AWS Expert Outlines Five Strategies to Mitigate Cloud Security Risk
Cloud security has become a critical concern for organizations as they migrate data and services to the cloud. According to Check Point's 2025 Cloud Security Report, 65 percent of organizations experienced a cloud-related security incident in the past year, yet only 9 percent detected it within the first hour and just 6 percent remediated it that quickly, underscoring the need for faster detection and response.
To help educate IT security-conscious pros about this, AWS Insider today held The Essentials of AWS Data Security summit that featured a session titled "The AWS Risk Reduction Blueprint," presented by AWS-certified DevOps professional Carlos Rivas. In his wide-ranging talk, Rivas emphasized the constant security challenges faced by organizations using Amazon Web Services (AWS), while laying out a structured approach to risk management.
"In short, you're always kind of exposed out there when you're using the cloud. So there's always a good opportunity to improve security, and that's why we're here today."
Carlos Rivas, Sr. Solutions Architect
The presentation, sponsored by Rubrik, focused on AWS' shared responsibility model, practical tools, and architectural best practices. A central slide from Rivas' deck highlighted five strategies to assess and mitigate cloud risks. Each became a springboard for deeper discussion, making them a natural framework for IT teams looking to strengthen their AWS environments.
Figure: 5 Strategies to Assess and Mitigate Cloud Risks (source: Carlos Rivas).
Follow the Shared Responsibility Model
Rivas began by underscoring AWS' shared responsibility model, which clarifies what AWS secures versus what the customer must handle. AWS provides the physical security of cloud infrastructure, but customers must secure operating systems, applications, and configurations.
"If you have a server or an S3 bucket, and you have that open to the world, then you can't really blame AWS for that misconfiguration," he explained. Missteps like leaving ports exposed or disabling encryption remain among the top causes of breaches. He urged IT teams to lock down root accounts with multi-factor authentication (MFA), limit root account use to billing functions, and enforce least-privilege access policies.
Build a Cloud Risk Adoption Framework
To move beyond ad hoc measures, Rivas recommended developing a formal framework to adopt cloud risk practices. While AWS does not prescribe a single model, organizations can use the AWS Well-Architected Framework as a guide. The framework includes a security pillar with best practices that Rivas described as a "blueprint" for structured risk assessment.
He emphasized that the framework is high-level and industry-agnostic, meaning teams may need to adapt it for sector-specific regulations such as HIPAA or PCI DSS. Even so, he said that applying its principles leaves organizations "[better] off than when you started, even though... there's not going to be [guidance] specific to your industry."
Perform a Cloud Security Assessment
Another recurring theme was the need for continuous security assessments. Rivas highlighted AWS Config as a critical tool for validating environments against compliance requirements. The service can flag unencrypted volumes, insecure network connections, or noncompliant resources in real time.
"If you have... a data volume that is not encrypted, you will get an alert saying, hey, you're out of compliance," he explained. For organizations subject to standards like PCI DSS, Config provides predefined rule packs to accelerate adoption.
Assessments should also include identity practices. Rivas cautioned against overusing administrator rights, urging fine-grained policies and mandatory MFA for all users. He added that organizations should conduct regular permission audits to align with evolving needs.
Use Tools and Services
Rivas devoted significant time to AWS-native tools that help monitor and respond to risks. Among those mentioned were:
These services often work best in concert. For example, GuardDuty findings can trigger automated responses through AWS Lambda, with alerts routed via EventBridge and Simple Notification Service (SNS). "That's the closest to real time that we have in AWS," Rivas noted.
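As an added example, not code from Rivas' talk or from AWS, here is the Lambda side of the GuardDuty-to-EventBridge-to-SNS chain just described: the EventBridge rule pattern, the ALERT_TOPIC_ARN variable, the build_alert helper and the sample finding are assumptions made for this illustration, and the severity bands are assumed from the GuardDuty documentation.

```python
import json
import os

# EventBridge rule pattern that routes High/Critical findings to this Lambda
# (deployed on the rule; kept here for reference and for tests).
EVENT_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 7]}]},
}

def severity_label(score):
    """Map GuardDuty's numeric severity to a band (thresholds assumed from the docs)."""
    return "CRITICAL" if score >= 9 else "HIGH" if score >= 7 else "MEDIUM" if score >= 4 else "LOW"

def build_alert(event):
    """Validate the EventBridge envelope and distil the finding for SNS; returns
    None for non-GuardDuty events so a loosened rule cannot make this a generic relay."""
    if event.get("source") != "aws.guardduty" or event.get("detail-type") != "GuardDuty Finding":
        return None
    d = event["detail"]
    inst = d.get("resource", {}).get("instanceDetails", {})
    return {
        "severity": severity_label(float(d["severity"])),
        "type": d["type"],
        "account": d.get("accountId"),
        "region": d.get("region"),
        "instance_id": inst.get("instanceId"),
        "finding_id": d.get("id"),
    }

def lambda_handler(event, context=None, publish=None):
    """Entry point; `publish(subject, body)` is injectable for offline tests."""
    alert = build_alert(event)
    if alert is None:
        return {"published": False, "alert": None}
    if publish is None:  # default: SNS topic named in ALERT_TOPIC_ARN (assumed name)
        import boto3  # available in the Lambda runtime
        sns, topic = boto3.client("sns"), os.environ["ALERT_TOPIC_ARN"]
        publish = lambda s, b: sns.publish(TopicArn=topic, Subject=s, Message=b)
    subject = f"[GuardDuty {alert['severity']}] {alert['type']}"[:100]  # SNS subject cap
    publish(subject, json.dumps(alert, indent=2))
    return {"published": True, "alert": alert}

# Constructed sample finding (not real data) in the EventBridge envelope shape.
SAMPLE_EVENT = {"source": "aws.guardduty", "detail-type": "GuardDuty Finding", "detail": {
    "id": "example-finding-id", "type": "UnauthorizedAccess:EC2/SSHBruteForce", "severity": 7.5,
    "accountId": "111111111111", "region": "us-east-1",
    "resource": {"instanceDetails": {"instanceId": "i-0example"}}}}
```

The handler re-checks the event source and type itself, so the rule pattern and the code each act as an independent filter.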
Continuously Monitor and Assess Risks
Finally, Rivas urged teams to treat monitoring as an ongoing process, not a one-off exercise. Tools like CloudWatch, VPC Flow Logs, and Security Hub dashboards can surface misconfigurations, anomalous traffic, or compliance drift. But he cautioned against trying to parse raw logs directly, calling them "a very overwhelming amount of data." Instead, organizations should use dashboards such as Grafana for visualization.
"If somebody is moving an abnormal amount of data, it will rise to the top in this dashboard, and you'll be able to see it right away," he said.
He also reinforced the importance of planning for the inevitable. Disaster recovery should be part of continuous assessment, whether through simple backup-and-restore setups or more advanced multi-site deployments.
And Much More
All of the above is just part of Rivas' full presentation, of course, and you need to watch the on-demand replay to get the individual items fleshed out in detail -- along with many other actionable tips -- but this gives you the overall idea of his presentation.
And, although replays are fine -- this was just today, after all, so timeliness isn't an issue -- there are benefits of attending such summits and webcasts from AWS Insider and sister pubs in person. Paramount among these is the ability to ask questions of the presenters, a rare chance to get one-on-one advice from bona fide subject matter experts (not to mention the chance to win free prizes provided by sponsors such as Rubrik, which also presented a session at the summit).
With all that in mind, here are some upcoming summits and webcasts in the remainder of September from our parent company:
About the Author
David Ramel is an editor and writer at Converge 360.