable S3 Block Public Access at the account level; audit any bucket that overrides it.
- Ensure no security group allows 0.0.0.0/0 to sensitive ports (22, 3389, database ports).
- Confirm databases and internal services are not internet-facing.
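The two exposure checks above are easy to get subtly wrong: an all-traffic rule (`IpProtocol` `-1`) carries no port fields, a wide TCP range covers the sensitive ports without naming them, and IPv6 `::/0` is as open as `0.0.0.0/0`. This added example (not code from this page or from CloudMonitor) evaluates constructed data shaped like `aws ec2 describe-security-groups` and the account-level `PublicAccessBlockConfiguration`; the group ids, CIDRs and the list of "sensitive" ports are assumptions.

```python
"""Offline data-exposure checks over constructed security groups and an
S3 Block Public Access configuration. No AWS calls are made."""

# Ports this example treats as sensitive (an assumption; extend as needed).
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 1433: "MSSQL", 3306: "MySQL",
                   5432: "PostgreSQL", 6379: "Redis", 27017: "MongoDB"}
ANY_SOURCE = {"0.0.0.0/0", "::/0"}

# Constructed groups mirroring the describe-security-groups shape.
SECURITY_GROUPS = [
    {"GroupId": "sg-0web", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0bastion", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0db", "GroupName": "postgres", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    # "-1" means all protocols; FromPort/ToPort are absent in that case.
    {"GroupId": "sg-0legacy", "GroupName": "legacy-all-open", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": []}]},
]


def _sources(perm):
    """All source CIDRs (v4 and v6) of one permission entry."""
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])


def open_sensitive_ports(groups=SECURITY_GROUPS):
    """(GroupId, port, service) for every sensitive port open to the world.

    Handles the all-traffic rule (no port fields) and wide TCP ranges,
    the two shapes a port-equality check misses.
    """
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            if not ANY_SOURCE.intersection(_sources(perm)):
                continue
            proto = perm.get("IpProtocol")
            if proto == "-1":
                lo, hi = 0, 65535
            elif proto == "tcp":
                lo, hi = perm["FromPort"], perm["ToPort"]
            else:
                continue  # udp/icmp rules are out of scope for this list
            for port in sorted(SENSITIVE_PORTS):
                if lo <= port <= hi:
                    findings.append((group["GroupId"], port, SENSITIVE_PORTS[port]))
    return findings


# Constructed account-level Block Public Access configuration.
PUBLIC_ACCESS_BLOCK = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                       "BlockPublicPolicy": False, "RestrictPublicBuckets": False}

REQUIRED_BPA = ("BlockPublicAcls", "IgnorePublicAcls",
                "BlockPublicPolicy", "RestrictPublicBuckets")


def public_access_block_gaps(config=PUBLIC_ACCESS_BLOCK):
    """Block Public Access settings that are off.

    A missing key counts as off: when nothing was ever configured the API
    raises NoSuchPublicAccessBlockConfiguration, which an empty dict models.
    """
    return [k for k in REQUIRED_BPA if not config.get(k, False)]
```

Run as-is, the web group produces no finding (443 is public by design), the bastion is flagged on 22, and the legacy all-traffic group is flagged on every sensitive port even though its rule names none of them.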
Encryption
- Encrypt EBS volumes, RDS instances and S3 buckets at rest.
- Enforce TLS in transit for public endpoints.
Logging & detection
- Enable CloudTrail in all regions, with log file validation on.
- Turn on GuardDuty and route findings somewhere a human will see them.
- Enable Config to track resource configuration drift over time.
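The logging items above have a common failure mode: the control exists but is not actually running (a multi-region trail that has been stopped, a detector that was created and then disabled, a Config recorder in only one region). This added example (not code from this page or from CloudMonitor) checks constructed data shaped like `aws cloudtrail describe-trails` and `get-trail-status`, `aws guardduty get-detector`, and `aws configservice describe-configuration-recorder-status`; the trail names, regions and the simple pass-fraction score are assumptions.

```python
"""Offline logging and detection checks over constructed CloudTrail,
GuardDuty and Config state. No AWS calls are made."""

# Regions the account actually uses (constructed).
REGIONS_IN_USE = ["us-east-1", "eu-west-1", "ap-southeast-1"]

# Constructed trails: a multi-region trail that has been stopped, and a
# single-region trail with log file validation off.
TRAILS = [
    {"Name": "org-trail", "HomeRegion": "us-east-1",
     "IsMultiRegionTrail": True, "LogFileValidationEnabled": True},
    {"Name": "eu-only", "HomeRegion": "eu-west-1",
     "IsMultiRegionTrail": False, "LogFileValidationEnabled": False},
]
TRAIL_STATUS = {"org-trail": {"IsLogging": False}, "eu-only": {"IsLogging": True}}

# Constructed GuardDuty detector status per region.
GUARDDUTY = {"us-east-1": {"Status": "ENABLED"}, "eu-west-1": {"Status": "ENABLED"},
             "ap-southeast-1": {"Status": "ENABLED"}}

# Constructed Config recorder status per region; a region with no
# recorder at all is simply absent from the dict.
CONFIG_RECORDERS = {"us-east-1": {"name": "default", "recording": True},
                    "eu-west-1": {"name": "default", "recording": False}}


def cloudtrail_findings(trails=TRAILS, status=TRAIL_STATUS):
    """Per-trail problems plus an account-level finding when no multi-region
    trail is actually delivering logs. The account-level check reads
    IsLogging, not just IsMultiRegionTrail: a stopped multi-region trail
    still looks like coverage in describe-trails output."""
    findings = []
    for trail in trails:
        name = trail["Name"]
        if not status.get(name, {}).get("IsLogging", False):
            findings.append((name, "not_logging"))
        if not trail.get("LogFileValidationEnabled", False):
            findings.append((name, "log_file_validation_off"))
    active_multi_region = any(
        t.get("IsMultiRegionTrail") and status.get(t["Name"], {}).get("IsLogging")
        for t in trails)
    if not active_multi_region:
        findings.append(("<account>", "no_active_multi_region_trail"))
    return findings


def guardduty_gaps(detectors=GUARDDUTY, regions=REGIONS_IN_USE):
    """Regions in use with no ENABLED GuardDuty detector."""
    return [r for r in regions if detectors.get(r, {}).get("Status") != "ENABLED"]


def config_gaps(recorders=CONFIG_RECORDERS, regions=REGIONS_IN_USE):
    """Regions in use where no Config recorder is recording."""
    return [r for r in regions if not recorders.get(r, {}).get("recording", False)]


def logging_posture():
    """Roll the three checks into one dict a worklist can consume. The
    score is the fraction of checks with no findings: a deliberately
    simple metric that still moves the moment a control regresses."""
    results = {
        "cloudtrail": cloudtrail_findings(),
        "guardduty": guardduty_gaps(),
        "config": config_gaps(),
    }
    passed = sum(1 for v in results.values() if not v)
    results["score"] = passed / 3
    return results
```

With the constructed state, CloudTrail fails three ways (the stopped trail, the trail without validation, and therefore no active all-region coverage), GuardDuty passes in every region in use, and Config is missing in two regions, for a score of one third.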
From checklist to continuous posture
A checklist is a point-in-time snapshot; cloud accounts drift the moment engineers ship. The durable fix is a continuously scored posture that flags a regression the instant it lands. CloudMonitor grades your accounts against these practices, produces a single compliance score, and ranks findings by severity with exact remediation — right next to the cost work, in one worklist.
See this in your own cloud
CloudMonitor finds and ranks exactly what this guide describes — automatically.