AWS Security Basics - A Beginner's Guide

Introduction
Security within the AWS environment is a critical component of cloud architecture. Implementing rigorous security practices is imperative for protecting data and deployed applications, because, contrary to a popular belief, security in the Cloud is not in place by default. This post presents the foundations of AWS security, focusing on Identity and Access Management (IAM), Security Groups, and Virtual Private Clouds (VPC). Of course, this is not exhaustive and many other components are important, but these three truly represent the foundation.

Identity and Access Management (IAM):

The AWS IAM service allows for granular control of access permissions to AWS resources. And when I say granular, it’s REALLY very granular… Identity management is carried out through the following entities:

  • Users, Groups, and Roles: IAM users represent individuals or applications. They can sign in (or not, depending on their permissions) to the AWS console and command line. It’s the simplest way to create access to AWS, but in reality not the most secure. Indeed, with these users it is possible to create access keys, and the problem is that these access keys are unprotected and permanent by default. We would recommend using federated access instead, via an external identity provider like Entra ID; however, there are often special cases where IAM users are necessary. Groups facilitate the management of permissions for sets of users. AWS recommends systematically placing users in groups and always assigning permissions to groups rather than directly to users. Roles assign permissions to AWS services. You can think of them as service accounts.
  • Policies: IAM policies define the actions an entity can take on AWS resources. Applying the principle of least privilege is highly recommended. For beginners, AWS provides managed policies, which simplify the granting of permissions (AWSS3Administrator for example). However, keep in mind that these managed policies never respect the principle of least privilege and that giving too many permissions to your users represents a significant and documented risk. You can (and should) favor “custom” policies, defined manually.
  • Multi-Factor Authentication (MFA): Enabling MFA is an essential security measure to strengthen account protection. You should ALWAYS require MFA for your accesses; it’s absolutely essential! This is especially true for the Root account of your AWS environment, which is a special account that does not appear in the IAM console and is your break-glass account. AWS now offers the option to register multiple MFA devices simultaneously on an account, which is convenient for having a backup MFA.
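To make the least-privilege point from the Policies bullet concrete, here is a small linter (an added example, not code from the original post) that flags the patterns which make a policy broader than it needs to be: wildcard actions, a `Resource` of `*`, and `NotAction`/`NotResource`. The two policy documents are constructed samples; the bucket name is a placeholder.

```python
# Constructed samples: a broad policy (what a managed "full access" style policy
# looks like) beside a scoped one limited to two actions on one bucket.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}
    ],
}
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::example-app-bucket/*",
        },
        {
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::example-app-bucket",
        },
    ],
}


def _as_list(value):
    """IAM accepts either a string or a list in Action/Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def lint_policy(policy):
    """Return one finding per place where an Allow statement is broader than necessary."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only ever narrow access
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action:  # "*", "s3:*", "s3:Get*" ...
                findings.append(f"statement {idx}: wildcard action {action!r}")
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*":
                findings.append(f"statement {idx}: applies to every resource ('*')")
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {idx}: NotAction/NotResource allows everything not listed")
    return findings


if __name__ == "__main__":
    for name, pol in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, lint_policy(pol) or ["no findings"])
```

The same function can be pointed at the JSON returned by `aws iam get-policy-version` to review the policies already attached to your groups.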

For an in-depth understanding, please consult the official AWS documentation:

AWS IAM Overview
IAM Best Practices

Security Groups:

Security groups act as virtual firewalls for EC2 instances, controlling incoming and outgoing traffic at the TCP and UDP port levels. They can also be assigned to Load Balancers or Kubernetes pods, for example. These security groups are Stateful, which means you don’t have to worry about traffic in response to a communication.

  • Inbound and Outbound Rules: These rules define the allowed protocols and ports, as well as the source and destination IP addresses. By default, all incoming (ingress) communications are blocked. Therefore, if you cannot connect to your server even though it seems healthy, this is often a good place to investigate. On the other hand, outgoing communications are all open by default. WHICH IS NOT RECOMMENDED! The majority of your servers should not have to connect to anything other than TCP 80 and 443. Therefore, configure your outbound security groups as strictly as possible.
  • Configuration: Precise configuration of security groups, both inbound and outbound, is essential to limit exposure to risks. Note that it is possible to assign multiple security groups to an instance, as well as to assign the same security group to multiple instances. Also, these groups do not allow filtering by URL, only by IP address. To filter URLs you will need an additional service, Network Firewall.
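The two bullets above boil down to two checks: no ingress open to the whole Internet, and egress trimmed to TCP 80/443. As an added example (not code from the original post), this audits groups in the JSON shape returned by `aws ec2 describe-security-groups`; the two groups and their `sg-...` ids are constructed samples, one with the default wide-open egress plus SSH from anywhere, and one hardened so only the load balancer's group reaches the application port.

```python
WORLD = {"0.0.0.0/0", "::/0"}
WEB_PORTS = {80, 443}

# Constructed samples (ids are placeholders): default-style group vs hardened group.
PERMISSIVE_SG = {
    "GroupId": "sg-0example000000001",
    "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                       "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
    "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
}
HARDENED_SG = {
    "GroupId": "sg-0example000000002",
    "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
                       "UserIdGroupPairs": [{"GroupId": "sg-0example00000000lb"}]}],
    "IpPermissionsEgress": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
}


def _cidrs(rule):
    """Collect the IPv4 and IPv6 CIDR sources/destinations of one rule."""
    return ([r["CidrIp"] for r in rule.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])])


def _ports(rule):
    """IpProtocol -1 means every protocol and port; otherwise the inclusive port range."""
    if rule.get("IpProtocol") == "-1":
        return None
    return rule["FromPort"], rule["ToPort"]


def audit_security_group(sg):
    """Return findings for world-reachable ingress and egress not limited to TCP 80/443."""
    findings = []
    gid = sg["GroupId"]
    for rule in sg.get("IpPermissions", []):
        if WORLD & set(_cidrs(rule)):
            findings.append(f"{gid}: ingress from the whole Internet on {_ports(rule) or 'all ports'}")
    for rule in sg.get("IpPermissionsEgress", []):
        ports = _ports(rule)
        web_only = (rule.get("IpProtocol") == "tcp" and ports is not None
                    and ports[0] == ports[1] and ports[0] in WEB_PORTS)
        if not web_only:
            findings.append(f"{gid}: egress not limited to TCP 80/443 ({rule.get('IpProtocol')} {ports or 'all'})")
    return findings


if __name__ == "__main__":
    for sg in (PERMISSIVE_SG, HARDENED_SG):
        print(sg["GroupId"], audit_security_group(sg) or ["no findings"])
```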

AWS Documentation, regarding security groups:

Amazon EC2 Security Groups for Linux Instances

Virtual Private Clouds (VPC):

The VPC service allows the creation of an isolated network within the AWS infrastructure. The good news is that this network is REALLY isolated by default. Even within the same AWS account, if you have multiple VPCs, your servers will have no awareness of those located in another VPC. This makes VPCs perfect for segmentation, and when needed there are of course ways to connect VPCs together in a granular fashion. In particular, Dev and Prod VPCs can live within the same AWS account.

  • Subnets: Public and private subnets segment the network and control access to the Internet. Subnets allow micro-segmentation to be applied within a VPC, with filtering rules between subnets applied via NACLs.
  • Route Tables: Route tables define the communication paths between subnets and gateways.
  • Internet and NAT Gateways: These gateways provide connectivity between the VPC and the Internet, while preserving the security of private instances. What you need to understand is that it is quite possible to have VPCs without any Internet access, with connections to your servers made via the AWS console. Not very practical, but possible for some scenarios. In all cases, it is recommended not to assign public IP addresses directly to your servers but to place them in a private subnet, with Internet access via a NAT Gateway. To publish your servers on the Internet, you can then use a load balancer that filters the incoming traffic.

Additional information about the AWS VPC service:

What is Amazon VPC?

Some additional services:

Using the AWS Config and Trusted Advisor services allows for continuous evaluation of the security posture. Config in particular is very useful because it allows you to continuously record the configuration of your Cloud objects and be able to maintain a sort of CMDB.

Implementing logging and monitoring via CloudTrail and CloudWatch is essential for anomaly detection. CloudTrail is a service to explore early, because whether or not you end up with useful and intact logs depends on its proper configuration. CloudWatch is more of a service for querying logs and metrics (a sort of managed Graylog).

Finally, AWS offers very interesting security solutions like GuardDuty for threat detection (essential when you start) and Inspector to detect vulnerabilities (ridiculously simple to activate, it is also a must-have when you start your AWS journey).

Conclusion:

Security in the AWS environment requires a rigorous and proactive approach. Mastery of IAM, Security Groups, and VPC services constitutes an essential foundation for protecting cloud resources, but as specified in the previous chapter, many additional components are necessary. For this, it is essential to devote enough time at the beginning to fully understand the main AWS objects.
