I've drawn upon a number of best practices, security guidelines, and government department information security recommendations to create my own set of general recommendations on how to secure your AWS Cloud.

It is important to understand that these are my general recommendations and that, while I've tried to make them applicable to a variety of situations, you will need to tailor them to your specific situation.

Note: Items below that are not linked represent articles that are yet to be written / works in progress.

The following are concepts that I've drawn inspiration from and have incorporated, at least in part, into my recommendations.

  • The importance of logging
  • Using AWS Cloudwatch Logs for log storage
  • Sample AWS Cloudformation templates of logging infrastructure
  • AWS provided log file uploaders
    • Limitations of the EC2 Config Service for uploading Windows event logs
    • Configuring the EC2 Config Service for Windows event log uploading
    • Uploading Linux logs
  • Introducing the AWS Gun For Hire CW Event Log Uploader
  • Logging aggregated network traffic (VPC flow logs)

Two Factor Authentication

  • Installing Duo Security's 2FA on Linux
  • Installing Duo Security's 2FA on Windows
    • Configuring Group Policy to automatically install Duo Security's 2FA for all Windows servers

Microsoft's Enhanced Mitigation Experience Toolkit (EMET)

EC2 Encrypted Volumes

  • Creating an encrypted boot volume for a new Windows instance
  • Encrypting the boot volume of an existing instance
  • Launching a Linux / non-Windows instance with an encrypted boot volume
  • Encrypting non-boot volumes