
Best practices for securing your AWS account

Detection control

In AWS, we can configure our account to analyze its own behavior, alert on configuration changes, track user actions to identify inappropriate behavior, and protect data from deletion or misuse. This relies on several services, each with the best practices that AWS recommends, which we review below.

“When we have an AWS account, it’s necessary to monitor the environment to identify a threat or a failure.”

1.- Monitoring and Registration

Use the integrated AWS platform for monitoring and alerts.

CloudTrail records API activity and gives us the material to track changes and check the security compliance of our accounts, but logging must be enabled for all accounts, services, and regions.
CloudTrail detective security best practices

Amazon CloudWatch

CloudWatch helps us monitor and ensure that all of our workloads are running smoothly by collecting operational and monitoring data that is delivered in the form of logs, metrics, and events.

In CloudWatch, we can analyze the behavior of our applications and send alerts when unexpected behavior requires action from us.
Analyzing AWS CloudTrail in Amazon CloudWatch

With CloudWatch, we can analyze logs from different layers: infrastructure (VPC), host (NGINX/Apache/IIS), and services (S3, ELB), and review additional security-related events, for example:
– writes to Amazon S3
– SNS notifications sent

Use a separate AWS account to obtain and store copies of all logs.

You must set up a secure account to copy logs to a separate repository. This ensures access to information that can be useful in security workflows and incident response.

2.- VPC monitoring

We can send VPC Flow Logs directly to CloudWatch Logs or Amazon S3 and so monitor the traffic carried in the account's VPCs, which also makes troubleshooting easier.

As a best practice, create alerts that notify us whenever the configuration changes. For example, an alarm that fires when a VPC configuration is modified: Create alarm for VPC configuration changes

3.- S3 monitoring and detection

We can enable the logging of actions performed by users, roles, or AWS services on Amazon S3 resources and maintain logs for auditing and compliance purposes.
Enabling Amazon S3 server access logging

Avoid deliberate or accidental bucket deletion.
Enable MFA Delete so that when a user wants to delete from the bucket, the MFA code must also be supplied.
Deleting an object from an MFA delete-enabled bucket

S3 Alert

Create an alarm that notifies us whenever someone uploads or deletes an object in a bucket.
Creating CloudWatch alarms for CloudTrail events: examples
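The two alarms above (VPC configuration changes and S3 object upload/delete) both come down to matching CloudTrail event names. As an added example, not code from the original post or from AWS, the script below builds the equivalent CloudWatch Logs metric filter pattern and runs the same matching over constructed sample CloudTrail records; the event-name sets are assumptions (the VPC set mirrors the AWS example filter, the S3 set is a minimal upload/delete set).

```python
import json

# Event names watched by the two alarms the page describes. The VPC set
# mirrors the AWS "VPC configuration changes" example filter; the S3 set
# covers object upload/delete (assumed lists, extend them to taste).
VPC_CONFIG_EVENTS = {
    "CreateVpc", "DeleteVpc", "ModifyVpcAttribute", "AcceptVpcPeeringConnection",
    "CreateVpcPeeringConnection", "DeleteVpcPeeringConnection",
    "RejectVpcPeeringConnection", "AttachClassicLinkVpc", "DetachClassicLinkVpc",
    "DisableVpcClassicLink", "EnableVpcClassicLink",
}
# Object-level S3 events only reach CloudTrail when data events are enabled.
S3_OBJECT_EVENTS = {"PutObject", "DeleteObject", "DeleteObjects"}

def metric_filter_pattern(event_names):
    """CloudWatch Logs filter pattern that matches any of the given event names."""
    terms = " || ".join(f"($.eventName = {name})" for name in sorted(event_names))
    return "{ " + terms + " }"

def classify_event(record):
    """Return the alarm category a CloudTrail record belongs to, or None."""
    name, source = record.get("eventName", ""), record.get("eventSource", "")
    if source == "ec2.amazonaws.com" and name in VPC_CONFIG_EVENTS:
        return "vpc-config-change"
    if source == "s3.amazonaws.com" and name in S3_OBJECT_EVENTS:
        return "s3-object-change"
    return None

def scan_trail(lines):
    """Scan one-JSON-record-per-line CloudTrail output; unparsable lines are skipped."""
    findings = []
    for line in lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        kind = classify_event(record)
        if kind:
            who = record.get("userIdentity", {}).get("arn", "unknown")
            findings.append((kind, record["eventName"], who, record.get("sourceIPAddress")))
    return findings

# Constructed sample records (not real log data) in the shape CloudTrail delivers.
SAMPLE_LINES = [
    '{"eventSource":"ec2.amazonaws.com","eventName":"CreateVpc","userIdentity":{"arn":"arn:aws:iam::123456789012:user/alice"},"sourceIPAddress":"198.51.100.7"}',
    '{"eventSource":"s3.amazonaws.com","eventName":"DeleteObject","userIdentity":{"arn":"arn:aws:iam::123456789012:role/ci"},"sourceIPAddress":"203.0.113.9"}',
    '{"eventSource":"ec2.amazonaws.com","eventName":"DescribeVpcs","userIdentity":{"arn":"arn:aws:iam::123456789012:user/bob"},"sourceIPAddress":"198.51.100.8"}',
    "not json at all",
]
```

`metric_filter_pattern(VPC_CONFIG_EVENTS)` yields the pattern you would attach to the CloudTrail log group; `scan_trail(SAMPLE_LINES)` shows which of the sample records that filter would count, with the read-only DescribeVpcs call and the malformed line ignored.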

4.- RDS detection

Place our RDS instances in a private VPC and control which EC2 instances can reach them through Security Groups. Use IAM policies with permissions tailored to each user group that needs to manage RDS.
Use encryption in transit (SSL/TLS) and at rest.
RDS Security Best Practices

5.- Detection in Application Load Balancer

Enable access logging on the ELB. ELB Access Logs

6.- Detection in CloudFront

For CloudFront, we recommend encrypting data in transit and at rest and restricting access to content appropriately. CloudFront Security

The main recommendation is to enable CloudFront logging so that the requests made to CloudFront on the account can be monitored. Configure & Access CloudFront Logs

These are some of the services covered by AWS's best practices. At XalDigital we can advise you on staying up to date with the best practices, knowledge, and technological solutions for your business. Contact us and get to know our solutions for your business.
