The AWS Security Best Practices Checklist (2026)

CT CloudMonitor Team · May 27, 2026 · 12 min read

The overwhelming majority of cloud incidents come from a small set of misconfigurations, not exotic zero-days. This checklist covers the ones that actually cause breaches, in rough priority order, mapped to the spirit of the CIS AWS Foundations Benchmark.

Identity & access (fix first)

  • Enforce MFA on the root account and all IAM users.
  • Stop using the root account for daily work; lock away its access keys.
  • Apply least-privilege IAM policies; remove wildcard * permissions where you can.
  • Rotate or delete access keys that are unused or older than 90 days.
  • Prefer IAM roles over long-lived access keys for workloads.

Data exposure

  • Enable S3 Block Public Access at the account level; audit any bucket that overrides it.
  • Ensure no security group allows inbound traffic from 0.0.0.0/0 to sensitive ports (22, 3389, database ports).
  • Confirm databases and internal services are not internet-facing.

Encryption

  • Encrypt EBS volumes, RDS instances and S3 buckets at rest.
  • Enforce TLS in transit for public endpoints.

Logging & detection

  • Enable CloudTrail in all regions, with log file validation on.
  • Turn on GuardDuty and route findings somewhere a human will see them.
  • Enable Config to track resource configuration drift over time.

From checklist to continuous posture

A checklist is a point-in-time snapshot; cloud accounts drift the moment engineers ship. The durable fix is a continuously-scored posture that flags a regression the instant it lands. CloudMonitor grades your accounts against these practices, produces a single compliance score, and ranks findings by severity with exact remediation — right next to the cost work, in one worklist.
