AWS Best Practices: 5 Must-Follow Security Tips for New Users

Raju MandalRaju Mandal
3 min read

Security in AWS is a shared responsibility—AWS manages the security of the cloud, while you are responsible for security in the cloud. For beginners, misconfigurations can lead to data breaches, unexpected costs, or service disruptions.

In this guide, we’ll cover five essential AWS security best practices every new user should implement immediately.

1. Never Use the Root Account for Daily Tasks

The AWS root account has unrestricted access to all services and resources. If compromised, attackers can take full control of your AWS environment.

Best Practice:

  1. Create an IAM user with admin privileges (but not root).

  2. Enable Multi-Factor Authentication (MFA) on the root account.

  3. Use IAM roles and policies for granular permissions.

aws iam create-user --user-name AdminUser
aws iam attach-user-policy --user-name AdminUser --policy-arn arn:aws:iam::aws:policy/AdministratorAccess

2. Enable Multi-Factor Authentication (MFA) Everywhere

Passwords alone are weak. MFA adds an extra layer of security.

Best Practice:

  1. Enforce MFA for all IAM users.

  2. Use virtual MFA (Google Authenticator/Authy) or hardware keys (YubiKey).

AWS CLI command to enable MFA:

aws iam enable-mfa-device --user-name AdminUser --serial-number arn:aws:iam::123456789012:mfa/AdminUser --authentication-code-1 123456 --authentication-code-2 789012

3. Apply the Principle of Least Privilege (PoLP)

Giving excessive permissions increases security risks.

Best Practice:

  1. Start with minimal permissions and expand as needed.

  2. Use AWS Managed Policies (e.g., ReadOnlyAccess) before creating custom ones.

  3. Regularly audit permissions with AWS IAM Access Analyzer.

📌 Example of a restrictive S3 policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject"],
      "Resource": ["arn:aws:s3:::example-bucket/*"]
    }
  ]
}

4. Use AWS CloudTrail for Activity Logging

Without logging, you won’t know who did what in your AWS account.

Best Practice:

  1. Enable CloudTrail in all regions.

  2. Store logs in an S3 bucket with encryption.

  3. Set up alerts for suspicious activities (e.g., root login).

Enable CloudTrail via CLI:

aws cloudtrail create-trail --name MySecurityTrail --s3-bucket-name my-cloudtrail-logs --is-multi-region-trail

5. Secure Your S3 Buckets (Avoid Public Exposure)

Misconfigured S3 buckets are a leading cause of data leaks.

Best Practice:

  1. Block all public access at the account level.

  2. Use bucket policies & ACLs carefully.

  3. Enable S3 encryption (SSE-S3, SSE-KMS).

Block public access via AWS Console:

  1. Go to S3 → Block Public Access settings.

  2. Enable "Block all public access".

Conclusion

Following these five AWS security best practices will significantly reduce risks:

  1. Avoid using the root account.

  2. Enable MFA everywhere.

  3. Follow least privilege in IAM.

  4. Enable CloudTrail logging.

  5. Secure S3 buckets.

By implementing these steps, you’ll build a strong security foundation in AWS.

Next Steps

  1. Try these in your AWS account today.

  2. Check out AWS Well-Architected Framework for deeper insights.

0
Subscribe to my newsletter

Read articles from Raju Mandal directly inside your inbox. Subscribe to the newsletter, and don't miss out.

AWSBeginner DevelopersAWS Best Practices

Written by

Raju Mandal
Raju Mandal

A digital entrepreneur, actively working as a data platform consultant. A seasoned data engineer/architect with an experience of Fintech & Telecom industry and a passion for data monetization and a penchant for navigating the intricate realms of multi-cloud data solutions.