De4sec
De4sec Technology
de4sec.technology
🌐 AU + KE

AWS Cloud Security Guide

Securing AWS environments: IAM, GuardDuty, Security Hub, CloudTrail, and workload protection for businesses using Amazon Web Services.

Prepared by
De4sec Technology
Contact
support@de4sec.technology
Edition
2026 · March
CONFIDENTIAL · FOR CLIENT USE ONLY
Contents
  1. AWS Shared Responsibility Model
  2. IAM: Identity and Access Management
  3. Threat Detection: GuardDuty and Security Hub
  4. Logging: CloudTrail and CloudWatch
  5. Workload and Data Security
  6. De4sec AWS Security Service
01

AWS Shared Responsibility Model

AWS is responsible for security of the cloud: the physical facilities, hardware, hypervisor and the managed services themselves. You are responsible for security in the cloud: everything you configure, deploy and operate on top of it, including identities, network rules, operating systems, application code and the data.

AWS Secures                      | Customer Secures
---------------------------------|------------------------------------------------
Physical infrastructure          | IAM configuration and policies
Hardware and hypervisor          | OS on EC2 instances
Core AWS services                | Network configuration (VPCs, security groups)
Availability and durability      | Application code and data encryption
Physical security                | Monitoring and incident response

The most common AWS breaches are identity- and configuration-related: over-permissive IAM roles, leaked long-lived access keys, and publicly readable S3 buckets. All of these sit in the customer's half of the model; they are misconfigurations, not vulnerabilities in the AWS platform.

02

IAM: Identity and Access Management

Least Privilege Principles

✓ No use of the root account for daily operations: protect root with hardware MFA, delete any root access keys, and give administrators IAM Identity Center (SSO) users or, failing that, IAM users with MFA
✓ Assign IAM policies at the minimum required scope: never attach AdministratorAccess unless absolutely required, and restrict Resource elements to specific ARNs rather than "*"
✓ Use IAM roles for EC2 instances, Lambda functions and ECS tasks, which receive short-lived credentials automatically; never embed access keys in code, images or configuration files
✓ Rotate any remaining access keys regularly and audit them with the IAM credential report; delete keys that are unused or belong to people who have left

AWS IAM Identity Center (SSO)

✓ Centralise access management across multiple AWS accounts from one place
✓ Integrate with Microsoft Entra ID or Okta as the identity source for single sign-on, so joiners and leavers are handled in one directory
✓ Enforce MFA at the identity provider level, preferring phishing-resistant methods such as FIDO2 security keys
✓ Use permission sets to assign AWS account access, not individual IAM user policies; Identity Center users receive short-lived role credentials instead of long-lived keys

Service Control Policies

✓ In multi-account environments, use SCPs to set guardrails across the organisation. An SCP bounds the maximum permissions an account can use; it grants nothing on its own and does not apply to the management account
✓ Block services from being used in regions you do not operate in, using the aws:RequestedRegion condition key, and exempt global services such as IAM, STS, CloudFront and Route 53 (which report a fixed region) as in AWS's published region-restriction example
✓ Deny cloudtrail:StopLogging, cloudtrail:DeleteTrail, cloudtrail:UpdateTrail and guardduty:DeleteDetector (and related actions) so that neither a compromised principal nor a well-meaning administrator can switch off logging or detection anywhere in the organisation
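The following is an added example, not De4sec's or AWS's code, that models how the SCP guardrails above combine with the least-privilege identity policies from the previous section. It encodes a constructed region-allowlist and logging-protection SCP, a constructed admin-equivalent and a scoped developer identity policy, and a deliberately simplified evaluator (explicit Deny wins, the SCPs must Allow, then an identity policy must Allow). The approved regions (Sydney and Cape Town), the account ID 111122223333 and the bucket name example-app-data are assumptions; only the StringEquals/StringNotEquals operators are modelled.

```python
"""Simplified model of AWS policy evaluation: an organisation SCP guardrail
combined with an identity policy. Added example, not De4sec's or AWS's code.
Only the policy-language subset used here is modelled (Effect, Action,
NotAction, Resource, StringEquals/StringNotEquals); use the IAM policy
simulator or IAM Access Analyzer for real decisions.
"""
from fnmatch import fnmatchcase

APPROVED_REGIONS = ["ap-southeast-2", "af-south-1"]  # assumed footprint (Sydney, Cape Town)

# Constructed guardrail SCP: region allowlist plus protection of logging/detection.
GUARDRAIL_SCP = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyOutsideApprovedRegions", "Effect": "Deny",
     # Global services report a fixed region, so they are exempted via NotAction
     # (same shape as AWS's published region-restriction example SCP).
     "NotAction": ["iam:*", "sts:*", "organizations:*", "cloudfront:*", "route53:*",
                   "support:*", "health:*", "budgets:*"],
     "Resource": "*",
     "Condition": {"StringNotEquals": {"aws:RequestedRegion": APPROVED_REGIONS}}},
    {"Sid": "ProtectLoggingAndDetection", "Effect": "Deny",
     "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail", "cloudtrail:UpdateTrail",
                "cloudtrail:PutEventSelectors", "guardduty:DeleteDetector",
                "guardduty:UpdateDetector", "guardduty:DisassociateFromAdministratorAccount"],
     "Resource": "*"},
]}
# AWS attaches FullAWSAccess by default; SCPs can only subtract from it, never grant.
FULL_AWS_ACCESS_SCP = {"Version": "2012-10-17",
                       "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Constructed identity policies: one admin-equivalent, one scoped to an application.
ADMIN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Admin", "Effect": "Allow", "Action": "*", "Resource": "*"}]}
DEVELOPER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AppBucket", "Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-app-data/*"},
    {"Sid": "ReadOnlyEc2", "Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}]}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def _match_any(name, patterns, case_sensitive):
    # IAM action names are case-insensitive; resource ARNs are case-sensitive.
    if not case_sensitive:
        name, patterns = name.lower(), [p.lower() for p in patterns]
    return any(fnmatchcase(name, p) for p in patterns)


def _statement_applies(stmt, action, resource, context):
    if "Action" in stmt and not _match_any(action, _as_list(stmt["Action"]), False):
        return False
    if "NotAction" in stmt and _match_any(action, _as_list(stmt["NotAction"]), False):
        return False
    if not _match_any(resource, _as_list(stmt.get("Resource", "*")), True):
        return False
    for operator, tests in stmt.get("Condition", {}).items():
        if operator not in ("StringEquals", "StringNotEquals"):
            raise NotImplementedError(f"condition operator {operator} is not modelled")
        for key, wanted in tests.items():
            matched = context.get(key) in _as_list(wanted)
            if matched != (operator == "StringEquals"):
                return False
    return True


def evaluate_policy(policy, action, resource, context):
    """'Deny', 'Allow' or None (implicit deny) for one policy document."""
    decision = None
    for stmt in policy["Statement"]:
        if _statement_applies(stmt, action, resource, context):
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit Deny is final
            decision = "Allow"
    return decision


def is_allowed(scps, identity_policies, action, resource, region):
    """Simplified AWS logic: any explicit Deny wins; the SCPs must Allow the
    action (they bound what the account may do); then an identity policy must Allow it."""
    context = {"aws:RequestedRegion": region}
    scp_results = [evaluate_policy(p, action, resource, context) for p in scps]
    if "Deny" in scp_results or "Allow" not in scp_results:
        return False
    results = [evaluate_policy(p, action, resource, context) for p in identity_policies]
    return "Deny" not in results and "Allow" in results


def admin_equivalent_sids(policy):
    """Sids of Allow statements granting every action on every resource: the
    same blast radius as the AdministratorAccess managed policy."""
    return [s.get("Sid", "<no Sid>") for s in policy["Statement"]
            if s["Effect"] == "Allow" and "*" in _as_list(s.get("Action"))
            and "*" in _as_list(s.get("Resource"))]


if __name__ == "__main__":
    scps = [FULL_AWS_ACCESS_SCP, GUARDRAIL_SCP]
    obj = "arn:aws:s3:::example-app-data/report.csv"
    print("dev PutObject in Sydney:", is_allowed(scps, [DEVELOPER_POLICY], "s3:PutObject", obj, "ap-southeast-2"))
    print("dev PutObject in us-east-1:", is_allowed(scps, [DEVELOPER_POLICY], "s3:PutObject", obj, "us-east-1"))
    print("admin StopLogging:", is_allowed(scps, [ADMIN_POLICY], "cloudtrail:StopLogging", "*", "ap-southeast-2"))
    print("admin-equivalent statements:", admin_equivalent_sids(ADMIN_POLICY))
```

The point the model makes concrete: the admin-equivalent policy cannot stop logging once the guardrail SCP is attached, while the developer policy is stopped twice over (by the SCP in an unapproved region, and by its own Resource scope elsewhere). For decisions that matter, run the real engine with aws iam simulate-principal-policy rather than a model like this.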
03

Threat Detection: GuardDuty and Security Hub

Amazon GuardDuty

GuardDuty continuously analyses CloudTrail management events, VPC Flow Logs and Route 53 DNS query logs (plus optional sources such as S3 data events and EKS audit logs) against threat intelligence feeds and anomaly models. It needs no agents or log pipelines of your own: enable it and findings appear as soon as suspicious activity is observed.

✓ Enable GuardDuty in every AWS region, not only the ones you use: an attacker who obtains credentials will often work in an unused region precisely because nobody is watching it. Use a delegated administrator account so new accounts are enrolled automatically
✓ Send GuardDuty findings to Security Hub for centralised management and to EventBridge for alerting, so High and Critical findings reach an on-call person in near real time rather than waiting for the weekly review
✓ Review all GuardDuty findings at least weekly, prioritising High and Critical severity, and never suppress a finding without recording why
✓ Enable GuardDuty S3 Protection, which adds S3 data events as a source so malicious or anomalous access to bucket contents is detected, not only control-plane activity

AWS Security Hub

✓ Centralises findings from GuardDuty, Inspector, Macie, IAM Access Analyzer and third-party tools in one console and one finding format
✓ Runs automated checks against security standards such as the CIS AWS Foundations Benchmark and AWS Foundational Security Best Practices, and reports each failing control with the resource concerned
✓ Provides a security score per standard: an overall posture metric you can track over time across your accounts
✓ Aggregates findings across multiple accounts (and across regions, once an aggregation region is configured) in an AWS Organisation through a delegated administrator account
04

Logging: CloudTrail and CloudWatch

Logging without analysis is noise. But without logging, you have no audit trail when something goes wrong.

✓ Enable CloudTrail in all regions and all accounts as an organisation trail: log all management events, and data events for sensitive resources such as S3 buckets holding customer data (data events are charged per event, so scope them deliberately)
✓ Deliver CloudTrail logs to a dedicated S3 bucket in a separate log-archive account, with versioning plus MFA delete (or S3 Object Lock) enabled, so an attacker who compromises a workload account cannot delete the evidence
✓ Enable CloudTrail log file integrity validation: CloudTrail then publishes signed hourly digest files, and aws cloudtrail validate-logs can prove whether any log file was modified, deleted or forged
✓ Deliver the trail to a CloudWatch Logs group and create metric filters with alarms for root account usage, unauthorised API calls, failed console logins, and changes to IAM policies, CloudTrail itself or security groups
✓ Enable VPC Flow Logs for all VPCs to capture network traffic metadata (source, destination, port, accept/reject) for investigation and network anomaly detection
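As an added example (not De4sec's code), the detection logic behind the alarms in the list above, run over a handful of constructed CloudTrail records. Each rule mirrors a CloudWatch Logs metric filter pattern recommended by the CIS AWS Foundations Benchmark, quoted in the comment, so the same logic can be deployed as a metric filter and alarm on the log group the trail delivers to. The event IDs, user names, IP addresses and account ID in the sample are invented for this example.

```python
"""CloudTrail detection rules run over constructed sample records. Added
example, not De4sec's code. Each rule mirrors a CloudWatch Logs metric filter
recommended by the CIS AWS Foundations Benchmark (pattern quoted in the
comment). Records are constructed and trimmed to the fields the rules need.
"""
import json
from collections import Counter

SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"eventID": "e1", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "eventType": "AwsConsoleSignIn", "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "errorMessage": "Failed authentication", "responseElements": {"ConsoleLogin": "Failure"},
     "sourceIPAddress": "203.0.113.10"},
    {"eventID": "e2", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "eventType": "AwsApiCall", "userIdentity": {"type": "Root"}, "sourceIPAddress": "198.51.100.7"},
    {"eventID": "e3", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "eventType": "AwsApiCall", "requestParameters": {"name": "org-trail"},
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/Admin/bob"}},
    {"eventID": "e4", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "eventType": "AwsApiCall", "userIdentity": {"type": "IAMUser", "userName": "carol"},
     "errorCode": "Client.UnauthorizedOperation"},
    {"eventID": "e5", "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "eventType": "AwsApiCall", "userIdentity": {"type": "AssumedRole"}},
    # Root acting through a service (invokedBy set, AwsServiceEvent) must NOT fire root usage.
    {"eventID": "e6", "eventSource": "s3.amazonaws.com", "eventName": "GetBucketPolicy",
     "eventType": "AwsServiceEvent", "userIdentity": {"type": "Root", "invokedBy": "config.amazonaws.com"}},
    {"eventID": "e7", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "eventType": "AwsConsoleSignIn", "userIdentity": {"type": "IAMUser", "userName": "admin"},
     "errorMessage": "Failed authentication", "responseElements": {"ConsoleLogin": "Failure"},
     "sourceIPAddress": "203.0.113.10"},
]]


def root_usage(ev):
    # CIS filter: { $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS
    #               && $.eventType != "AwsServiceEvent" }
    ident = ev.get("userIdentity", {})
    return (ident.get("type") == "Root" and "invokedBy" not in ident
            and ev.get("eventType") != "AwsServiceEvent")


def console_login_failure(ev):
    # CIS filter: { ($.eventName = ConsoleLogin) && ($.errorMessage = "Failed authentication") }
    return ev.get("eventName") == "ConsoleLogin" and (
        ev.get("errorMessage") == "Failed authentication"
        or ev.get("responseElements", {}).get("ConsoleLogin") == "Failure")


def cloudtrail_tampering(ev):
    # CIS filter covers CreateTrail/UpdateTrail/DeleteTrail/StartLogging/StopLogging;
    # here only the actions that reduce visibility are alerted on.
    return (ev.get("eventSource") == "cloudtrail.amazonaws.com"
            and ev.get("eventName") in {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"})


def unauthorized_api_call(ev):
    # CIS filter: { ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }
    code = ev.get("errorCode", "")
    return code.endswith("UnauthorizedOperation") or code.startswith("AccessDenied")


RULES = {"RootAccountUsage": root_usage, "ConsoleLoginFailure": console_login_failure,
         "CloudTrailTampering": cloudtrail_tampering, "UnauthorizedApiCall": unauthorized_api_call}


def _parse(raw_lines):
    """Yield parsed records; malformed lines are skipped, not allowed to crash the pipeline."""
    for line in raw_lines:
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def run_detections(raw_lines):
    """Map each rule that fired to the eventIDs that triggered it, in log order."""
    hits = {name: [] for name in RULES}
    for ev in _parse(raw_lines):
        for name, rule in RULES.items():
            if rule(ev):
                hits[name].append(ev.get("eventID"))
    return {name: ids for name, ids in hits.items() if ids}


def failed_login_sources(raw_lines, threshold=5):
    """Source IPs with at least `threshold` failed console logins (spraying / brute force)."""
    counts = Counter(ev.get("sourceIPAddress", "unknown")
                     for ev in _parse(raw_lines) if console_login_failure(ev))
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for rule, ids in run_detections(SAMPLE_EVENTS).items():
        print(f"{rule}: {ids}")
    print("repeated login failures:", failed_login_sources(SAMPLE_EVENTS, threshold=2))
```

The negative case matters as much as the positive ones: e6 is the root identity acting through AWS Config, which a naive "type == Root" rule would page on every hour; the invokedBy and eventType checks are what keep the alarm quiet. The same patterns, pasted into a metric filter on the trail's log group with an alarm threshold of 1, are the CloudWatch Alarms the list above asks for.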

CloudTrail is the forensic audit trail for every API call made in your AWS account, whether from the console, the CLI, an SDK or another AWS service. Without it, incident investigation is reduced to guesswork. Enable it now if you haven't.

05

Workload and Data Security

EC2 Instances

✓ Patch OS and applications regularly: use AWS Systems Manager Patch Manager with maintenance windows and compliance reporting so unpatched instances are visible, not just unpatched
✓ Enable Amazon Inspector for continuous, automated vulnerability scanning of EC2 instances, container images in ECR and Lambda functions, with findings routed to Security Hub
✓ Enforce IMDSv2 on every instance and in launch templates. IMDSv1 answers a plain GET, so any SSRF bug or open proxy on the instance can read the role's credentials; IMDSv2 requires a session token obtained with a PUT request, and its default hop limit of 1 keeps that token from reaching callers behind a proxy or container bridge
✓ Security Groups: deny by default, allow by exception. No 0.0.0.0/0 ingress except to public-facing load balancers; use Systems Manager Session Manager for administrative access instead of exposing SSH or RDP
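To make the IMDSv2 point above concrete, here is an added example (not De4sec's or AWS's code) with a tiny in-process stand-in for the instance metadata service that can run in IMDSv1 ("optional" tokens) or IMDSv2 ("required" tokens) mode, queried once by an SSRF-style primitive that can only issue a GET and once by a client that behaves like the AWS SDK. The role name, the credential values and the token format are constructed; the real service has many more paths, and the hop-limit behaviour is modelled only for the token request.

```python
"""Why IMDSv2 blunts SSRF: a minimal model of the EC2 instance metadata
service in v1 and v2 mode. Added example, not De4sec's or AWS's code; the
credentials and role name are constructed.
"""
import secrets

TOKEN_TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"
TOKEN_HEADER = "X-aws-ec2-metadata-token"
CREDS_PATH = "/latest/meta-data/iam/security-credentials/example-role"  # assumed role name
CONSTRUCTED_CREDENTIALS = '{"AccessKeyId":"ASIAEXAMPLE","SecretAccessKey":"<example>","Token":"<example>"}'


class MetadataService:
    """In-process stand-in for the endpoint at 169.254.169.254."""

    def __init__(self, http_tokens="required", hop_limit=1):
        self.http_tokens = http_tokens  # "optional": IMDSv1 also answers; "required": IMDSv2 only
        self.hop_limit = hop_limit      # real IMDS sets the IP TTL of the token response to this
        self._tokens = set()

    def handle(self, method, path, headers=None, hops=1):
        """Return (status, body). `hops` is how many network hops away the caller is."""
        headers = {k.lower(): v for k, v in (headers or {}).items()}
        if method == "PUT" and path == "/latest/api/token":
            if hops > self.hop_limit:
                # The token response's TTL expires before it reaches a caller behind
                # a NAT, proxy or container bridge, so the caller never gets a token.
                return 403, "token response not routable beyond hop limit"
            ttl = headers.get(TOKEN_TTL_HEADER.lower())
            if ttl is None or not ttl.isdigit() or not 1 <= int(ttl) <= 21600:
                return 400, "missing or invalid TTL header"  # real IMDS caps TTL at 6 hours
            token = secrets.token_urlsafe(32)
            self._tokens.add(token)
            return 200, token
        if method != "GET":
            return 405, "method not allowed"
        if headers.get(TOKEN_HEADER.lower()) not in self._tokens and self.http_tokens == "required":
            return 401, "IMDSv2 session token required"
        # Reached either with a valid token (v2) or with no token while v1 is still allowed.
        if path == CREDS_PATH:
            return 200, CONSTRUCTED_CREDENTIALS
        return 404, "not found"


def ssrf_fetch(service, path):
    """SSRF primitive: the attacker controls only a URL and the vulnerable app issues a plain GET.
    It cannot choose the method, add headers, or chain a PUT before the GET."""
    return service.handle("GET", path)


def sdk_fetch_credentials(service, hops=1):
    """What the AWS SDK does: PUT for a session token, then GET with the token header."""
    status, token = service.handle("PUT", "/latest/api/token", {TOKEN_TTL_HEADER: "21600"}, hops=hops)
    if status != 200:
        return status, None
    return service.handle("GET", CREDS_PATH, {TOKEN_HEADER: token}, hops=hops)


if __name__ == "__main__":
    for mode in ("optional", "required"):
        svc = MetadataService(http_tokens=mode)
        print(f"HttpTokens={mode}: SSRF GET ->", ssrf_fetch(svc, CREDS_PATH)[0],
              "| SDK ->", sdk_fetch_credentials(svc)[0],
              "| SDK from 2 hops ->", sdk_fetch_credentials(svc, hops=2)[0])
```

On a real fleet the equivalent switch is aws ec2 modify-instance-metadata-options with --http-tokens required (and --http-put-response-hop-limit 1 unless containers on the host legitimately need the metadata service), set the same MetadataOptions in every launch template, and let Security Hub's IMDSv2 control report the stragglers.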

S3 Security

✓ Turn on S3 Block Public Access at the account level and exempt only the specific buckets that genuinely serve public content (and prefer CloudFront in front of a private bucket even then)
✓ Set default encryption on every bucket: new objects have been encrypted with S3-managed keys by default since 2023, so choose SSE-KMS with a customer-managed key where you need key-level access control and an audit trail of key use
✓ Enable Amazon Macie to discover sensitive data (PII, credentials, financial records) in S3 and to flag buckets that are public, unencrypted or shared outside the organisation
✓ Bucket policies: least privilege, and no wildcard Principal unless the bucket is intentionally public. A Principal of "*" is acceptable only when a Condition such as aws:PrincipalOrgID or aws:SourceVpce narrows it to known callers

Encryption

✓ Enable encryption at rest for all storage: EBS (turn on account-level default encryption so new volumes cannot be created unencrypted), S3, RDS and DynamoDB. Note that RDS encryption can only be chosen at creation; an unencrypted instance must be snapshotted, the snapshot copied with encryption enabled, and the copy restored
✓ Use AWS KMS customer-managed keys for sensitive data rather than AWS-managed keys: only customer-managed keys let you write the key policy, grant or refuse cross-account use, control rotation, alert on key usage in CloudTrail, and schedule deletion
✓ Enforce encryption in transit: TLS 1.2 minimum on load balancers, API Gateway and CloudFront, and a Deny in every S3 bucket policy when aws:SecureTransport is false so plain-HTTP requests are refused
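The bucket-policy checks from the S3 and encryption lists above (no wildcard Principal without a narrowing Condition; a Deny on aws:SecureTransport = false) as an added example, not De4sec's code, with a weak policy beside its hardened form. The bucket name example-customer-data and the organisation ID are constructed, and the "public" test is a simplification of the rules AWS applies when it labels a policy public.

```python
"""Audit an S3 bucket policy for a public Principal and for missing TLS
enforcement. Added example, not De4sec's code; policies are constructed.
"""

# Condition keys that tie a wildcard Principal to a known caller; AWS does not
# treat such a statement as public (abbreviated list).
NARROWING_KEYS = {"aws:PrincipalOrgID", "aws:PrincipalAccount", "aws:PrincipalArn",
                  "aws:SourceArn", "aws:SourceAccount", "aws:SourceVpc", "aws:SourceVpce",
                  "aws:userid"}

# Constructed weak policy: anyone on the internet can read every object, over plain HTTP.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-customer-data/*"}]}

# Constructed hardened policy: read limited to principals in the organisation, HTTP refused.
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "OrgRead", "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-customer-data/*",
     "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-customer-data", "arn:aws:s3:::example-customer-data/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def _is_wildcard_principal(principal):
    # Both "Principal": "*" and "Principal": {"AWS": "*"} mean "anyone".
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def _condition_keys(stmt):
    return {key for tests in stmt.get("Condition", {}).values() for key in tests}


def public_statements(policy):
    """Sids of Allow statements that an anonymous caller could use."""
    return [s.get("Sid", "<no Sid>") for s in policy["Statement"]
            if s["Effect"] == "Allow" and _is_wildcard_principal(s.get("Principal"))
            and not (_condition_keys(s) & NARROWING_KEYS)]


def enforces_tls(policy):
    """True if a Deny for everyone on all S3 actions fires when aws:SecureTransport is
    false. (Does not check that Resource covers both the bucket and its objects.)"""
    for s in policy["Statement"]:
        actions = [a.lower() for a in _as_list(s.get("Action"))]
        secure = s.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport", "")
        if (s["Effect"] == "Deny" and _is_wildcard_principal(s.get("Principal"))
                and ("*" in actions or "s3:*" in actions)
                and str(secure).lower() == "false"):   # accepts "false" or JSON false
            return True
    return False


def audit_bucket_policy(policy):
    """List of (finding, statement Sid or None) for the two checks in this section."""
    findings = [("PUBLIC_PRINCIPAL", sid) for sid in public_statements(policy)]
    if not enforces_tls(policy):
        findings.append(("NO_TLS_ENFORCEMENT", None))
    return findings


if __name__ == "__main__":
    print("weak:    ", audit_bucket_policy(WEAK_POLICY))
    print("hardened:", audit_bucket_policy(HARDENED_POLICY))
```

Block Public Access at the account level would stop the weak policy from being attached at all; the audit is still worth running on exempted buckets, and the same checks are what the Security Hub S3 controls report.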
06

De4sec AWS Security Service

Security Assessment
Review AWS environment against CIS benchmarks and AWS Foundational Security Best Practices. Produce prioritised remediation plan.
Security Baseline
Implement GuardDuty, Security Hub, CloudTrail, IAM hardening, and network security controls.
Ongoing Monitoring
GuardDuty and Security Hub alert monitoring. Weekly findings review. Monthly compliance report.
Incident Response
When a GuardDuty finding indicates an active threat: containment, investigation, remediation, and a post-incident report.
// NEXT STEP

Ready to implement this?

De4sec provides hands-on implementation. Book a free discovery call: we assess your environment at no cost and with no obligation.

Book a Free Discovery Call → de4sec.technology
© 2026 DE4SEC TECHNOLOGY. ALL RIGHTS RESERVED.