
AWS security checklist for regulated workloads

April 27, 2026 · 7 min read

Running regulated workloads on AWS requires a security posture that goes beyond default configurations. Whether you are subject to CMMC, FedRAMP, HIPAA, or SOC 2, the fundamentals are the same: identity controls, encryption, logging, monitoring, and network isolation.

This checklist covers the high-impact security controls that every AWS account handling sensitive data should have in place.

IAM best practices

Identity and Access Management is the foundation of AWS security. Misconfigurations here create the most common and most exploitable vulnerabilities.

  • Enable MFA on all human accounts. Hardware security keys are preferred for privileged accounts. Software TOTP is acceptable for standard users. SMS-based MFA should be avoided.
  • Use IAM Identity Center (SSO). Federate with your identity provider rather than creating standalone IAM users. This centralizes access management and simplifies offboarding.
  • Apply least privilege. Start with no permissions and add only what is needed. Use IAM Access Analyzer to identify unused permissions and tighten policies over time.
  • Eliminate long-lived access keys. Use IAM roles and temporary credentials wherever possible. If access keys are required, rotate them regularly and monitor for key age using AWS Config rules.
  • Set SCPs at the organization level. Service Control Policies prevent even administrators from performing dangerous actions like disabling CloudTrail or modifying critical security configurations.
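Two of the checks above, MFA on every console login and a maximum access-key age, can be run against the IAM credential report. The following is an added example, not code from the original checklist: it parses a constructed credential report in the CSV layout returned by `aws iam get-credential-report` and flags the gaps; the 90-day threshold and the "today" date are assumptions.

```python
# Added example, not from the original checklist: audit an IAM credential
# report for console users without MFA and active access keys past a
# rotation threshold.  Columns follow the CSV from
# `aws iam get-credential-report`; the rows are constructed sample data.
import csv
import io
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE = timedelta(days=90)                         # assumed rotation policy
SAMPLE_NOW = datetime(2026, 4, 27, tzinfo=timezone.utc)  # assumed "today"

SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2023-01-01T00:00:00+00:00,true,2026-04-01T00:00:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2024-02-01T00:00:00+00:00,true,2026-04-20T00:00:00+00:00,2025-12-01T00:00:00+00:00,2026-03-01T00:00:00+00:00,false,true,2025-11-01T00:00:00+00:00,2026-04-25T00:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2024-06-01T00:00:00+00:00,false,no_information,N/A,N/A,false,true,2026-03-15T00:00:00+00:00,2026-04-26T00:00:00+00:00,us-east-1,ecr,true,2024-06-01T00:00:00+00:00,no_information,N/A,N/A,false,N/A,false,N/A
"""

def parse_ts(value):
    """Report timestamps are ISO 8601; N/A, no_information, not_supported mean none."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None

def audit_credential_report(report_csv, now=SAMPLE_NOW, max_key_age=MAX_KEY_AGE):
    """Return (user, finding) pairs for missing MFA and stale access keys."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        # Console password enabled but no MFA device: a human login without MFA.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console login without MFA"))
        # Each active access key is judged by its last rotation date.
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = parse_ts(row[f"access_key_{n}_last_rotated"])
            if rotated is None or now - rotated > max_key_age:
                findings.append((user, f"access key {n} older than {max_key_age.days} days"))
    return findings

def sample_findings():
    return audit_credential_report(SAMPLE_REPORT)

if __name__ == "__main__":
    for user, finding in sample_findings():
        print(f"{user}: {finding}")
```

The same logic can be pointed at the real report after base64-decoding the `Content` field that the API returns.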

Enable GuardDuty

AWS GuardDuty is a managed threat detection service that analyzes CloudTrail logs, VPC Flow Logs, and DNS query logs using machine learning and threat intelligence. It requires no agents, no infrastructure, and minimal configuration.

  • Enable GuardDuty in every region, not just the regions you use. Attackers often operate in unused regions to avoid detection.
  • Enable S3 protection to detect anomalous access patterns on your buckets.
  • Enable EKS protection if you run Kubernetes workloads.
  • Route findings to Security Hub for centralized visibility.

Configure Security Hub

AWS Security Hub aggregates findings from GuardDuty, Inspector, Macie, Firewall Manager, and third-party tools into a single dashboard. It also runs automated compliance checks against security standards.

  • Enable the AWS Foundational Security Best Practices standard.
  • If subject to compliance requirements, enable the relevant standard (CIS Benchmarks, NIST 800-53, PCI DSS).
  • Set up automated notifications for critical and high-severity findings.
  • Review findings weekly and track remediation in a ticketing system.

AWS Config rules

AWS Config continuously records resource configurations and evaluates them against rules. This provides continuous compliance monitoring and drift detection.

  • Enable Config recording in all regions and for all resource types.
  • Deploy managed rules for common checks: encrypted EBS volumes, public S3 buckets, unrestricted security groups, and IAM password policies.
  • Use Config conformance packs for framework-aligned rule sets.
  • Set up auto-remediation for critical rules using Systems Manager Automation.

Encryption with KMS

Encryption at rest and in transit is a baseline requirement for regulated workloads. AWS Key Management Service (KMS) provides centralized key management with audit trails.

  • Use customer-managed KMS keys (CMKs) rather than AWS-managed keys for regulated data. CMKs give you control over key policies and rotation.
  • Enable automatic key rotation (annual rotation for symmetric keys).
  • Encrypt all data stores: S3, EBS, RDS, DynamoDB, EFS, and Secrets Manager.
  • Enforce TLS 1.2 or higher for all data in transit.
  • For CMMC and FedRAMP workloads, verify that your KMS configuration uses FIPS 140-2 validated endpoints.

VPC design and network isolation

Network architecture is your primary defense against lateral movement. Regulated workloads should be isolated from general-purpose infrastructure.

  • Place sensitive workloads in private subnets with no direct internet access.
  • Use VPC endpoints for AWS service access instead of routing through the internet.
  • Implement security groups with the principle of least privilege. Deny all inbound by default and open only required ports.
  • Use Network ACLs as a secondary layer for subnet-level controls.
  • Enable VPC Flow Logs and send them to a centralized logging account.

Logging with CloudTrail

CloudTrail records every API call made in your AWS account. For regulated workloads, this is your audit trail and your forensic data source.

  • Enable CloudTrail in all regions with multi-region trail configuration.
  • Enable data event logging for S3 and Lambda to capture object-level and function-level activity.
  • Store CloudTrail logs in a dedicated, locked-down S3 bucket with versioning and MFA delete enabled.
  • Send logs to a centralized logging account that application teams cannot access.
  • Set up CloudTrail log file integrity validation to detect tampering.

S3 security

S3 is one of the most commonly misconfigured AWS services. Public bucket exposures have been responsible for some of the largest data breaches in recent years.

  • Enable S3 Block Public Access at the account level. Override only when absolutely necessary and with documented justification.
  • Enable server-side encryption with KMS for all buckets containing sensitive data.
  • Enable versioning and MFA delete on critical buckets.
  • Use bucket policies to restrict access by VPC endpoint, IP range, or IAM principal.
  • Enable access logging to track who accesses what.

Container security

If you run containers on ECS or EKS, additional controls are required.

  • Scan container images for vulnerabilities before pushing to ECR. Use Amazon Inspector or a third-party scanner.
  • Enable ECR image scanning on push.
  • Use minimal base images (distroless or Alpine) to reduce the attack surface.
  • Run containers as non-root users.
  • Use Fargate where possible to eliminate host management responsibilities.
  • For EKS, enable audit logging and use pod security standards to restrict privileged containers.

Monitoring and alerting

Detection without response is just logging. Build alerting workflows that ensure critical findings reach the right people.

  • Route Security Hub and GuardDuty findings to SNS topics or EventBridge rules.
  • Integrate alerts with your ticketing system (Jira, ServiceNow) or chat platform (Slack, Teams).
  • Create CloudWatch alarms for key metrics: unauthorized API calls, root account usage, IAM policy changes, and security group modifications.
  • Conduct quarterly reviews of alert effectiveness. Tune or suppress noisy alerts and escalate alerts that are being ignored.
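The four alarm conditions above can be expressed as detection logic over CloudTrail records and tested on sample events before they become CloudWatch metric filters. This is an added example, not code from the original checklist; the alarm names and the sample records are constructed, and the event-name lists are the IAM policy and security-group API calls the rules watch for.

```python
# Added example, not from the original checklist: the four alarm conditions
# (unauthorized API calls, root usage, IAM policy changes, security group
# changes) as detection rules over CloudTrail records.  Sample records below
# are constructed, not real log data.
import json

IAM_POLICY_EVENTS = {
    "CreatePolicy", "DeletePolicy", "CreatePolicyVersion", "DeletePolicyVersion",
    "AttachRolePolicy", "DetachRolePolicy", "AttachUserPolicy", "DetachUserPolicy",
    "AttachGroupPolicy", "DetachGroupPolicy", "PutRolePolicy", "DeleteRolePolicy",
    "PutUserPolicy", "DeleteUserPolicy", "PutGroupPolicy", "DeleteGroupPolicy"}
SECURITY_GROUP_EVENTS = {
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
    "CreateSecurityGroup", "DeleteSecurityGroup"}

def classify(event):
    """Return the alarm names one CloudTrail record should trigger."""
    hits = []
    err = event.get("errorCode", "")
    if err.endswith("UnauthorizedOperation") or err.startswith("AccessDenied"):
        hits.append("unauthorized_api_call")
    ident = event.get("userIdentity", {})
    # Root acting directly; service events issued on root's behalf are excluded.
    if (ident.get("type") == "Root" and "invokedBy" not in ident
            and event.get("eventType") != "AwsServiceEvent"):
        hits.append("root_account_usage")
    src, name = event.get("eventSource"), event.get("eventName")
    if src == "iam.amazonaws.com" and name in IAM_POLICY_EVENTS:
        hits.append("iam_policy_change")
    if src == "ec2.amazonaws.com" and name in SECURITY_GROUP_EVENTS:
        hits.append("security_group_change")
    return hits

def scan(records):
    """Map each alarm name to the eventIDs that triggered it."""
    alerts = {}
    for rec in records:
        for alarm in classify(rec):
            alerts.setdefault(alarm, []).append(rec["eventID"])
    return alerts

SAMPLE_RECORDS = json.loads("""[
{"eventID": "e1", "eventType": "AwsApiCall", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "userIdentity": {"type": "IAMUser", "userName": "alice"}, "errorCode": "Client.UnauthorizedOperation"},
{"eventID": "e2", "eventType": "AwsApiCall", "eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy", "userIdentity": {"type": "Root"}},
{"eventID": "e3", "eventType": "AwsApiCall", "eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress", "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/deploy/ci"}},
{"eventID": "e4", "eventType": "AwsApiCall", "eventSource": "s3.amazonaws.com", "eventName": "GetObject", "userIdentity": {"type": "IAMUser", "userName": "bob"}}
]""")

def sample_alerts():
    return scan(SAMPLE_RECORDS)
```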

Putting it all together

No single control is sufficient on its own. AWS security for regulated workloads requires layered defenses across identity, network, encryption, logging, and monitoring. Start with IAM and logging, then layer on GuardDuty, Security Hub, and Config. Iterate continuously as your environment and compliance requirements evolve.

If you are unsure where your gaps are, a security audit is the fastest way to get a prioritized roadmap. Thirty minutes of expert review can save months of misdirected effort.
