Lock down access
Public S3, IAM hygiene, security groups and MFA: close the obvious doors.
Lessons in this path
- 1. Enable Cognito threat protection (Compliance AWS, 11 min)
  Security Hub Cognito.X — threat protection (formerly Advanced Security) blocks compromised credentials, anomalous logins, and bot attacks. Set enforcement to full.
- 2. Block public access to AWS resources (Compliance AWS, 14 min)
  One capability across S3, EC2, RDS, snapshots, queues and topics: make sure nothing is reachable from, or shareable with, the public internet unless you genuinely intend it.
- 3. Configure backups and retention (Compliance AWS, 14 min)
  One capability across databases, tables, streams, file systems and snapshots: make sure every data store can be recovered to a recent point, and that no backup is shared with the public internet.
- 4. Harden security groups and restrict ingress (Compliance AWS, 14 min)
  One capability across EC2, RDS, Redshift and network ACLs: stop firewall rules from opening administrative and data-tier ports to the whole internet, and keep default and unused rules from accumulating.
- 5. Enable deletion and termination protection (Compliance AWS, 14 min)
  One capability across CloudFormation, RDS, Aurora, DocumentDB, DynamoDB, ELB, ECS and Cognito: turn the irreversible one-step delete into a deliberate two-step action so a single mistyped command cannot wipe out production.
- 6. Manage KMS encryption keys (Compliance AWS, 15 min)
  One capability across rotation, deletion protection, key-policy scope and decrypt permissions: keep the KMS keys that protect everything you encrypt rotating, recoverable, private and reachable only by the principals that genuinely need them.
- 7. Rotate and remove stale IAM credentials (Compliance AWS, 15 min)
  One capability across IAM users, CodeBuild projects and Cognito pools: keep credentials short-lived, remove the ones nobody uses, enforce a strong password policy, and never leave a static key sitting in clear text.
- 8. Enable MFA for root and IAM users (Compliance AWS, 14 min)
  One capability across the root user, IAM console and programmatic users, and Cognito user pools: make a stolen password or key useless on its own by requiring a second factor everywhere an identity can sign in.
- 9. Enforce IAM least privilege (Compliance AWS, 14 min)
  One capability across IAM policy structure: grant each identity only the permissions it actually needs, attach them through groups and roles rather than directly, and keep wildcard and broad managed grants out of the estate.
- 10. Enforce IMDSv2 on EC2 (Compliance AWS, 13 min)
  One capability across running instances and the launch sources that create them: require the IMDSv2 session-token handshake everywhere so a server-side request forgery bug cannot read an instance's role credentials.
- 11. Harden SageMaker and ML workloads (Compliance AWS, 15 min)
  One capability across SageMaker notebooks, models, processing jobs and endpoints: cut their network paths, drop their privileges and encrypt their traffic so a single compromised ML job cannot reach your data or your account.
- 12. Protect APIs and edge with WAF (Compliance AWS, 14 min)
  One capability across AWS WAF and Network Firewall: make sure the firewalls in front of your APIs, load balancers and VPC traffic actually contain rules and are attached to the resources they are meant to protect, rather than being deployed in name only.
- 13. Protect CloudFront distributions and origins (Compliance AWS, 14 min)
  One capability across the CloudFront edge: lock origins so the distribution is the only door, enforce strong HTTPS to viewers and origins, and turn on the logging, WAF and access controls that make a distribution genuinely hardened rather than merely working.
- 14. Harden ECS container workloads (Compliance AWS, 14 min)
  One capability across ECS task definitions, services, task sets and clusters: drop the privileges, close the network paths, move secrets out of plaintext and turn on the logging so a single compromised container stays a contained incident.
- 15. Disable insecure access modes and protocols (Compliance AWS, 14 min)
  One capability across IAM, EKS, Lambda, S3, Transfer Family and Transit Gateway: turn off the legacy access modes, open defaults and plaintext protocols that grant reach nobody deliberately intended.
- 16. Require authentication on data and API services (Compliance AWS, 13 min)
  One capability across API Gateway, AppSync, MSK, ElastiCache and DMS: make sure every data and API service proves who is calling before it answers, rather than trusting the network or a shared secret.
- 17. Manage secrets (rotation and hygiene) (Compliance AWS, 14 min)
  One capability across Secrets Manager and Kubernetes: keep credentials rotating on a schedule that actually succeeds, retire the secrets nobody uses, and make sure your stored secrets are genuinely encrypted rather than merely encoded.
- 18. Harden resource and service-role policies (Compliance AWS, 13 min)
  One capability across IAM, CloudFormation and EventBridge: make sure the policies that grant permissions and govern shared resources are scoped on purpose, so a leak or a mistake cannot reach the whole account.