
AWS Security Baseline Every Account Needs in 2025

MakFam Solutions 4 min read


Most AWS security breaches follow the same pattern: compromised credentials, over-permissive roles, and no detection. This checklist covers the baseline every account needs — regardless of size.

Account-Level Controls

Enable MFA on Root Account

The root account can do anything. If it’s compromised, you’re done. Enable MFA immediately and never use it for day-to-day operations.

# Verify MFA is enabled on the root account (AccountMFAEnabled should be 1)
aws iam get-account-summary | grep AccountMFAEnabled

Create an Account Alias

aws iam create-account-alias --account-alias your-company-name

Prevents accidentally operating in the wrong account.

Enable AWS Security Hub

Security Hub aggregates findings from GuardDuty, Inspector, Macie, and third-party tools into a single dashboard.

aws securityhub enable-security-hub \
  --enable-default-standards

The “AWS Foundational Security Best Practices” standard runs 200+ automated checks.

IAM Hardening

Delete or Disable Root Access Keys

Root access keys are a critical risk — they bypass all IAM policies. If they exist, delete them.

# Root is not an IAM user, so list-access-keys cannot see its keys;
# the account summary reports whether any exist (0 means none)
aws iam get-account-summary | grep AccountAccessKeysPresent
# If the value is 1, sign in as root and delete the keys from the IAM console

Enforce IAM Password Policy

aws iam update-account-password-policy \
  --minimum-password-length 16 \
  --require-symbols \
  --require-numbers \
  --require-uppercase-characters \
  --require-lowercase-characters \
  --max-password-age 90 \
  --password-reuse-prevention 12

Apply Least Privilege to All Roles

The single most common cause of breaches: over-permissive IAM roles.

Audit your roles:

# Find roles with AdministratorAccess
aws iam list-roles | jq '.Roles[].RoleName' -r | while read role; do
  aws iam list-attached-role-policies --role-name "$role" | \
    grep -q AdministratorAccess && echo "$role has AdministratorAccess"
done

Use IAM Access Analyzer to identify unused permissions in existing roles.
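The loop above only catches the managed AdministratorAccess policy by name. The Python below is an added example (not from the article) that goes one step further: it inspects the policy documents themselves, in the shape `aws iam get-policy-version` and `aws iam get-role-policy` return them, and flags any Allow statement that grants `*` or `iam:*` on `Resource: "*"`, or uses `NotAction` on `*`, since those are administrator-equivalent whatever the policy is called. The roles and policies are constructed sample data; only the standard library is used.

```python
# Constructed sample: role name -> policy documents attached to it, in the shape returned by
# `aws iam get-policy-version` (PolicyVersion.Document) and `aws iam get-role-policy` (PolicyDocument)
SAMPLE_ROLES = {
    "ci-deploy": [
        {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::deploy-artifacts/*"}]}],
    "legacy-ops": [
        # Statement given as a single object rather than a list, which IAM also accepts
        {"Version": "2012-10-17", "Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}}],
    "user-admin": [
        {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": ["IAM:*", "sts:GetCallerIdentity"], "Resource": "*"}]}],
    "break-glass": [
        # Allow with NotAction: everything except the listed actions, which is near-admin
        {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "NotAction": ["organizations:*"], "Resource": "*"}]}],
    "bucket-owner": [
        # Wildcard action, but scoped to one bucket: not account-wide admin
        {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": "*", "Resource": "arn:aws:s3:::reports/*"}]}],
}

# Granting either of these on Resource "*" is full control of the account
ADMIN_EQUIVALENT_ACTIONS = {"*", "iam:*"}


def _as_list(value):
    """IAM accepts a string or a list for Statement, Action, NotAction and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def admin_reasons(policy_doc):
    """Return the admin-equivalent (action, resource) pairs found in Allow statements."""
    reasons = []
    for stmt in _as_list(policy_doc.get("Statement")):
        # Only Allow statements on Resource "*" are account-wide grants
        if stmt.get("Effect") != "Allow" or "*" not in _as_list(stmt.get("Resource")):
            continue
        if "NotAction" in stmt:
            reasons.append(("NotAction", "*"))
        for action in _as_list(stmt.get("Action")):
            if action.lower() in ADMIN_EQUIVALENT_ACTIONS:   # action names are case-insensitive
                reasons.append((action, "*"))
    return reasons


def audit_roles(roles):
    """Map role name -> list of admin-equivalent grants, for roles that have any."""
    findings = {}
    for role, docs in roles.items():
        hits = [reason for doc in docs for reason in admin_reasons(doc)]
        if hits:
            findings[role] = hits
    return findings


if __name__ == "__main__":
    for role, hits in audit_roles(SAMPLE_ROLES).items():
        print(f"{role}: admin-equivalent grant(s) {hits}")
```

To run this against a real account, feed `audit_roles` a dict built from the `list-roles`, `list-attached-role-policies`, `get-policy-version` and `list-role-policies`/`get-role-policy` calls; the `bucket-owner` case shows why the check keys on the resource as well as the action.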

Use Service Control Policies (SCPs)

If you have AWS Organizations, SCPs are your last line of defense. Even admins can’t override them.

Essential SCPs to implement:

  • Deny all actions in regions you don’t use
  • Deny root account usage
  • Require MFA for sensitive actions
  • Prevent disabling CloudTrail
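As an added illustration (not part of the article), the Python below writes the four SCPs in the list as one policy document and pairs it with a small evaluator for the condition operators that document uses, so you can check what a request would hit before attaching the policy. The allowed regions, the exempted global services, the "sensitive" action list and the sample principals are assumptions for this example; it also assumes the default FullAWSAccess SCP remains attached, so only the explicit Denies matter.

```python
import fnmatch

# Assumed for this example: the regions the organization actually uses
ALLOWED_REGIONS = ["us-east-1", "eu-west-1"]

# Constructed SCP implementing the four controls listed above
BASELINE_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyUnusedRegions", "Effect": "Deny",
         # Global services are exempted so their calls are not caught by the region check
         "NotAction": ["iam:*", "sts:*", "organizations:*", "support:*", "cloudfront:*", "route53:*"],
         "Resource": "*",
         "Condition": {"StringNotEquals": {"aws:RequestedRegion": ALLOWED_REGIONS}}},
        {"Sid": "DenyRootUser", "Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"StringLike": {"aws:PrincipalArn": "arn:aws:iam::*:root"}}},
        {"Sid": "RequireMfaForSensitiveActions", "Effect": "Deny",
         "Action": ["ec2:TerminateInstances", "rds:DeleteDBInstance", "s3:DeleteBucket"],
         "Resource": "*",
         # BoolIfExists: a request with no MFA context at all (plain access keys) is denied too
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
        {"Sid": "ProtectCloudTrail", "Effect": "Deny",
         "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail", "cloudtrail:UpdateTrail"],
         "Resource": "*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    # IAM action names are case-insensitive and support "*" wildcards
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _condition_holds(condition, ctx):
    """Evaluate the operators used above; every key under every operator must hold."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            values = [str(v) for v in _as_list(expected)]
            actual = ctx.get(key)
            if operator == "StringEquals":
                ok = actual is not None and actual in values
            elif operator == "StringNotEquals":
                ok = actual is None or actual not in values   # negated operators hold when the key is absent
            elif operator == "StringLike":
                ok = actual is not None and any(fnmatch.fnmatchcase(actual, v) for v in values)
            elif operator == "BoolIfExists":
                ok = actual is None or str(actual).lower() == values[0].lower()
            else:
                raise ValueError(f"operator {operator} is not modelled in this example")
            if not ok:
                return False
    return True


def scp_denies(scp, request):
    """Return the Sid of the first Deny statement matching the request, or None if nothing denies it.

    request carries "action" plus the context keys aws:RequestedRegion, aws:PrincipalArn and,
    for console/role sessions, aws:MultiFactorAuthPresent ("true"/"false"; absent for access keys).
    """
    action = request["action"]
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if "Action" in stmt and not _action_matches(stmt["Action"], action):
            continue
        if "NotAction" in stmt and _action_matches(stmt["NotAction"], action):
            continue
        if "Condition" in stmt and not _condition_holds(stmt["Condition"], request):
            continue
        return stmt["Sid"]
    return None


# Constructed principals for the checks
USER = "arn:aws:iam::123456789012:user/alice"
ROOT = "arn:aws:iam::123456789012:root"

if __name__ == "__main__":
    req = {"action": "ec2:RunInstances", "aws:RequestedRegion": "ap-southeast-2",
           "aws:PrincipalArn": USER, "aws:MultiFactorAuthPresent": "true"}
    print(scp_denies(BASELINE_SCP, req))
```

The evaluator only models the operators the document uses; its value is in making the two classic surprises visible: a missing key satisfies StringNotEquals (so a region deny without the NotAction exemption would block global services), and BoolIfExists turns "no MFA information" into a deny, which is the intended effect for long-term access keys.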

Logging and Monitoring

Enable CloudTrail in All Regions

aws cloudtrail create-trail \
  --name management-events \
  --s3-bucket-name your-cloudtrail-bucket \
  --is-multi-region-trail \
  --enable-log-file-validation

aws cloudtrail start-logging --name management-events

--is-multi-region-trail is critical — attackers often operate in regions you’re not using.

Enable GuardDuty

GuardDuty uses ML to detect: crypto mining, exfiltration, credential compromise, and unusual API calls. At $1-3/month for most accounts, it’s the best security ROI in AWS.

aws guardduty create-detector --enable --finding-publishing-frequency FIFTEEN_MINUTES

Set up SNS notifications for findings above Medium severity:

# GuardDuty publishing destinations only support S3; notifications go through EventBridge.
# Route severity 4.0 and above (Medium; use 7 for High only) to an SNS topic whose
# access policy allows events.amazonaws.com to Publish
aws events put-rule --name guardduty-findings \
  --event-pattern '{"source":["aws.guardduty"],"detail-type":["GuardDuty Finding"],"detail":{"severity":[{"numeric":[">=",4]}]}}'
aws events put-targets --rule guardduty-findings \
  --targets Id=sns,Arn=<SNS_TOPIC_ARN>

CloudWatch Alarms for Security Events

Essential alarms to create:

  • Root account usage
  • IAM policy changes
  • CloudTrail configuration changes
  • Console login without MFA
  • Authorization failures (threshold: 10/5min)
  • Security group changes

These cost cents per month and catch the most common attack patterns.
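Each of those alarms is a CloudWatch metric filter over the CloudTrail records in your log group. The Python below is an added example (not from the article) that expresses the six conditions as plain predicates and runs them over constructed CloudTrail records, including a burst of AccessDenied responses to exercise the 10-in-5-minutes threshold with a sliding window. The event-name sets are the usual ones for these alarms; the sample records, account ID and principal are constructed.

```python
import json
from collections import deque
from datetime import datetime, timedelta

BASE = datetime(2025, 1, 15, 10, 0, 0)


def _record(i, name, source, offset_s, user_type="IAMUser", error=None, extra=None):
    """Build one constructed CloudTrail record with the fields the detectors read."""
    rec = {"eventID": f"evt-{i:03d}",
           "eventTime": (BASE + timedelta(seconds=offset_s)).strftime("%Y-%m-%dT%H:%M:%SZ"),
           "eventName": name, "eventSource": source,
           "userIdentity": {"type": user_type, "arn": "arn:aws:iam::123456789012:user/alice"}}
    if error:
        rec["errorCode"] = error
    rec.update(extra or {})
    return rec


# Constructed records, serialized as JSON lines like a CloudTrail delivery to CloudWatch Logs
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    _record(1, "ConsoleLogin", "signin.amazonaws.com", 0, user_type="Root",
            extra={"additionalEventData": {"MFAUsed": "Yes"}}),
    _record(2, "ConsoleLogin", "signin.amazonaws.com", 30,
            extra={"additionalEventData": {"MFAUsed": "No"}}),
    _record(3, "AttachRolePolicy", "iam.amazonaws.com", 60),
    _record(4, "StopLogging", "cloudtrail.amazonaws.com", 90),
    _record(5, "AuthorizeSecurityGroupIngress", "ec2.amazonaws.com", 120),
    _record(6, "DescribeInstances", "ec2.amazonaws.com", 150),
] + [_record(10 + i, "ListBuckets", "s3.amazonaws.com", 200 + 10 * i, error="AccessDenied")
     for i in range(12)])   # 12 denials in two minutes: crosses the 10-in-5-minutes threshold

IAM_POLICY_EVENTS = {"PutUserPolicy", "PutRolePolicy", "PutGroupPolicy", "AttachRolePolicy",
                     "AttachUserPolicy", "AttachGroupPolicy", "DetachRolePolicy", "DetachUserPolicy",
                     "DetachGroupPolicy", "CreatePolicy", "DeletePolicy", "CreatePolicyVersion",
                     "DeletePolicyVersion"}
CLOUDTRAIL_EVENTS = {"CreateTrail", "UpdateTrail", "DeleteTrail", "StartLogging", "StopLogging"}
SG_EVENTS = {"AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
             "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
             "CreateSecurityGroup", "DeleteSecurityGroup"}
AUTHZ_ERRORS = {"AccessDenied", "UnauthorizedOperation"}


def parse_log(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def classify(rec):
    """Names of the single-event alarms this record would trigger."""
    hits = []
    name = rec.get("eventName")
    if rec.get("userIdentity", {}).get("type") == "Root" and rec.get("eventType") != "AwsServiceEvent":
        hits.append("Root account usage")
    if rec.get("eventSource") == "iam.amazonaws.com" and name in IAM_POLICY_EVENTS:
        hits.append("IAM policy changes")
    if name in CLOUDTRAIL_EVENTS:
        hits.append("CloudTrail configuration changes")
    if name == "ConsoleLogin" and rec.get("additionalEventData", {}).get("MFAUsed") != "Yes":
        hits.append("Console login without MFA")
    if name in SG_EVENTS:
        hits.append("Security group changes")
    return hits


def detect(records, threshold=10, window=timedelta(minutes=5)):
    """Map alarm name -> eventIDs that fired it; the failure alarm fires once per threshold crossing."""
    alarms = {}
    failures = deque()          # timestamps of recent authorization failures
    crossed = False
    for rec in sorted(records, key=lambda r: r["eventTime"]):
        for alarm in classify(rec):
            alarms.setdefault(alarm, []).append(rec["eventID"])
        if rec.get("errorCode") in AUTHZ_ERRORS:
            t = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
            failures.append(t)
            while failures and t - failures[0] > window:
                failures.popleft()
            if len(failures) >= threshold and not crossed:
                alarms.setdefault("Authorization failures (threshold: 10/5min)", []).append(rec["eventID"])
                crossed = True
            elif len(failures) < threshold:
                crossed = False
    return alarms


if __name__ == "__main__":
    for alarm, ids in detect(parse_log(SAMPLE_LOG)).items():
        print(f"{alarm}: {ids}")
```

The record with a successful root login and MFA still fires "Root account usage" but not the MFA alarm, which is the behaviour you want: the alarm is about who logged in, not how.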

Network Security

VPC Design Principles

  • Never put application servers in a public subnet
  • Use NAT Gateway for outbound internet from private subnets
  • Enable VPC Flow Logs (start with REJECT to find blocked traffic)

# Delivery to CloudWatch Logs requires an IAM role the flow logs service can assume
aws ec2 create-flow-logs \
  --resource-type VPC \
  --resource-ids vpc-xxxxxxxx \
  --traffic-type REJECT \
  --log-destination-type cloud-watch-logs \
  --log-group-name vpc-flow-logs \
  --deliver-logs-permission-arn <FLOW_LOGS_ROLE_ARN>

Security Group Audit

The most common finding: 0.0.0.0/0 on port 22 (SSH) or port 3306 (MySQL).

# Find security groups with 0.0.0.0/0 ingress
aws ec2 describe-security-groups \
  --filters Name=ip-permission.cidr,Values='0.0.0.0/0' \
  --query 'SecurityGroups[*].[GroupId,GroupName,IpPermissions]'

If you need SSH access, use SSM Session Manager instead — no open ports required.
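The `describe-security-groups` query above returns every rule of a matching group, so you still have to read the output to see which port is actually exposed. As an added example (not from the article), the Python below parses constructed output in the shape that command produces and reports only world-reachable rules on sensitive ports, handling the three cases a quick grep misses: port ranges that happen to include 22, `::/0` on IPv6, and `IpProtocol: "-1"` rules that carry no port fields at all. The group IDs, names and the sensitive-port table are constructed for the example.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-security-groups --output json`
SAMPLE_OUTPUT = json.dumps({"SecurityGroups": [
    {"GroupId": "sg-0a1b2c3d", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0d4e5f6a", "GroupName": "legacy-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0b7c8d9e", "GroupName": "bastion", "IpPermissions": [
        # A port range that includes 22, open to the IPv6 world only
        {"IpProtocol": "tcp", "FromPort": 20, "ToPort": 1024,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0f1a2b3c", "GroupName": "wide-open", "IpPermissions": [
        # Protocol -1 means all traffic; AWS omits FromPort/ToPort on such rules
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]})

# Assumed list of ports worth alarming on when reachable from anywhere
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL",
                   1433: "MSSQL", 6379: "Redis", 27017: "MongoDB"}
ANY_SOURCE = {"0.0.0.0/0", "::/0"}


def _sources(perm):
    """All CIDR sources of one rule, IPv4 and IPv6."""
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])


def exposed_ports(perm):
    """Sensitive ports covered by one rule: single port, range, or all ports for protocol -1."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return sorted(SENSITIVE_PORTS)
    if proto not in ("tcp", "udp"):
        return []
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or hi is None:
        return []
    return [p for p in sorted(SENSITIVE_PORTS) if lo <= p <= hi]


def audit(output_json):
    """Return (group id, group name, port, service, sources) for every world-open sensitive port."""
    findings = []
    for sg in json.loads(output_json)["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            open_sources = [s for s in _sources(perm) if s in ANY_SOURCE]
            if not open_sources:
                continue
            for port in exposed_ports(perm):
                findings.append((sg["GroupId"], sg["GroupName"], port,
                                 SENSITIVE_PORTS[port], ", ".join(open_sources)))
    return findings


if __name__ == "__main__":
    for gid, name, port, service, src in audit(SAMPLE_OUTPUT):
        print(f"{gid} ({name}): {service}/{port} open to {src}")
```

Pipe real output in with `aws ec2 describe-security-groups --output json` and pass the text to `audit`; the `web` group shows that 443 to the world is deliberately left alone, and SSH restricted to a single CIDR is not reported.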

Data Protection

Enable Default Encryption on S3

aws s3api put-bucket-encryption \
  --bucket your-bucket \
  --server-side-encryption-configuration '{
    "Rules": [{
      "ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "AES256"
      },
      "BucketKeyEnabled": true
    }]
  }'

Enable EBS Encryption by Default

aws ec2 enable-ebs-encryption-by-default

Any new EBS volume is encrypted automatically. Zero performance impact with modern instances.

RDS Encryption

Encryption must be enabled at creation time — you can’t turn it on for an existing instance later (the workaround is to take a snapshot, copy it with encryption enabled, and restore from the encrypted copy).

Always specify --storage-encrypted when creating RDS instances.

The Security Baseline Checklist

  • Root account MFA enabled
  • No root access keys
  • IAM password policy enforced
  • CloudTrail enabled in all regions
  • GuardDuty enabled
  • Security Hub enabled with FSBP standard
  • S3 Block Public Access enabled account-wide
  • EBS default encryption enabled
  • VPC Flow Logs enabled
  • Security groups audited (no 0.0.0.0/0 on sensitive ports)
  • CloudWatch alarms for security events
  • No unused access keys (rotate or delete)

Completing this list puts you ahead of 80% of AWS accounts. Most breaches exploit basics, not sophisticated vulnerabilities.


Need a security audit or help implementing these controls? Contact us for a free assessment.


MakFam Solutions

Cloud infrastructure and AI consultant with 6+ years of AWS expertise. Helping small and medium businesses build scalable, secure cloud systems.