Blog | February 20, 2026 | 4 min read

Security Checklist for New AWS Accounts

Start secure from day one with practical guardrails.

After helping dozens of organizations stand up their first AWS accounts, the same question always comes up: "Where do we start with security?" This is the checklist we walk through with every new client. It covers the steps that matter most in the first 48 hours.

One note before we start: if you're setting up a multi-account environment, use AWS Control Tower. It automates most of what's listed below across your entire organization. If you're working with a single account or Control Tower isn't an option, follow these steps manually.

1. Lock Down the Root Account

The root account has unrestricted access to everything. Treat it like a break-glass credential.

  • Enable MFA immediately. Use a hardware key (YubiKey) if possible. A virtual MFA app is the minimum.
  • Create a strong, unique password and store it in a secrets manager or physical safe — not a shared spreadsheet.
  • Do not use root for daily operations. After initial setup, root should only be used for the handful of tasks that require it (changing account settings, closing the account, etc.).
  • Set up alternate contacts for billing, operations, and security so notifications reach the right people.

2. Set Up IAM Identity Center (or IAM Users)

If you're using AWS Organizations, set up IAM Identity Center (formerly SSO) — it's the modern approach and integrates with your existing identity provider.

For standalone accounts:

  • Create an IAM admin user for daily operations instead of using root.
  • Require MFA for all IAM users. No exceptions. Use a conditional IAM policy to deny actions until MFA is authenticated.
  • Create groups by role — admin, developer, readonly — and assign permissions to groups, not individual users.
  • Follow least privilege. Start with minimal permissions and add access as needed. AWS Access Analyzer can help identify unused permissions to remove later.
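The conditional MFA policy mentioned in the second bullet, as an added example not taken from the original post: it follows the pattern AWS documents, denying every action except MFA self-enrollment while the session is not MFA-authenticated. The Sid and the exact NotAction list are assumptions; attach it to the admin, developer and readonly groups rather than to individual users.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAllExceptListedIfNoMFA",
      "Effect": "Deny",
      "NotAction": [
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:GetUser",
        "iam:GetMFADevice",
        "iam:ListMFADevices",
        "iam:ListVirtualMFADevices",
        "iam:ResyncMFADevice",
        "sts:GetSessionToken"
      ],
      "Resource": "*",
      "Condition": {
        "BoolIfExists": {
          "aws:MultiFactorAuthPresent": "false"
        }
      }
    }
  ]
}
```

Because the condition uses BoolIfExists, sessions that carry no MFA context key at all (for example roles assumed by AWS services) are not denied, so scope this to the groups holding human users. A newly created user can only enroll a device until they sign in again with MFA, which is the intended behaviour.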

3. Enable Logging and Detection

These services should be active in every account from day one. They're your audit trail and your early warning system.

  • AWS CloudTrail — Enable in all regions, not just the one you're working in. Attackers often operate in regions you're not watching. Send logs to a dedicated S3 bucket with versioning and MFA delete enabled.
  • AWS Config — Turn on resource tracking so you have a record of every configuration change. Use Config rules to flag non-compliant resources automatically.
  • Amazon GuardDuty — Enable threat detection. It analyzes CloudTrail, VPC Flow Logs, and DNS logs for suspicious activity. There's no configuration to maintain — just turn it on.
  • S3 default encryption — Enable default encryption (SSE-S3 or SSE-KMS) for all new S3 buckets. Block public access at the account level unless you have an explicit reason not to.

4. Set Billing Guardrails

Unexpected AWS bills are one of the most common problems in new accounts — and sometimes the first sign of compromised credentials.

  • Create a billing budget with alerts at 50%, 80%, and 100% of your expected spend. AWS Budgets can notify via email or SNS.
  • Enable Cost Explorer so you can see what's generating charges.
  • Set up a billing alarm in CloudWatch as a backup notification channel.
  • Review the Free Tier usage dashboard regularly if you're in your first 12 months.

5. Establish Network Baselines

Even if you're not deploying workloads yet, get the network foundations right.

  • Create a VPC with private subnets for any resources that don't need direct internet access. Use NAT gateways for outbound traffic from private subnets.
  • Restrict security groups by default. Don't allow 0.0.0.0/0 inbound on any port. Be specific about source IPs and ports.
  • Enable VPC Flow Logs and send them to CloudWatch Logs or S3. They're essential for incident investigation and compliance evidence.
  • Remove default VPC resources you're not using. The default VPC has permissive settings that don't match most security requirements.

What Comes Next

This checklist covers the first 48 hours. After that, you'll want to look at SCPs (Service Control Policies) if you're using Organizations, set up centralized logging, establish a tagging strategy, and define your backup and retention policies.

If you want help getting your AWS environment set up correctly from the start — or you want us to review what you already have — reach out to our team. We do this regularly and can usually complete a baseline security setup in a few days.
