AWS Hardening

This section covers Amazon Web Services (AWS) hardening across the six core security domains, plus two AWS-specific pages (GenAI Security and Kubernetes). Each domain page maps the cross-cutting principles from the General section onto the specific AWS services and configuration primitives that implement them.

Content is authored progressively: IAM ships first as a pilot (Phase 5), followed by Network, Data Protection, Logging & Detection, Workloads, and Incident Response in subsequent phases.

Domains

  • IAM — root MFA, IAM Identity Center, SCPs, permission boundaries, Access Analyzer
  • Network — VPC design, security groups, NACLs, VPC endpoints, WAF, Shield, Route53 DNSSEC
  • Data Protection — S3 Block Public Access, SSE-KMS, EBS/RDS encryption, Macie, KMS key policies
  • Logging & Detection — CloudTrail, Config, GuardDuty, Security Hub, VPC Flow Logs, CloudWatch alarms
  • Workloads — EC2 IMDSv2, SSM Session Manager, ECR, Inspector, Lambda least privilege, EKS hardening
  • Incident Response — break-glass, evidence preservation, EventBridge containment, CloudTrail forensics
  • GenAI Security — Bedrock IAM least privilege, Guardrails content filters (including prompt-attack filtering), VPC endpoints, model invocation logging, CloudTrail data events, Agent role scoping, Knowledge Base auth, cross-region inference controls, org-level enforcement
  • Kubernetes — EKS private cluster, EKS Pod Identity, KMS envelope encryption, Cluster Access Management API, IMDSv2 + hop-limit 1, CloudWatch Container Insights, EKS-managed add-ons, network policy, Bottlerocket/AL2023, Pod Security Standards
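The Workloads and Kubernetes entries both list "IMDSv2 + hop-limit 1". The following is an added example, not content from this page or its domain pages: an offline posture check over data shaped like an EC2 DescribeInstances response. The sample instances and their MetadataOptions are constructed for the example; the remediation command it emits is the real `aws ec2 modify-instance-metadata-options` CLI call.

```python
"""Offline check of EC2 instance-metadata posture (added example).

Two controls are checked per instance:
  * HttpTokens == "required"  -> IMDSv2 only; IMDSv1 (no session token) is
    what classic SSRF-to-credential-theft relies on.
  * HttpPutResponseHopLimit == 1 -> the IMDS PUT response carries an IP TTL
    of 1, so it is dropped at the first routing hop (e.g. a Docker bridge /
    host NAT); a container on a bridge network cannot reach the node's
    instance-role credentials.
The input mirrors ec2.describe_instances()["Reservations"]; the sample
below is constructed, not captured from a real account.
"""

from typing import Dict, List

# Constructed sample in the shape of a DescribeInstances response.
SAMPLE_RESERVATIONS = [
    {"Instances": [
        {"InstanceId": "i-0aaa", "MetadataOptions": {
            "HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 1}},
        {"InstanceId": "i-0bbb", "MetadataOptions": {
            "HttpEndpoint": "enabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 1}},
        {"InstanceId": "i-0ccc", "MetadataOptions": {
            "HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 2}},
        {"InstanceId": "i-0ddd", "MetadataOptions": {
            "HttpEndpoint": "disabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 1}},
    ]},
]


def imds_findings(reservations: List[dict]) -> Dict[str, List[str]]:
    """Return {instance_id: [problem, ...]} for instances that fail a control.

    Instances with the metadata endpoint disabled are skipped: with no IMDS
    there are no credentials to reach, so the two hardening settings are moot.
    """
    findings: Dict[str, List[str]] = {}
    for reservation in reservations:
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint", "enabled") == "disabled":
                continue
            problems = []
            if opts.get("HttpTokens") != "required":
                problems.append("IMDSv1 allowed (HttpTokens != required)")
            # Treat a missing hop limit as the documented default of 1
            # (assumption for constructed input; real responses always carry it).
            if opts.get("HttpPutResponseHopLimit", 1) > 1:
                problems.append("HttpPutResponseHopLimit > 1")
            if problems:
                findings[inst["InstanceId"]] = problems
    return findings


def remediation_commands(findings: Dict[str, List[str]]) -> List[str]:
    """One AWS CLI call per failing instance that sets both controls at once."""
    return [
        f"aws ec2 modify-instance-metadata-options --instance-id {iid} "
        "--http-tokens required --http-put-response-hop-limit 1"
        for iid in sorted(findings)
    ]


if __name__ == "__main__":
    found = imds_findings(SAMPLE_RESERVATIONS)
    for iid, problems in found.items():
        print(iid, "->", "; ".join(problems))
    for cmd in remediation_commands(found):
        print(cmd)
```

Before rolling the hop limit down to 1 fleet-wide, check for containers that legitimately read the node's IMDS across a bridge or NAT hop (they will start getting timeouts); the usual fix for those is a pod- or task-scoped identity (EKS Pod Identity or IRSA) rather than raising the hop limit again.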

This page is a Phase 2 stub. Section overview content arrives in later phases.