Do I still need VPNs if I use AWS Verified Access?

Often not for private web apps. Verified Access evaluates identity and device posture per request and enforces per-application policies. Retain VPNs for non-HTTP or legacy protocols.

What’s new in AWS Security Hub for 2025?

Security Hub continues to add controls and improve central configuration. Enable the AWS Foundational Security Best Practices and CIS 3.0 standards across the organization and review new controls regularly.

For EKS authentication, should I use IRSA or EKS Pod Identity?

IRSA remains the standard for fine-grained permissions. EKS Pod Identity simplifies credential delivery. Use either to avoid node credentials and to scope least privilege per workload.

AWS Security Best Practices (2025)

Q: Is S3 secure by default now that encryption is automatic?

Default encryption reduces risk, but exposure typically comes from access misconfiguration. Keep Block Public Access enabled, restrict access with bucket and VPC endpoint policies, and continuously scan data with Amazon Macie.

Q: What’s the fastest path to organization-wide logging on AWS?

Create a multi-Region CloudTrail organization trail and use CloudTrail Lake for querying. Centralize telemetry with Amazon Security Lake using the OCSF schema to power analytics and SIEM.

Q: How do I prevent accidental public sharing of images and backups?

Enable Block Public Access for AMIs and EBS snapshots in every Region and monitor posture with AWS Security Hub.

I’ve spent the last decade hardening AWS at scale—regulated industries, multi-account enterprises, and scrappy startups. This 2025 guide distills what actually reduces risk in AWS right now, mapped to today’s services and defaults, with concrete moves you can ship this quarter.

AWS Security Best Practices 2025 illustrated as a multi-layered, impregnable fortress protected by KMS encryption, VPC isolation, WAF, GuardDuty, and CloudTrail logging.

TL;DR (Exec cut):

1)Force strong identity (root MFA, workforce SSO, passkeys)
2) kill public exposure by default (BPA across S3/EBS/AMIs/VPC)
3) encrypt everything (KMS and key hygiene)
4) log and normalize (CloudTrail org trails + Security Lake/OCSF)
5) detect & respond (GuardDuty, Inspector, Security Hub)
6) segment networks (PrivateLink, Lattice, Network Firewall)
7) automate guardrails (Organizations, SCPs, Control Tower)
8) harden EKS/Lambda/ECR supply chain.

What changed since last year (2025 highlights)

S3: server-side encryption is on by default—you still need policy guardrails, but “forgot to encrypt” is mostly gone in 2025. AWS Documentation
AWS root-account MFA is required; the requirement rolled out organization-wide, so treat non-compliant accounts as break-glass until fixed. Amazon Web Services, Inc.+1
Zero-trust access matured: AWS Verified Access (device posture + IdP + per-app policy) and VPC Lattice (service-to-service auth with IAM/OIDC) are now mainstream options. AWS Static+2AWS Documentation+2
Security Lake updates improved org/Region roll-ups and OCSF normalization—use it to unify detections across accounts and tools. AWS Documentation+1
GuardDuty & Inspector: EKS runtime/Lambda code scans and ECR enhanced scanning raised the bar for runtime/vuln coverage. AWS Documentation+2Amazon Web Services, Inc.+2
Block Public Access expanded beyond S3 (EBS snapshots, AMIs) and VPC Block Public Access gives you an account-level off-switch for public paths. Amazon Web Services, Inc.+2Amazon Web Services, Inc.+2
Passkeys/WebAuthn now available in IAM Identity Center—use them to drop OTP fatigue and improve phishing resistance. Amazon Web Services, Inc.

The AWS Security Stack (2025 edition)

1) Identity: Zero-trust by default

Must-dos:

MFA everywhere; root MFA enforced. Audit org accounts, break-glass vault, and hardware-key for administrators. Amazon Web Services, Inc.+1
Workforce access via IAM Identity Center (SAML/OIDC), use passkeys for phishing-resistant MFA, and short-lived role sessions. Amazon Web Services, Inc.
Least privilege with policy validation (IAM Access Analyzer—policy checks and generation) and scoped permission boundaries. AWS Documentation
App-level authz: adopt Amazon Verified Permissions (Cedar) for fine-grained ABAC/RBAC in custom apps. AWS Documentation+1

Org-level guardrails: use AWS Organizations + SCPs to block ghost permissions and risky APIs (e.g., iam:*AccessKey*, disabling CloudTrail). Control Tower to standardize baselines/guardrails at scale. aws.permissions.cloud+1

2) Data protection: Encrypt by default, prove it continuously

S3: Default SSE-S3 helps, but enforce Block Public Access at account + bucket level, bucket policies tied to VPC endpoints (aws:SourceVpce), and Macie for continuous sensitive-data discovery. AWS Documentation+2AWS Documentation+2
KMS: Use customer-managed keys for regulated data; consider multi-Region keys and External Key Store (XKS) where HSM/sovereignty is required. eCloudvalley Digital Technology+1
Databases: Turn on at-rest + in-transit encryption for RDS/Aurora; rotate RDS CA certs on schedule. AWS Documentation+2AWS Documentation+2
TLS: Enforce TLS 1.2+ to meet AWS endpoint deprecations. AWS Documentation+1

3) Network: Private paths first, internet last

Prefer PrivateLink (VPC endpoints) to reach AWS services and SaaS; restrict with endpoint policies + resource policies. AWS Documentation+1
For service-to-service inside/between VPCs, evaluate VPC Lattice with IAM/OIDC auth and L7 policies. AWS Documentation+1
Enable VPC Block Public Access to centrally stop public routability; default subnets private, egress via NAT. AWS Documentation+1
Edge/app protections: AWS WAF (+ Bot Control, Fraud Control ATP/ACFP) and AWS Network Firewall with managed rule groups/prefix lists. AWS Documentation+3AWS Documentation+3AWS Documentation+3

4) Logging, detection & response: Evidence before alerts

CloudTrail: create organization, multi-Region trails + CloudTrail Lake for queries and long-term analysis. AWS Documentation+2AWS Documentation+2
Security Lake + OCSF: centralize logs (CloudTrail, VPC Flow, Route 53, WAF, EKS audit, third-party) into an OCSF lake for your SIEM/analytics. Recent 2025 updates improve org/Region rollups and SLR. Amazon Web Services, Inc.+2AWS Documentation+2
GuardDuty: enable all protection plans (EKS runtime, RDS, Lambda where applicable) across the org. AWS Documentation
Security Hub: turn on FSBP and relevant frameworks (CIS 3.0), use central configuration and watch 2025 control additions. AWS Documentation+2AWS Documentation+2
Detective: accelerated IAM role investigations even without CloudTrail role session data—handy for incident triage. AWS Documentation

5) Compute & container security: From build to runtime

EC2 & images

Enforce Block Public Access for AMIs and EBS snapshots account-wide. Amazon Web Services, Inc.+1
Nitro System isolation + Nitro Enclaves for sensitive workloads. Amazon Web Services, Inc.+1

Containers & EKS

Use ECR enhanced scanning (Inspector) at the registry; produce SBOMs (Inspector SBOM generator). AWS Documentation+2AWS Documentation+2
On EKS: prefer IAM Roles for Service Accounts (IRSA), consider EKS Pod Identity for easier/safer credential delivery; lock down network with SGs for pods and L7 policies. Repost
Enable GuardDuty EKS Runtime Monitoring and feed to Security Hub. AWS Documentation

Serverless

Turn on Inspector Lambda code scanning (finds data leaks, weak crypto, injection) and runtime dependency scanning. Amazon Web Services, Inc.+1

6) Access to private apps & internal APIs

AWS Verified Access for VPN-less, per-app access policies—combine identity (IdP) and device posture (Jamf/CrowdStrike) signals. Great step toward zero trust on AWS SaaS and internal apps. AWS Static+1
For microservice connectivity, VPC Lattice brings auth + traffic policy and observability across VPCs/accounts. AWS Documentation

30-Day Hardening Plan (checklist)

Week 1 – Identity & guardrails

Root MFA verified across all accounts (audit & fix). AWS Builder Center
Migrate admins to IAM Identity Center; enforce passkeys for privileged roles. Amazon Web Services, Inc.
Roll out baseline SCPs (block disabling CloudTrail/Config, restrict key IAM mutations). aws.permissions.cloud

Week 2 – Data & network exposure

Confirm S3 Block Public Access (account + bucket) and apply VPC endpoint policies + bucket policies with aws:SourceVpce. AWS Documentation+2AWS Documentation+2
Enable BPA for AMIs and EBS snapshots in every Region. Amazon Web Services, Inc.+1
Enforce TLS 1.2+ on edge endpoints/load balancers. AWS Documentation

Week 3 – Logging & detection

Organization trail (multi-Region) + CloudTrail Lake store and queries. AWS Documentation+1
Turn on Security Hub (FSBP, CIS 3.0), central config; integrate GuardDuty org-wide. AWS Documentation+1
Enable Security Lake (OCSF) with rollup Region. Amazon Web Services, Inc.

Week 4 – Workload hardening

ECR enhanced scanning + SBOMs; gate deploys on critical findings. AWS Documentation+1
EKS: adopt IRSA/Pod Identity, enable GuardDuty EKS runtime. Repost+1
Lambda: Inspector code scans; fix high/critical. Amazon Web Services, Inc.

Reference Implementations (snippets)

S3 bucket policy restricting access to a specific VPC endpoint

{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AllowOnlyFromVpce",
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:*",
    "Resource": [
      "arn:aws:s3:::my-bucket",
      "arn:aws:s3:::my-bucket/*"
    ],
    "Condition": { "StringNotEquals": { "aws:SourceVpce": "vpce-0123456789abcdef0" } }
  }]
}

(Combine with an endpoint policy on the gateway/interface endpoint for defense-in-depth.) AWS Documentation+1

Organization baseline (high-value SCP ideas)

Deny stopping/disabling CloudTrail/Config.
Deny iam:CreateAccessKey for root, enforce session MFA context on admin roles. aws.permissions.cloud

Service-by-Service Best Practices (2025 quick hits)

S3: BPA on, bucket policies tied to VPCe, Macie automated discovery, object ownership “Bucket owner enforced.” AWS Documentation+2AWS Documentation+2
KMS: customer-managed keys for regulated data; XKS/MR-keys where required. AWS Documentation+1
RDS/Aurora: at-rest + in-transit encryption, timely CA rotation. AWS Documentation+2AWS Documentation+2
CloudTrail: org trail + Lake; retain 1–7 years depending on regs. AWS Documentation+1
Security Lake: enable across accounts/Regions; use OCSF and rollup Regions. Amazon Web Services, Inc.+1
GuardDuty/Security Hub/Detective: all enabled; central configuration, actioned findings. AWS Documentation+1
ECR/EKS: enhanced scanning + SBOMs; IRSA/Pod Identity; runtime detection. AWS Documentation+3AWS Documentation+3AWS Documentation+3
Lambda: Inspector code scans, restrict outbound with VPC + egress controls. Amazon Web Services, Inc.
Edge: WAF managed rules, Bot Control, Fraud Control ATP/ACFP. AWS Documentation+2AWS Documentation+2
Access: Verified Access for private apps; Lattice for internal service auth. AWS Static+1

FAQ

Q1: Is S3 “secure by default” now that encryption is automatic?
Encryption helps, but exposure usually happens via misconfigured access. Keep Block Public Access on, use bucket/VPCe policies, and scan data with Macie. AWS Documentation+2AWS Documentation+2

Q2: Do I still need VPNs if I use Verified Access?
Often no. Verified Access evaluates identity + device posture on every request and enforces per-app policies—great ZTNA replacement for private web apps. Keep VPNs for non-HTTP or legacy flows. AWS Static

Q3: What’s the fastest path to organization-wide logging?
Create a CloudTrail organization trail (multi-Region) and add CloudTrail Lake for querying. Send findings into Security Lake (OCSF) to power analytics/SIEM. AWS Documentation+2AWS Documentation+2

Q4: How do I prevent accidental public sharing of images and backups?
Enable AMI Block Public Access and EBS Snapshot BPA in every Region; monitor with Security Hub. Amazon Web Services, Inc.+1

Q5: What’s new in Security Hub for 2025?
More controls, better central configuration, and active enhancements throughout 2025—enable FSBP and CIS 3.0 across the org and review the doc history for new checks. AWS Documentation+1

Q6: EKS auth: IRSA or Pod Identity?
IRSA remains the standard; EKS Pod Identity simplifies credential delivery and can reduce footguns. Use either to avoid node IAM creds and to scope least privilege per workload. Repost

Final word

Security isn’t about toggling a feature; it’s about removing entire classes of failure. In 2025 that means: identity that can’t be phished, defaults that block public paths, encryption you can prove, logs you can query, and automated guardrails that scale with your org.

If you want, I can turn this into a Control Tower + Terraform baseline with SCPs, org policies, and service-enablement you can deploy in under a day.

No post found!

AWS Security Best Practices: The 2025 Guide