What each control does, why it’s there, and what security benefit it provides.
| Control | What it does | Why / benefit |
| --- | --- | --- |
| CloudTrail (multi-region) | Records API and console activity across all regions. | Single place to investigate who did what and when; required for many compliance and incident-response scenarios. |
| Log file validation | Ensures CloudTrail log files have not been modified. | Detects tampering with the audit trail. |
| KMS for logs | Encrypts CloudTrail and CloudWatch log data with a customer-managed key. | You control the key and access; log data is protected at rest. |
| S3 bucket policy | Restricts write access to CloudTrail and denies non-HTTPS. | Only CloudTrail can write; traffic to the bucket must be TLS. |
| Metric filters and alarms | Root usage, console login without MFA, unauthorized calls, IAM changes → SNS. | Fast signal for high-risk events without scanning logs manually. |
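To make the "Metric filters and alarms" row concrete, here is an added example (not code from this project) that applies the same four detections to a batch of CloudTrail JSON lines. The predicates are modelled on the CIS AWS Foundations Benchmark metric-filter patterns; the exact patterns the project deploys, the sample records and the `classify` helper are all assumptions.

```python
import json

# Constructed sample CloudTrail records (not real account data), written as
# the JSON lines CloudTrail delivers to a CloudWatch Logs group.
SAMPLE_LOG_LINES = [
    '{"eventName":"ConsoleLogin","eventType":"AwsConsoleSignIn","userIdentity":{"type":"Root"},'
    '"additionalEventData":{"MFAUsed":"No"}}',
    '{"eventName":"ConsoleLogin","eventType":"AwsConsoleSignIn","userIdentity":{"type":"IAMUser",'
    '"userName":"alice"},"additionalEventData":{"MFAUsed":"Yes"}}',
    '{"eventName":"DescribeInstances","eventSource":"ec2.amazonaws.com","eventType":"AwsApiCall",'
    '"userIdentity":{"type":"AssumedRole"},"errorCode":"Client.UnauthorizedOperation"}',
    '{"eventName":"PutUserPolicy","eventSource":"iam.amazonaws.com","eventType":"AwsApiCall",'
    '"userIdentity":{"type":"IAMUser","userName":"bob"}}',
]

# Predicates modelled on the CIS AWS Foundations Benchmark metric-filter patterns
# (assumption: the page names the four alarms but not the exact patterns it deploys).
def is_root_usage(e):
    ident = e.get("userIdentity", {})
    return (ident.get("type") == "Root" and "invokedBy" not in ident
            and e.get("eventType") != "AwsServiceEvent")

def is_console_login_without_mfa(e):
    return (e.get("eventName") == "ConsoleLogin"
            and e.get("additionalEventData", {}).get("MFAUsed") != "Yes")

def is_unauthorized_call(e):
    code = e.get("errorCode", "")
    return code.endswith("UnauthorizedOperation") or code.startswith("AccessDenied")

# Broad approximation of the CIS list of mutating IAM API names.
IAM_CHANGE_PREFIXES = ("Put", "Create", "Delete", "Attach", "Detach", "Update", "Add", "Remove")

def is_iam_change(e):
    return (e.get("eventSource") == "iam.amazonaws.com"
            and e.get("eventName", "").startswith(IAM_CHANGE_PREFIXES))

FILTERS = {
    "root_usage": is_root_usage,
    "console_login_without_mfa": is_console_login_without_mfa,
    "unauthorized_api_call": is_unauthorized_call,
    "iam_change": is_iam_change,
}

def classify(log_lines):
    """Return {filter_name: [indexes of lines that matched]} for a batch of CloudTrail JSON lines."""
    events = [json.loads(line) for line in log_lines]
    return {name: [i for i, e in enumerate(events) if pred(e)]
            for name, pred in FILTERS.items()}
```

Running `classify(SAMPLE_LOG_LINES)` flags line 0 for both root usage and console login without MFA, line 2 as an unauthorized call and line 3 as an IAM change; in the deployed baseline each of those matches would increment the metric and trip the SNS-backed alarm.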
| Control | What it does | Why / benefit |
| --- | --- | --- |
| Password policy | Enforces length, complexity, reuse, and max age for IAM user passwords. | Reduces risk of weak or stale passwords when IAM users are still used (e.g. break-glass). |
| Break-glass admin | Role with full admin, MFA required, 1h session. | Emergencies only; no standing full-admin access; session time-bounded. |
| Operator role | PowerUser with deny policy on CloudTrail and the CloudTrail S3 bucket. | Day-to-day work without the ability to delete or stop the trail or delete audit logs. |
| Read-only role | ReadOnlyAccess, no MFA condition. | Safe for automation and read-only tooling; no write or delete. |
| Control | What it does | Why / benefit |
| --- | --- | --- |
| Default SG deny-all | No ingress or egress rules on the VPC default security group. | Resources accidentally attached to the default SG get no network access. |
| VPC flow logs (optional) | Sends flow logs to CloudWatch. | Visibility into allowed/denied traffic for detection and forensics. |
| Control | What it does | Why / benefit |
| --- | --- | --- |
| GuardDuty | Managed threat detection (S3, EBS, etc.). | Detects malicious activity and suspicious behavior with minimal operational overhead. |
| AWS Config (optional) | Records configuration and evaluates rules (e.g. CloudTrail on, root MFA, S3 public access blocks). | Supports compliance and configuration drift detection. |
| Budgets | Alerts at 80% and 100% of the monthly budget to admin_email. | Reduces risk of unexpected cost from misuse or compromise. |
Security scanning (e.g. Checkov) may report findings that are explicitly accepted in v1 and documented:
- S3 access logging / event notifications / replication — Deferred to v2 (separate logging bucket, multi-account).
- AdministratorAccess on break-glass — Intentional; access is MFA-gated and time-limited.
See BUILD_CHECKLIST.md and inline comments for the full list of documented skips.