Troubleshoot and audit access issues by using AWS services (for example, CloudTrail, IAM Access Analyzer, IAM policy simulator).
Validate service control policies (SCPs) and permissions boundaries.
Review AWS Trusted Advisor security checks.
Validate AWS Region and service selections based on compliance requirements.
Implement secure multi-account strategies (for example, AWS Control Tower, AWS Organizations).
Enforce a data classification scheme.
Create, manage, and protect encryption keys.
Implement encryption at rest (for example, AWS Key Management Service [AWS KMS]).
Implement encryption in transit (for example, AWS Certificate Manager [ACM], VPN).
Securely store secrets by using AWS services (for example, AWS Secrets Manager, Systems Manager Parameter Store).
Review reports or findings (for example, AWS Security Hub, Amazon GuardDuty, AWS Config, Amazon Inspector).
Configure a VPC (for example, subnets, route tables, network ACLs, security groups, NAT gateway, internet gateway).
Configure private connectivity (for example, Systems Manager Session Manager, VPC endpoints, VPC peering, VPN).
Configure AWS network protection services (for example, AWS WAF, AWS Shield).
Configure Route 53 hosted zones and records.
Implement Route 53 routing policies (for example, geolocation, geoproximity).