Policy-defined guardrails
Querying logs in Amazon S3 for contextual information related to security events (for example, by using Athena)
Creating hardened EC2 AMIs
Resource policies (for example, for DynamoDB, Amazon S3, and AWS Key Management Service [AWS KMS])
Setting up automated tools and scripts to perform regular audits (for example, by creating custom insights in Security Hub)
AWS cost and usage for anomaly identification
Establishing identity through an authentication system, based on requirements
Implementing credential invalidation and rotation strategies in response to compromises (for example, by using AWS Identity and Access Management [IAM] and AWS Secrets Manager)
Centralized management, deployment, and versioning of AWS services
IAM instance roles and IAM service roles
Implementing log storage and lifecycle management according to AWS best practices and organizational requirements
Designing automatic lifecycle management for AWS services and resources (for example, Amazon S3, EBS volume snapshots, RDS volume snapshots, AMIs, container images, CloudWatch log groups, Amazon Data Lifecycle Manager)
Log analysis features of AWS services (for example, CloudWatch Logs Insights, CloudTrail Insights, Security Hub insights)
Best practices for tagging
Organizing AWS resources into different groups for management
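As an added worked example (not part of the exam guide) that ties together two items above, resource policies for Amazon S3 and AWS KMS and automated audit scripts: a small Python audit that parses resource policies and flags Allow statements whose principal is public (`"*"`) or a service principal without a scoping condition such as `aws:SourceArn` or `aws:SourceAccount` (the confused-deputy check). The bucket policy, key policy, account ID 111122223333, and all resource names are constructed for illustration; the script makes no AWS API calls, so it runs offline.

```python
"""Flag resource-policy Allow statements that are public or unscoped.

Constructed example policies below are illustrative, not from any real account.
"""
import json

# Constructed S3 bucket policy: anyone may read objects and no Condition limits who.
BUCKET_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [{
  "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
  "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-logs-bucket/*"}]}
""")

# Constructed KMS key policy: account-root admin (fine), a CloudTrail grant
# scoped with aws:SourceArn (fine), and an SNS grant with no scoping condition.
KEY_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
 {"Sid": "EnableRootPermissions", "Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
  "Action": "kms:*", "Resource": "*"},
 {"Sid": "AllowCloudTrailEncrypt", "Effect": "Allow",
  "Principal": {"Service": "cloudtrail.amazonaws.com"},
  "Action": ["kms:GenerateDataKey*", "kms:DescribeKey"], "Resource": "*",
  "Condition": {"StringEquals": {"aws:SourceArn":
    "arn:aws:cloudtrail:us-east-1:111122223333:trail/example-trail"}}},
 {"Sid": "AllowSnsDecrypt", "Effect": "Allow",
  "Principal": {"Service": "sns.amazonaws.com"},
  "Action": ["kms:Decrypt", "kms:GenerateDataKey*"], "Resource": "*"}]}
""")

PUBLIC = "public-principal-without-scoping-condition"
SERVICE = "service-principal-without-scoping-condition"

# Condition keys that tie a broad principal back to a specific caller or resource.
SCOPING_KEYS = {
    "aws:sourcearn", "aws:sourceaccount", "aws:sourceorgid",
    "aws:principalorgid", "aws:principalaccount", "aws:principalarn",
    "aws:sourcevpce", "aws:sourceip",
}


def _as_list(value):
    """Policy grammar allows a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_kind(principal):
    """Classify a statement Principal as 'public', 'service' or 'account'.

    A dict with both Service and non-wildcard AWS entries is treated as
    'account' (conservative simplification for this example).
    """
    if principal == "*":
        return "public"
    if isinstance(principal, dict):
        aws = _as_list(principal.get("AWS"))
        if "*" in aws:
            return "public"
        if "Service" in principal and not aws:
            return "service"
    return "account"


def _has_scoping_condition(condition):
    """True if any condition key (under any operator) restricts the caller."""
    for operator_values in condition.values():
        for key in operator_values:
            if key.lower() in SCOPING_KEYS:
                return True
    return False


def audit_policy(policy, policy_name):
    """Return a finding dict for each Allow statement that is public or an
    unscoped service grant. Deny statements and account principals are skipped."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        kind = _principal_kind(stmt.get("Principal", {}))
        if kind == "account" or _has_scoping_condition(stmt.get("Condition", {})):
            continue
        findings.append({
            "policy": policy_name,
            "sid": stmt.get("Sid", f"Statement[{idx}]"),
            "issue": PUBLIC if kind == "public" else SERVICE,
            "actions": _as_list(stmt.get("Action")),
        })
    return findings


def audit_all(policies):
    """Audit a {name: policy} mapping and return all findings in one list."""
    findings = []
    for name, policy in policies.items():
        findings.extend(audit_policy(policy, name))
    return findings


if __name__ == "__main__":
    targets = {"example-logs-bucket": BUCKET_POLICY, "example-key": KEY_POLICY}
    for f in audit_all(targets):
        print(f"{f['policy']}:{f['sid']} -> {f['issue']} ({', '.join(f['actions'])})")
```

In a real audit the policies would come from `s3:GetBucketPolicy`, `kms:GetKeyPolicy` and `dynamodb:GetResourcePolicy` across accounts, and each finding would be pushed to Security Hub as a custom finding; the classification logic above is the part that should be reviewed and tested offline. Note that the `kms:*` grant to the account root is deliberately not flagged, since that is the standard key-administrator statement and access is still governed by IAM policies in that account.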