Cloud 2026-04-13 5 min

AWS security baseline checklist for new accounts

A new AWS account is wide open by default. Twenty controls applied in the first week prevent 90 percent of cloud incidents — here is the list.

A fresh AWS account ships with public access defaults that have caused thousands of public S3 leaks. Securing it is procedural, not creative — apply a documented baseline before workloads land. The CIS AWS Foundations Benchmark v3.0 and AWS Foundational Security Best Practices in Security Hub provide the canonical control list. Aim to land all baseline controls within the first week of account provisioning.

Identity and access first. Enable AWS Organizations with all features and Service Control Policies. Disable root user access keys; if any exist, delete them. Enforce MFA on the root user with a hardware key. Use AWS IAM Identity Center (formerly SSO) federated to your corporate IdP rather than IAM users. Apply the AWS-managed permission sets initially, then refine with permissions boundary policies. Enable CloudTrail for all regions, including data events for S3 and Lambda where data sensitivity warrants, with logs sent to a central log archive account in a different region.

Networking and storage second. Block public access at the account level for S3 — Block Public Access has been on by default since 2023 but verify per bucket. Enable EBS encryption by default per region. Enable GuardDuty in all regions; the protection plans for S3 and EKS are inexpensive and high-value. Turn on Security Hub with the CIS and AWS FSBP standards subscribed. Configure AWS Config with conformance packs aligned to your compliance program. Enable VPC Flow Logs for production VPCs at minimum.

Workload security third. Patch via Systems Manager Patch Manager on a schedule. Encrypt RDS and Aurora storage with KMS Customer Managed Keys for sensitive data. Enable point-in-time recovery for all production DynamoDB tables. Use ECR Image Scanning enhanced with Inspector for container CVE detection. Tag every resource with owner, environment, data classification, and cost center; consistent tagging drives both incident response and cost governance. Document the baseline as Infrastructure-as-Code (Terraform with the AWS Foundation modules, AWS CDK, or CloudFormation) and apply it via an account vending machine to every new account.
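The identity, logging and storage controls above are easy to verify mechanically. The following is an added example, not part of the original post or any AWS tooling: an offline evaluator that checks a snapshot of account state against the root-key, root-MFA, CloudTrail, S3 Block Public Access and EBS-encryption items. The snapshot is constructed sample data shaped like the corresponding API responses (iam get-account-summary, cloudtrail describe-trails, s3control get-public-access-block, ec2 get-ebs-encryption-by-default); the control ids are this example's own labels.

```python
# Added example: offline baseline evaluator. SNAPSHOT is constructed data shaped
# like the AWS API responses; in practice fill it from boto3 calls per region.

REQUIRED_BPA = ("BlockPublicAcls", "IgnorePublicAcls",
                "BlockPublicPolicy", "RestrictPublicBuckets")

# Constructed sample: a fresh account with two deliberate gaps (root access key
# still present, EBS default encryption off in one region).
SNAPSHOT = {
    "account_summary": {"AccountAccessKeysPresent": 1, "AccountMFAEnabled": 1},
    "trails": [{"Name": "org-trail", "IsMultiRegionTrail": True,
                "LogFileValidationEnabled": True,
                "S3BucketName": "central-log-archive"}],
    "s3_public_access_block": {k: True for k in REQUIRED_BPA},
    "ebs_default_encryption": {"us-east-1": True, "eu-west-1": False},
}


def evaluate_baseline(snap):
    """Return a list of (control_id, detail) tuples for every failed control."""
    findings = []
    summary = snap["account_summary"]
    # CIS 1.4: no root access keys; CIS 1.5: MFA enabled on the root user.
    if summary.get("AccountAccessKeysPresent", 0) != 0:
        findings.append(("root-access-keys", "root user has access keys; delete them"))
    if summary.get("AccountMFAEnabled", 0) != 1:
        findings.append(("root-mfa", "root user has no MFA device"))
    # CIS 3.1/3.2: a multi-region trail exists and every trail validates its log files.
    trails = snap.get("trails", [])
    if not any(t.get("IsMultiRegionTrail") for t in trails):
        findings.append(("cloudtrail-multiregion", "no multi-region CloudTrail trail"))
    for t in trails:
        if not t.get("LogFileValidationEnabled"):
            findings.append(("cloudtrail-validation",
                             f"trail {t['Name']} lacks log file validation"))
    # Account-level S3 Block Public Access: all four settings must be on.
    bpa = snap.get("s3_public_access_block", {})
    missing = [k for k in REQUIRED_BPA if not bpa.get(k)]
    if missing:
        findings.append(("s3-block-public-access", "settings off: " + ", ".join(missing)))
    # EBS encryption by default is a per-region setting, so every region is checked.
    for region, enabled in snap.get("ebs_default_encryption", {}).items():
        if not enabled:
            findings.append(("ebs-default-encryption", f"disabled in {region}"))
    return findings


if __name__ == "__main__":
    for control, detail in evaluate_baseline(SNAPSHOT):
        print(f"FAIL {control}: {detail}")
```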

#aws #cloud-security #baseline
Information security, Baku.
© 2026 gpolicy. All rights reserved.