AWS Security Best Practices

Work In Progress: This is a collection of resources intended to help you with your everyday AWS security.

AWS Organizations Structure

If you have many AWS accounts you will want to take advantage of AWS Organizations. AWS Organizations allows

OU Structure

  • Root OU
    • Prod OU
    • Staging OU
    • Dev OU
      • Individual Accounts OU
    • Core Services OU

Standard AWS Accounts

Security Account

This account is where you will run any security-related services, tools, or software.

For example, this can be:

  • AWS GuardDuty Delegated Administrator
  • ScoutSuite Scanning Tool
  • HashiCorp Vault

Logging Account

This account is where your immutable logs will go. Its purpose is to house important security logs that must have a high degree of integrity for security and possibly compliance reasons. This would include Object Lock and Service Control Policies that prevent the deletion of data.

For example, logs sent here would include:

  • AWS CloudTrail Logs
  • Authentication and Access Logs

AWS CloudTrail Configuration

AWS CloudTrail - Creating The S3 Bucket In Your Logging Account

The following details how to securely create your S3 bucket for CloudTrail use.

Much of this is very similar to AWS S3 Bucket Security Best Practices.

This S3 bucket must live in your Logging account. An account

  • Enable Block ALL public access
  • Enable Bucket Versioning
  • Enable Encryption (SSE-S3)
  • Enable Object Lock

Enable Block Public Access

Enable Bucket Versioning

Enable Default Encryption

Enable Object Lock

Add This Bucket Policy To Allow CloudTrail Logging
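The policy text itself is not on this page. As an added example (not the page's own policy), the Python below builds the bucket policy AWS documents for an organization trail: a GetBucketAcl check plus PutObject grants on the management-account and organization log prefixes, each pinned to the trail ARN with aws:SourceArn. The bucket name, account ID and organization ID used in the script are constructed placeholders.

```python
# Added example (not the page's own policy): build the S3 bucket policy that
# lets CloudTrail deliver an organization trail into the Logging-account bucket.
# Statement shapes follow AWS's documented CloudTrail bucket policy. The trail
# is created in the management account, so aws:SourceArn is the trail ARN there;
# CloudTrail writes under AWSLogs/<management account id>/ for that account's
# own events and under AWSLogs/<org id>/ for every member account's events.
import json

CLOUDTRAIL = {"Service": "cloudtrail.amazonaws.com"}

def cloudtrail_org_bucket_policy(bucket, region, mgmt_account_id, org_id, trail_name):
    """Return the bucket policy as a dict ready for json.dumps()."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    trail_arn = f"arn:aws:cloudtrail:{region}:{mgmt_account_id}:trail/{trail_name}"
    # Pin every grant to this one trail so no other trail can write here.
    source = {"aws:SourceArn": trail_arn}
    # bucket-owner-full-control makes the Logging account own every log object.
    write_cond = {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control", **source}}

    def put_statement(sid, prefix):
        return {
            "Sid": sid,
            "Effect": "Allow",
            "Principal": CLOUDTRAIL,
            "Action": "s3:PutObject",
            "Resource": f"{bucket_arn}/AWSLogs/{prefix}/*",
            "Condition": write_cond,
        }

    acl_check = {  # CloudTrail reads the bucket ACL before it starts delivering
        "Sid": "AWSCloudTrailAclCheck",
        "Effect": "Allow",
        "Principal": CLOUDTRAIL,
        "Action": "s3:GetBucketAcl",
        "Resource": bucket_arn,
        "Condition": {"StringEquals": source},
    }
    return {
        "Version": "2012-10-17",
        "Statement": [
            acl_check,
            put_statement("AWSCloudTrailWrite", mgmt_account_id),
            put_statement("AWSCloudTrailOrganizationWrite", org_id),
        ],
    }

if __name__ == "__main__":  # constructed placeholder IDs; replace with your own
    print(json.dumps(cloudtrail_org_bucket_policy(
        "example-org-cloudtrail-logs", "us-east-1", "111111111111",
        "o-exampleorgid", "company-org-trail"), indent=2))
```

Apply the output with `aws s3api put-bucket-policy` in the Logging account; the organization prefix statement is what lets member-account events land in the bucket.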


Create An Organizational CloudTrail

  1. Go to your management AWS Account (Organizational Root) and select the CloudTrail service

Note: the AWS Console will default you to "Quick trail create"; please DISREGARD it. Instead click on the menu icon on the left and select "Trails".

  2. Go to Trails

This is the screen you should see.

  3. Create the Organizational CloudTrail

    1. Select a name like company-org-trail
    2. Check the box "Enable for all accounts in my organization"
    3. Select "Use existing S3 bucket" and enter the S3 bucket created in the previous step

AWS S3 Security

Database Security

RDS Security

EKS Security

EC2 Security

AWS Amplify Security