
What are the best practices for securing AWS tech stacks?

An AWS tech stack can aid business growth and facilitate efficient operations, but misconfigurations have become all too common and stall this progress

Amazon Web Services (AWS) has become the lifeblood of millions of modern businesses, both big and small. But while this popular cloud platform enables them to manage and scale their operations with impressive speed, simplicity and affordability, it also represents a significant security and privacy risk if mismanaged by users.

An insecure or improperly configured AWS tech stack provides a gateway for cyber criminals to enter corporate systems and sensitive files. The biggest example of this occurred in 2019, when an ex-Amazon employee stole the data of 100 million Capital One customers simply by exploiting a misconfigured web application firewall in the financial service giant’s AWS tech stack. 

The incident ended with a high-profile lawsuit in which the financial services giant had to pay a $190m (£140m) settlement to affected customers. Other big businesses impacted by similar incidents include Accenture, Facebook, LinkedIn, Pegasus Airlines, Uber and Twilio. So, what can organisations do to secure their AWS tech stacks?

One of the biggest risks of an insecure AWS tech stack is data theft and exfiltration by cyber criminals, according to Rik Turner, chief cyber security analyst at Omdia. He explains this can happen when S3 buckets, which contain large volumes of files and sensitive metadata, aren’t set up properly. 

As a result, S3 bucket access rights can be granted to employees who don’t require them for their roles, leading to insider threats. Or, worse, these crucial storage objects can end up on the public internet for anyone to access and abuse.

Sensitive corporate and customer data exposed in this way can lead to businesses experiencing “enormous financial losses”, says Sylvester Kaczmarek, a professor at online higher education provider the Open Institute of Technology. Their finances take a hit through regulatory fines, customer lawsuits and expensive recovery efforts that can last for months. Reputational damage is often substantial, too.

Additionally, weak or reused user credentials, the absence of cyber security logging and monitoring capabilities, and weaknesses in cyber defences like firewalls leave AWS tech stacks dangerously exposed to data breaches, he adds. 


Data breaches can also stem from poorly secured Relational Database Service databases, Elastic Compute Cloud (EC2) instances and application programming interfaces, explains Bob McCarter, chief technology officer of risk and compliance software provider Navex. Erroneous identity and access management policies, a lack of multi-factor authentication, unpatched software and open ports are common security issues affecting these AWS services.

Besides costly data breaches, the day-to-day operations of modern businesses can grind to a halt in the aftermath of an EC2 instance compromise. The latter results in “impaired performance”, and even “a complete malfunctioning” of critical applications and workloads, explains Turner.

These issues are largely the product of mistakes made by AWS users and not cyber attacks targeted at Amazon, according to Neil MacDonald, vice-president and distinguished analyst at Gartner. But he emphasises that mistakes can easily happen due to the “sheer size, complexity and rate of change of AWS deployments”, adding that they are “impossible” to monitor without using appropriate security tools from AWS or other technology companies.

It is, therefore, the responsibility of AWS users to take steps to protect the data they upload to AWS cloud resources. This is enshrined in the cloud security shared responsibility model, with the responsibility of cloud companies like AWS being to secure the infrastructure they sell to customers.

Best practices to secure AWS tech stacks 

When it comes to securing AWS tech stacks, many effective best practices are laid out in the AWS Well-Architected framework. McCarter explains that it offers a comprehensive guide for access management, infrastructure management, data privacy, application security, and cyber threat monitoring and detection.

Crystal Morin, cyber security strategist at cloud security company Sysdig, is another vocal supporter of this framework. She says it’s great for handling the prevention, protection, detection and response sides of cyber security. “This model helps you think through how to prevent problems in the first place, ensure your workloads have security in place, and then have the right tools in place to detect and respond to cloud security threats if and when they do take place,” says Morin.

As well as adhering to AWS’s own security best practices, MacDonald points out that the Center for Internet Security also offers advice for creating and maintaining a secure AWS tech stack. He adds that many modern cyber security tools are aligned with the latest AWS best practices, whether provided by Amazon or an outside organisation. 

Given that lots of AWS-related security incidents are caused by inadequate access controls, Jake Moore – global cyber security advisor at antivirus maker ESET – urges organisations to implement the principle of least privilege to ensure access rights are limited to those who require them for their roles. This should be enforced as part of a wider identity and access management strategy. 

Of course, staff hiring, attrition and promotion can make it difficult to manage AWS access controls. Still, Moore says businesses can use cyber security monitoring tools to track these changes and ensure access controls are amended accordingly, minimising security incidents. In addition to investing in these tools, he urges organisations with AWS stacks to regularly audit their cyber security posture to ensure security gaps are identified and closed swiftly. Automated analysis tools can help with this. 

To ensure cyber criminals can’t steal sensitive data stored on and travelling between AWS servers, OPIT’s Kaczmarek says organisations must encrypt data when it’s at rest and in transit. Utilising the AWS Key Management Service (KMS) will help protect data at rest. Meanwhile, tight network security configurations are the key to securing transit data and wider network traffic. These should apply for virtual private clouds, Security Groups and Network Access Control Lists, according to Kaczmarek.

Organisations operating AWS tech stacks can log all network traffic using AWS CloudTrail and monitor it using AWS CloudWatch, says Kaczmarek. He adds that these efforts can be complemented by using multi-factor authentication, implementing security patches when they’re issued and replacing manual processes with infrastructure as code. The last of these is paramount for “consistency and auditing”, he claims.
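To make the logging and monitoring step concrete, here is an added example (not from the article, from AWS or from any vendor named above) of detection logic run over a handful of constructed CloudTrail records. The field names follow the CloudTrail record format (eventName, eventSource, userIdentity, additionalEventData.MFAUsed and so on), but the events, user names, IP addresses, trail ARN and the account number 123456789012 are all invented. The rules flag a console login without MFA, use of the root account, any attempt to stop or alter the trail itself, and a bucket's public access block being switched off; in production the same conditions would be expressed as CloudWatch Logs metric filters with alarms, or as SIEM rules fed from the trail's S3 bucket.

```python
"""Detection rules over CloudTrail-shaped events. Added example; the records
below are constructed with CloudTrail field names but are not real log data.
A production version would read events from CloudWatch Logs or the trail's
S3 bucket instead of the inline list."""

# Constructed sample CloudTrail records for a hypothetical account 123456789012.
SAMPLE_EVENTS = [
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"},
     "sourceIPAddress": "203.0.113.10"},
    {"eventName": "PutBucketPublicAccessBlock", "eventSource": "s3.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"bucketName": "example-reports",
                           "PublicAccessBlockConfiguration": {
                               "BlockPublicAcls": False, "BlockPublicPolicy": False,
                               "IgnorePublicAcls": False, "RestrictPublicBuckets": False}},
     "sourceIPAddress": "203.0.113.11"},
    {"eventName": "StopLogging", "eventSource": "cloudtrail.amazonaws.com",
     "userIdentity": {"type": "Root"},
     "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:123456789012:trail/main"},
     "sourceIPAddress": "198.51.100.5"},
    {"eventName": "GetObject", "eventSource": "s3.amazonaws.com",   # benign
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/app/i-0abc"},
     "requestParameters": {"bucketName": "example-reports", "key": "q1.csv"},
     "sourceIPAddress": "10.0.1.4"},
]


def rule_console_login_without_mfa(ev):
    """Successful console sign-in where CloudTrail recorded MFAUsed=No."""
    if ev.get("eventName") != "ConsoleLogin":
        return None
    if ev.get("additionalEventData", {}).get("MFAUsed") == "No" \
            and ev.get("responseElements", {}).get("ConsoleLogin") == "Success":
        return ("HIGH", f"console login without MFA by {ev['userIdentity'].get('userName')}")
    return None


def rule_root_activity(ev):
    """Any API call made as the account root user (should be exceptional)."""
    if ev.get("userIdentity", {}).get("type") == "Root":
        return ("HIGH", f"root account used for {ev.get('eventName')}")
    return None


def rule_logging_disabled(ev):
    """Tampering with the audit trail itself."""
    if ev.get("eventSource") == "cloudtrail.amazonaws.com" \
            and ev.get("eventName") in {"StopLogging", "DeleteTrail", "UpdateTrail"}:
        trail = ev.get("requestParameters", {}).get("name")
        return ("CRITICAL", f"{ev['eventName']} on {trail}")
    return None


def rule_public_access_block_weakened(ev):
    """A bucket's public access block being turned off, fully or in part."""
    if ev.get("eventName") != "PutBucketPublicAccessBlock":
        return None
    params = ev.get("requestParameters", {})
    cfg = params.get("PublicAccessBlockConfiguration", {})
    disabled = [k for k, v in cfg.items() if v is False]
    if disabled:
        return ("HIGH", f"public access block weakened on {params.get('bucketName')}: {disabled}")
    return None


RULES = [rule_console_login_without_mfa, rule_root_activity,
         rule_logging_disabled, rule_public_access_block_weakened]


def detect(events):
    """Apply every rule to every event; one event may raise several alerts."""
    alerts = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                alerts.append({"severity": hit[0], "rule": rule.__name__,
                               "detail": hit[1], "source_ip": ev.get("sourceIPAddress")})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["severity"], alert["rule"], alert["detail"], alert["source_ip"])
```

The StopLogging record matches two rules at once (root use and trail tampering), which is deliberate: severities are per rule, and a downstream alert pipeline can correlate them by source IP and time rather than losing one signal to the other.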

Proactive security is vital

Many organisations don’t solely use AWS tech stacks, though. Their AWS deployments often form part of a wider, multi-faceted cloud environment comprising systems and tools from different tech companies. 

And when one is breached, a domino effect may soon follow. With this in mind, Morin says organisations should create an inventory of every cloud asset to identify which are secure by default and which need extra cyber protections. 

Because new cloud security threats are constantly emerging, Morin is a strong advocate of a proactive cyber security approach. To do this, organisations can invest in vulnerability management services that will identify any security anomalies affecting their AWS and wider tech stacks. 

Admitting that such products can potentially result in an avalanche of security vulnerabilities to comprehend, she says another option is to invest in a runtime security service. “Runtime security allows you to concentrate on the most pressing issues that are running in production,” she says.

AWS does, however, provide an extensive suite of security tools to help its users shield their cloud environments from cyber incidents. Amazon Inspector covers configuration detection and vulnerability management. Amazon GuardDuty offers security monitoring. AWS CloudTrail is an audit logging service. AWS IAM Access Analyzer is used for managing identities and permissions. AWS Security Hub provides cloud security posture management. Amazon Macie uses machine learning to monitor sensitive data.

Challenges to overcome

Although AWS has plenty of tools and resources to simplify cloud security, implementing an effective AWS security strategy isn’t always easy. For starters, many organisations operate multi-cloud IT environments. They may also have on-premise infrastructure. And, as MacDonald notes, AWS tech stacks don’t always play nicely with third-party IT systems. “While AWS helps them on AWS, its security and compliance offerings are not multi-cloud and aren’t designed to protect on-premise workloads,” he says.

Along with a lack of interoperability, AWS’s large number of products also have different security configurations. McCarter says it’s hard for cyber security teams to understand and manage all of them effectively. Therefore, he urges business leaders to invest in regular AWS training so that their IT and security teams can keep up with AWS’s fast-expanding service offerings. 

Voicing similar concerns, Kaczmarek says the complex nature of AWS services means organisations need to “foster a culture of continuous learning and security awareness”. Having the right cyber security expertise in-house is vital here, but Kaczmarek acknowledges that finding and retaining the right talent in such a competitive marketplace can be difficult. 

For Turner at Omdia, a notable challenge of securing an AWS tech stack is data egress costs that result from transferring AWS-hosted data to a third-party system for analysing potential cyber security risks. He adds that these costs can grow substantially for organisations that need to transfer large telemetry datasets to external systems, such as an on-premise security information and event management system. 

Meanwhile, ESET’s Moore argues that organisations planning to grow their AWS tech stacks are more susceptible to making security mistakes and misconfigurations. And while AWS is well known for issuing prompt software updates and security patches, he questions whether the cloud security giant can keep pace with emerging cyber security threats like AI-fuelled attacks. “It is vital that users are trained accordingly to spot anomalies,” says Moore.

AWS-powered tech stacks can be a powerful tool for businesses looking to maintain efficient operations and scale their business. But what’s clear is that they’re only truly effective if they are configured correctly, with proactive cyber security risk management – a shared responsibility between AWS and its customers. 

Otherwise, businesses are at greater risk of serious data breaches and cyber attacks that give rise to fines, expensive clean-up operations, a loss of customer trust and a complete breakdown in operations. It doesn’t have to be hard – simple best practices like limiting access privileges, creating cloud system inventories and training staff on cyber security issues are a good place to start. 
