When I started using AWS, I did it like everybody else who is new to a particular technology: playing around and trying things out, but with a focus on the services I planned to use. In that case, all I wanted was to run a virtual machine in the cloud.

As for security, I had some vague idea of what to avoid, such as allowing SSH login with a password or allowing all incoming traffic to the instance with the firewall. But those were just the general best practices, nothing specific to AWS. One notable exception is that I started using a dedicated admin account instead of the root user as it was prominently featured on the IAM page.

Much later, when I was preparing for my AWS Security certificate exam, I stumbled on a question on how to get notified on root account login. I had no idea that was possible. It turned out there was no checkbox on the IAM page, but by going to CloudWatch Events, I could add an event rule that notifies an SNS topic, which in turn sends me an email. Simple, right?

But this immediately piqued my curiosity: if this is possible, maybe there are other things similarly hidden under some seemingly unrelated service that provide something useful with regard to account security.

I then started deliberately looking for configs and best practices that are useful for anybody using AWS. This short guide is a collection of 5 things that I believe will help you avoid the rookie mistakes I made when I was starting out and significantly enhance your security posture.

This guide focuses on what to do and covers only the necessary amount of theory.

And it’s not just the PDF itself. I’ve been writing about AWS and security for quite some time, which means there are a lot of articles on this blog. You’ll learn about different aspects of AWS from a few follow-up emails.


The ebook comes as 2 PDFs: there is a normal version and one that is optimized for the small screen. You can read on your laptop or on your phone without compromising on structure.


It’s free.


Sign up and get the ebook. No spam, unsubscribe at any time.