Reviewing and auditing security configuration

It is important to regularly review and audit your security controls and implementation using a combination of internal and external audits. These reviews are done primarily to ensure that your implementation matches your overall security design and objectives. In addition, they can confirm that your implementation limits the damage if there is a security flaw in your architecture. Overall, these exercises are very useful because they help you remain safe and satisfy your customers’ security requirements on an ongoing basis.

Typically, these detailed reviews cover your network configuration, including all your subnets, gateways, ACLs, and security groups. Adherence to IAM best practices, AWS service usage, logging policies, and CloudWatch thresholds, alarms, and responses are also reviewed in depth.

Your architecture and infrastructure usage will evolve over time. For example, with deployments in new AZs and regions, new roles may be defined, permissions may be created and/or granted, new AWS accounts may be created, and so on. Verifying changes to your architecture and infrastructure ensures that you continue to meet your security goals.
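
One way to verify such changes between reviews is to compare a saved baseline of your security configuration with the current state. The following is an added example, not code from the book: the snapshot layout is an assumption ("SecurityGroups" follows the shape of the EC2 describe-security-groups output, "Roles" is a simplified map of role name to attached policy names), and all group, role, and policy names are constructed sample values.

```python
# Added example: flag security-relevant changes between two configuration snapshots.
# Assumed snapshot layout: "SecurityGroups" mirrors EC2 describe-security-groups output;
# "Roles" is a simplified {role name: [attached policy names]} map.

def open_ingress(snapshot):
    """Return the set of ingress rules that allow traffic from any address."""
    found = set()
    for sg in snapshot.get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):
            cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
            cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
            if "0.0.0.0/0" in cidrs or "::/0" in cidrs:
                found.add((sg["GroupId"], perm.get("IpProtocol"),
                           perm.get("FromPort"), perm.get("ToPort")))
    return found

def review_changes(baseline, current):
    """List changes a reviewer should confirm against the security design."""
    findings = []
    for rule in sorted(open_ingress(current) - open_ingress(baseline), key=str):
        findings.append(("new-world-open-ingress", rule))
    old_roles, new_roles = baseline.get("Roles", {}), current.get("Roles", {})
    for name in sorted(new_roles):
        if name not in old_roles:
            findings.append(("new-role", name))
        for policy in sorted(set(new_roles[name]) - set(old_roles.get(name, []))):
            findings.append(("policy-granted", (name, policy)))
    return findings

# Constructed sample snapshots (hypothetical names, not real resources).
HTTPS = {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}
SSH = {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
       "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}
BASELINE = {
    "SecurityGroups": [{"GroupId": "sg-web", "IpPermissions": [HTTPS]}],
    "Roles": {"app-role": ["ReadAppBucket"]},
}
CURRENT = {
    "SecurityGroups": [{"GroupId": "sg-web", "IpPermissions": [HTTPS, SSH]}],
    "Roles": {"app-role": ["ReadAppBucket", "WriteAppBucket"],
              "batch-role": ["ReadAppBucket"]},
}

if __name__ == "__main__":
    for kind, detail in review_changes(BASELINE, CURRENT):
        print(kind, detail)
```

Rules that were already open in the baseline, such as HTTPS on sg-web here, are not reported again, so the output contains only what changed since the last review.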

In the following sections, we will describe the features and walk you through the process of setting up security for our sample application. This will include using IAM roles and the Key Management Service, configuring SSL, and implementing security for data at rest in Amazon S3 and RDS.
