Best practices in implementing AWS security

Typically, you will start with basic security measures in place and then rapidly iterate from there to improve your overall cloud security model and implementation. Before designing any of your security solutions, you will need to identify the assets you need to protect and classify them into high, medium, and low risk categories. This is often a non-trivial undertaking in large enterprises. In most organizations, asset data is entered manually, so it relies heavily on human accuracy. Capturing this data programmatically results in better efficiency and accuracy. Integrate AWS APIs with your existing enterprise asset management systems, and include your CloudFormation templates or scripts as artifacts in your configuration management database to get a better handle on your cloud assets.

In order to get off the ground faster, take full advantage of everything that is provided out of the box by AWS, whether it is security groups, network ACLs, or the ability to turn CloudTrail on for all your AWS accounts. In addition, we typically implement Infrastructure as Code (IAC) on AWS Cloud and include security in the whole deployment process. For example, when code is deployed on a new EC2 instance, the OS hardening should happen as a part of the build pipeline.

The AWS Identity and Access Management (IAM) service is central to implementing security for your applications on AWS cloud. Some of the main activities and best practices for AWS IAM are listed below:

  • Use IAM to create users, groups, and roles, and to assign appropriate permissions.
  • Manage permissions using groups. You assign permissions to groups and then assign individuals to them. While assigning permissions to groups, always grant the least privilege. AWS provides several policy templates for each of their services. Use these policy templates, as they are a great starting point for setting up the permissions for AWS services. For example, you can quickly set up permissions for a group that has read-only access to S3 buckets.
  • In your ISMS, you will need to define a set of roles and responsibilities and assign specific owners to particular security-related tasks and controls. Depending on your choices, these owners may be a combination of people within your organization, or AWS partners, third-party service providers, and vendors. Map each of these owners to appropriate AWS IAM roles.
  • Use IAM roles to share access. Never share your credentials for giving access, temporarily or otherwise. Restrict privileged access further by using IAM conditions, and reduce or eliminate the use of root credentials.
  • Use IAM roles to obtain the access keys used on your EC2 instances. This eases key rotation, as the new set of keys can be retrieved via a web service call from your application.
  • Enable multi-factor authentication for privileged users, for example, users that have permission to terminate instances.
  • Rotate security credentials regularly. Rotate both your passwords and access keys.
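As an added illustration of the least-privilege and MFA points above (this is example code, not from the book or from AWS), the following Python script reads IAM policy documents offline and flags Allow statements that grant every action outright, or that grant a privileged action such as `ec2:TerminateInstances` without an `aws:MultiFactorAuthPresent` condition. The set of privileged actions beyond terminating instances, and the sample policies, are assumptions constructed for the demonstration.

```python
"""Offline check of IAM policy documents against two of the practices above:
least privilege (no blanket "*" actions) and MFA required for privileged actions."""
import fnmatch
import json

# Terminating instances is the privileged action the book names; the IAM ones are assumptions.
PRIVILEGED_ACTIONS = {"ec2:TerminateInstances", "iam:CreateAccessKey", "iam:AttachUserPolicy"}


def _as_list(value):
    """IAM allows a string or a list in Action/Condition values; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _requires_mfa(statement):
    """True when the statement is conditioned on aws:MultiFactorAuthPresent being true."""
    flag = statement.get("Condition", {}).get("Bool", {}).get("aws:MultiFactorAuthPresent")
    return flag is not None and str(_as_list(flag)[0]).lower() == "true"


def audit_policy(policy, privileged=PRIVILEGED_ACTIONS):
    """Return (statement index, message) findings for Allow statements that grant
    every action outright or grant a privileged action without an MFA condition."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        patterns = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if "*" in patterns:
            findings.append((i, "grants every action; violates least privilege"))
        # IAM action names are matched case-insensitively and may contain wildcards.
        risky = sorted(a for a in privileged
                       if any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns))
        if risky and not _requires_mfa(stmt):
            findings.append((i, "grants " + ", ".join(risky) + " without requiring MFA"))
    return findings


# Constructed sample policies for the demonstration (not taken from the book).
READ_ONLY_S3 = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*"}]}
OPS_WITHOUT_MFA = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}
OPS_WITH_MFA = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:TerminateInstances", "ec2:StopInstances"],
     "Resource": "*", "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]}

if __name__ == "__main__":
    for name, doc in (("read-only-s3", READ_ONLY_S3), ("ops-no-mfa", OPS_WITHOUT_MFA),
                      ("ops-mfa", OPS_WITH_MFA)):
        print(name, json.dumps(audit_policy(doc)))
```

Run it against policy documents exported from your own accounts to find statements that need an MFA condition or a narrower action list before they are attached to a group.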

There are a few other security-related best practices that are commonly implemented using IAM. For example, you can configure the rules to support your company's password policy. It is advisable to configure a strong password policy for use on the cloud. Other best practices relate to using the AWS Security Token Service to provide just-in-time access for a specific duration to complete a task.

For more details on AWS Security Token Service, refer to: http://docs.aws.amazon.com/STS/latest/UsingSTS/STSPermission.html.