Fortifying Your Cloud: Essential AWS Security Strategies from an Expert Cloud Strategist
In the ever-evolving landscape of cloud computing, maintaining robust data security in Amazon Web Services (AWS) is paramount. Cloud consultant and AWS-Certified DevOps Professional Carlos Rivas recently shared his insights on critical security measures during a comprehensive online summit put on by AWSInsider, offering practical tips and real-world strategies for a more secure and cost-optimized AWS environment.
For IT security pros navigating the complexities of cloud security, Rivas's presentation distilled essential practices into actionable advice, emphasizing that effective security isn't just about protection, but also about smart resource management.
Rivas, a seasoned consultant and AWS instructor, led the "Data Security in AWS: Tips, Tricks and Real-World Strategies" virtual summit; his session, "AWS Security Must-Dos," covered a wide range of topics from IAM roles to container security. While the presentation spanned more than 50 minutes, several strategic takeaways stood out for their immediate value and ease of implementation. Here are just three of many that you can apply right away.
Proactive Cost Management and Security Through Billing Alarms
One of the immediate "quick wins" Rivas emphasized in his session is setting up AWS billing alarms and forecasts. While seemingly a cost-optimization strategy, Rivas explained how this practice directly contributes to security by enabling early detection of unusual activity.
[Image: Billing Alarm Setup]
"If your AWS bill is usually hovering around $2,000-$3,000 a month, you want to set up an alarm that tells you, 'hey, you know you're approaching 80% of your monthly target,' so that you know something is going on." He illustrated this with an example of forgetting to turn off a resource, which can quickly escalate costs and signal potential unauthorized or misconfigured deployments. Rivas highlighted that AWS provides forecasts based on running services, allowing users to be alerted "ahead of time so that we can take any necessary corrective actions" if a forecast is projected to exceed a set target. This proactive monitoring helps avoid "bill shock" and ensures resource accountability, a subtle yet significant security layer.
Centralized Security with Multi-Factor Authentication and Service Control Policies
Rivas underscored the importance of foundational security practices within AWS Organizations, particularly focusing on Multi-Factor Authentication (MFA) for root users and the strategic use of Service Control Policies (SCPs).
[Image: Root User MFA]
He stressed that setting up MFA for the root user is one of the very first and most critical steps upon logging into AWS. A key practical tip Rivas shared was to take a picture of the MFA QR code for quick recovery in emergencies or to set up multiple devices, which AWS now supports. This simple step adds a crucial layer of defense against unauthorized access.
Beyond individual account security, Rivas advocated for blocking regions and specific services using SCPs at the AWS Organization level. This is vital not only for security but also for "compliance and legal requirements," ensuring sensitive data does not reside in unintended geographical locations. He demonstrated how SCPs can deny services in specific regions, preventing attackers from deploying concealed servers outside of your monitored areas. Furthermore, SCPs can limit users to services relevant to the business, helping to "keep costs in check" and avoid accidental deployment of expensive resources like certain AI services. Rivas emphasized that SCPs override full administrator access in member accounts, making them a powerful control mechanism.
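As an added illustration of the region-blocking SCP Rivas described (example code written for this article, not from his session), the block below builds a deny-outside-approved-regions policy document and includes a small evaluator that models how that single statement would apply to an API call. The region list, the exempted global-service actions and the `scp_denies` evaluator are constructed assumptions; the evaluator covers only the NotAction plus StringNotEquals grammar used here, not the full AWS policy engine.

```python
import fnmatch
import json

# Constructed example values (not from the summit): regions the business
# operates in, and global services whose API calls are not tied to one of
# those regions and so must be exempted or they would be blocked too.
ALLOWED_REGIONS = ["us-east-1", "eu-west-1"]
GLOBAL_SERVICE_ACTIONS = [
    "iam:*", "sts:*", "organizations:*", "support:*",
    "budgets:*", "cloudfront:*", "route53:*", "health:*",
]


def build_region_scp(allowed_regions, exempt_actions):
    """Return an SCP document that denies every action whose requested
    region is not in allowed_regions, except the exempted global actions."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyOutsideApprovedRegions",
            "Effect": "Deny",
            "NotAction": exempt_actions,
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {"aws:RequestedRegion": allowed_regions}
            },
        }],
    }


def _action_matches(pattern, action):
    # IAM action patterns allow '*' wildcards and are case-insensitive.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def scp_denies(policy, action, region):
    """Simplified evaluator: True if any Deny statement of the form built
    above applies to this (action, region) pair. Hypothetical helper."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if any(_action_matches(p, action) for p in stmt.get("NotAction", [])):
            continue  # exempted global-service action, statement skipped
        allowed = stmt["Condition"]["StringNotEquals"]["aws:RequestedRegion"]
        if region not in allowed:
            return True
    return False


if __name__ == "__main__":
    print(json.dumps(build_region_scp(ALLOWED_REGIONS, GLOBAL_SERVICE_ACTIONS), indent=2))
```

Attaching the printed document as an SCP to an organizational unit is what makes it bind; on its own the JSON is only a description of the intended control.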
Enhancing Visibility and Automation with AWS Security Hub
For organizations managing multiple AWS accounts, Rivas highlighted the indispensable role of AWS Security Hub as a centralized security management tool.
[Image: Enable Security Hub]
Security Hub "will collect and aggregate all the data from all your accounts," providing a unified view of security events and findings. Rivas praised its ability to enable compliance packs, which automatically check against best practices and help prioritize findings. This centralized approach eliminates the need to log into individual accounts to monitor security posture, significantly streamlining operations and ensuring consistent application of security standards across the entire organization. Taken together, these capabilities make Security Hub a cornerstone for maintaining a robust and compliant security posture in complex multi-account AWS environments.
And Much More
Those are all concise summaries, of course, and you need to watch the on-demand replay to get the individual items fleshed out in detail -- along with many other actionable tips -- but this gives you the overall idea of Rivas' presentation.
And, although replays are fine -- this was just today, after all, so timeliness isn't an issue -- there are benefits of attending such summits and webcasts from us and sister pubs like Virtualization & Cloud Review in person. Paramount among these is the ability to ask questions of the presenters, a rare chance to get one-on-one advice from bona fide subject matter experts (not to mention the chance to win free prizes -- in this case a $300 Best Buy Gift Card provided by sponsor Wiz, a leader in cloud security, which also presented at the summit).
With all that in mind, here are some summits and webcasts coming up through June from our parent company:
Future-Proofing Data Summit: Modern DR & Protection Tactics -- June 4
Zero Trust Strategies for the Hybrid Multicloud and AI Era -- June 6
Ransomware Resilience for Amazon S3 Summit: Tools, Tactics and Best Practices -- June 10
Cloud-First, Hybrid Ready: Powering Business with a Hybrid Multicloud Platform -- June 12
Midyear Cloud Security Check In -- June 18
SaaS Data Resilience 101 Summit -- June 24
How To Take Unstructured Data from Chaos to Clarity Summit -- June 27
About the Author
David Ramel is an editor and writer at Converge 360.