AWS infrastructure security review process. Use when reviewing IAM policies and roles, auditing S3 bucket configurations, securing Lambda functions, reviewing CloudFormation/CDK/Terraform, or configuring VPC and security groups. Also use when IAM policies use wildcards, S3 buckets might be public, Lambda has broad permissions, security groups allow 0.0.0.0/0, or secrets appear in environment variables. Essential for KMS encryption, Secrets Manager, least privilege, and AWS security scanning with Prowler or Checkov.
AWS's shared responsibility model means security is YOUR job, not Amazon's. This skill guides systematic review of AWS infrastructure for security misconfigurations—the #1 cause of cloud breaches.
Core principle: Default deny everything. AWS resources should have no access unless explicitly granted, no network exposure unless required, and no permissions beyond the minimum needed.
IAM is the foundation. Start here:

1. Review Permission Scope
2. Check for Privilege Escalation Paths
3. Verify Least Privilege

Then verify network isolation:

1. Security Groups
2. VPC Design
3. Public Exposure

Finally, verify data security:

1. Encryption
2. Secrets Management
```json
// ❌ CRITICAL: Full admin
{
  "Effect": "Allow",
  "Action": "*",
  "Resource": "*"
}

// ❌ HIGH: IAM modification (privilege escalation)
{
  "Action": ["iam:*", "iam:CreateRole", "iam:AttachRolePolicy"]
}

// ❌ HIGH: No resource restriction
{
  "Action": "s3:*",
  "Resource": "*" // Should be a specific bucket ARN
}

// ❌ MEDIUM: No conditions
{
  "Action": "s3:GetObject"
  // Missing: Condition for IP, MFA, time bounds
}
```
```json
// ❌ CRITICAL: Public bucket
{
  "Effect": "Allow",
  "Principal": "*", // Anyone on the internet!
  "Action": "s3:GetObject"
}

// ❌ HIGH: Missing encryption
// (No ServerSideEncryptionConfiguration)

// ❌ HIGH: No public access block
// (PublicAccessBlockConfiguration missing or false)
```
```yaml
# ❌ CRITICAL: SSH from anywhere
SecurityGroupIngress:
  - IpProtocol: tcp
    FromPort: 22
    ToPort: 22
    CidrIp: 0.0.0.0/0
  # ❌ CRITICAL: All ports open
  - IpProtocol: -1
    CidrIp: 0.0.0.0/0

# ❌ HIGH: RDS publicly accessible
PubliclyAccessible: true
```
```yaml
# ❌ HIGH: Hardcoded secrets
Environment:
  Variables:
    API_KEY: "sk-live-actual-secret-key"

# ❌ HIGH: Broad permissions
Policies:
  - AmazonS3FullAccess  # Should be a specific bucket

# ❌ MEDIUM: No VPC (if accessing private resources)
# Missing VpcConfig
```
| Excuse | Reality |
|---|---|
| "It's only internal" | VPCs get compromised. Defense in depth. |
| "We'll lock it down later" | Later never comes. Secure from day one. |
| "The app needs those permissions" | No app needs *. Find exact permissions. |
| "Public bucket is intentional" | Use CloudFront + OAI. Never direct S3. |
| "SSH access is for debugging" | Use SSM Session Manager. No SSH needed. |
| "Secrets are encrypted in Lambda" | They're visible in console. Use Secrets Manager. |
Before approving AWS infrastructure:

IAM:
- `Action: "*"` or `Resource: "*"`

S3:

Network:

Compute:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowS3ReadWrite",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::my-specific-bucket/*",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalAccount": "123456789012"
        },
        "IpAddress": {
          "aws:SourceIp": ["10.0.0.0/8"]
        }
      }
    }
  ]
}
```
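An added example, not part of this skill or its references: a stand-alone Python checker that applies the IAM review rules above (full admin, the IAM privilege-escalation actions named earlier, unrestricted resources, missing conditions) to a policy document loaded as a dict, so it runs offline without boto3. The severity labels follow the anti-pattern list; the NotAction/NotResource rule is an added assumption.

```python
# Static review of an IAM policy document for the anti-patterns listed above.
# No AWS access needed: pass the dict you get from json.load() of a policy file.
from typing import Any

# Actions the review names as privilege-escalation paths (IAM action names
# are case-insensitive, so everything is compared lower-cased).
ESCALATION_ACTIONS = {"iam:*", "iam:createrole", "iam:attachrolepolicy"}


def _as_list(value: Any) -> list:
    """IAM accepts a scalar or a list for Statement/Action/Resource; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def review_iam_policy(policy: dict) -> list[tuple[str, str, str]]:
    """Return (severity, sid, message) findings for every Allow statement."""
    findings: list[tuple[str, str, str]] = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        sid = stmt.get("Sid", "<no Sid>")
        actions = [str(a).lower() for a in _as_list(stmt.get("Action"))]
        resources = [str(r) for r in _as_list(stmt.get("Resource"))]
        if "NotAction" in stmt or "NotResource" in stmt:
            # Assumption: inverted matching grants everything not listed, so
            # treat it as a wildcard rather than trying to enumerate it.
            findings.append(("HIGH", sid, "NotAction/NotResource grants everything not listed"))
        if "*" in actions and "*" in resources:
            findings.append(("CRITICAL", sid, "full admin: Action * on Resource *"))
            continue  # the remaining checks are redundant for full admin
        escalators = sorted(a for a in actions if a in ESCALATION_ACTIONS)
        if escalators:
            findings.append(("HIGH", sid,
                             "IAM modification (privilege escalation): " + ", ".join(escalators)))
        if "*" in resources:
            findings.append(("HIGH", sid, "no resource restriction: Resource *"))
        if not stmt.get("Condition"):
            findings.append(("MEDIUM", sid, "no Condition (IP, MFA, or time bounds)"))
    return findings


# Constructed sample: the full-admin anti-pattern from the review above.
ADMIN_POLICY = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

if __name__ == "__main__":
    for sev, sid, msg in review_iam_policy(ADMIN_POLICY):
        print(f"[{sev}] {sid}: {msg}")
```

Run it over every policy document in a CloudFormation or Terraform change set before the scanners below; an empty list means none of the listed anti-patterns is present, not that the policy is least privilege.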
```yaml
SecureBucket:
  Type: AWS::S3::Bucket
  Properties:
    BucketEncryption:
      ServerSideEncryptionConfiguration:
        - ServerSideEncryptionByDefault:
            SSEAlgorithm: aws:kms
            KMSMasterKeyID: !Ref KMSKey
    PublicAccessBlockConfiguration:
      BlockPublicAcls: true
      BlockPublicPolicy: true
      IgnorePublicAcls: true
      RestrictPublicBuckets: true
    VersioningConfiguration:
      Status: Enabled
    LoggingConfiguration:
      DestinationBucketName: !Ref LoggingBucket
```
```yaml
AppSecurityGroup:
  Type: AWS::EC2::SecurityGroup
  Properties:
    GroupDescription: Allow only from ALB
    VpcId: !Ref VPC
    SecurityGroupIngress:
      - IpProtocol: tcp
        FromPort: 443
        ToPort: 443
        SourceSecurityGroupId: !Ref ALBSecurityGroup
```
```bash
# AWS native tools
aws iam get-credential-report
aws s3api get-bucket-policy-status --bucket BUCKET
aws ec2 describe-security-groups --query 'SecurityGroups[?IpPermissions[?IpRanges[?CidrIp==`0.0.0.0/0`]]]'

# Third-party scanners
prowler aws            # Comprehensive AWS audit
checkov -f template.yaml  # IaC scanning
cfn-lint template.yaml    # CloudFormation linting
tfsec .                   # Terraform scanning
```
Detailed patterns and examples in references/:

- iam-patterns.md - Advanced IAM patterns and conditions
- network-security.md - VPC and security group patterns
- encryption.md - KMS and encryption patterns