Cloud Security

Hardening a New AWS Account in 2 Hours (Runbook)

Manish Garg Associate CISSP · RingSafe
April 19, 2026
4 min read

This is the runbook we use to harden a new AWS account from its default state to a production-defensible posture in about 2 hours of focused work. It skips the academic discussion and goes straight to the commands, the policies, and the configuration choices. Use it on day 1 of any new AWS account, and apply it retroactively to existing accounts that have never been hardened. The numbered steps are in the order we execute them: each step depends only on the steps before it.

Prerequisites

  • AWS CLI installed and configured with break-glass root credentials (or equivalent admin access)
  • Hardware MFA device available for the root user
  • An email distribution list or shared inbox for the root account — NOT an individual’s personal email
  • A separate AWS account for centralized logging (ideally within an AWS Organization)

Step 1 — Secure the root account (15 minutes)

  1. Log in as root, confirm email and password
  2. Enable MFA with a hardware token — not virtual MFA on a phone
  3. Delete any access keys the root user has
  4. Update root account contact information — security contact, operations contact, billing contact all set to monitored distribution lists
  5. Set an unguessable strong password stored in a credential vault; lock the vault item behind organization-specific access controls
  6. Log out; do not use root again unless a root-only operation is required

Step 2 — Enable billing alerts (5 minutes)

# In Billing console, enable "Receive Billing Alerts" and
# "Receive Free Tier Usage Alerts"

# Create CloudWatch alarm for unusual spending
aws cloudwatch put-metric-alarm \
  --alarm-name "BillingHigh" \
  --alarm-description "Alert when monthly charges exceed threshold" \
  --metric-name EstimatedCharges \
  --namespace AWS/Billing \
  --statistic Maximum \
  --period 86400 \
  --evaluation-periods 1 \
  --threshold 500 \
  --comparison-operator GreaterThanThreshold \
  --dimensions Name=Currency,Value=USD \
  --region us-east-1 \
  --alarm-actions <SNS topic ARN for ops alerts>

Step 3 — Enable logging in all regions (10 minutes)

# Enable a multi-region organization trail delivering to the centralized logging account.
# Run this from the Organizations management account (or a delegated CloudTrail
# administrator); the target bucket policy must grant CloudTrail write access for the
# whole organization, not just this account.
aws cloudtrail create-trail \
  --name org-audit-trail \
  --s3-bucket-name <logging-bucket-in-central-account> \
  --is-multi-region-trail \
  --is-organization-trail \
  --enable-log-file-validation

aws cloudtrail start-logging --name org-audit-trail

# Enable AWS Config in all regions. The recorder will not start without a delivery
# channel, so create one per region first. Record global resource types (IAM etc.)
# in a single region only, otherwise every region records a duplicate copy.
for region in $(aws ec2 describe-regions --query 'Regions[].RegionName' --output text); do
  if [ "$region" = "us-east-1" ]; then globals=true; else globals=false; fi
  aws configservice put-configuration-recorder \
    --configuration-recorder name=default,roleARN=<config-role-arn>,recordingGroup="{allSupported=true,includeGlobalResourceTypes=$globals}" \
    --region "$region"
  aws configservice put-delivery-channel \
    --delivery-channel name=default,s3BucketName=<config-bucket-in-central-account> \
    --region "$region"
  aws configservice start-configuration-recorder \
    --configuration-recorder-name default \
    --region "$region"
done

Step 4 — Enable security services (10 minutes)

# GuardDuty in every region
for region in $(aws ec2 describe-regions --query 'Regions[].RegionName' --output text); do
  aws guardduty create-detector --enable --region $region
done

# Security Hub with foundational standards
for region in $(aws ec2 describe-regions --query 'Regions[].RegionName' --output text); do
  aws securityhub enable-security-hub \
    --enable-default-standards \
    --region $region
done

# Enable AWS Config Conformance Pack for CIS AWS Foundations
aws configservice put-conformance-pack \
  --conformance-pack-name CIS-AWS-Foundations \
  --template-s3-uri s3://aws-config-conformance-packs/Operational-Best-Practices-for-CIS-v1.4.yaml

Step 5 — Block public access defaults (5 minutes)

# S3 account-level Block Public Access (overrides bucket-level settings in this account)
aws s3control put-public-access-block \
  --account-id <account-id> \
  --public-access-block-configuration \
    BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true

# EBS encryption by default, plus the KMS key that new volumes are encrypted with.
# Both settings are per region. alias/aws/ebs is the AWS-managed key; substitute a
# customer-managed key if you need control over the key policy and rotation.
for region in $(aws ec2 describe-regions --query 'Regions[].RegionName' --output text); do
  aws ec2 enable-ebs-encryption-by-default --region "$region"
  aws ec2 modify-ebs-default-kms-key-id --kms-key-id alias/aws/ebs --region "$region"
done

Step 6 — Set up IAM Identity Center or federated access (30 minutes)

If using AWS Organizations with IAM Identity Center:

  1. Enable IAM Identity Center in the management account
  2. Connect your identity provider (Okta, Google Workspace, Azure AD)
  3. Create permission sets: AdministratorAccess (break-glass), PowerUserAccess (engineers), ReadOnlyAccess (observers), BillingFullAccess (finance)
  4. Assign users/groups to accounts with appropriate permission sets
  5. Configure session duration: 1 hour for admin, 8 hours for read-only

Alternative: OIDC federation from your IdP directly to IAM roles in each account.

Step 7 — Password policy (2 minutes)

aws iam update-account-password-policy \
  --minimum-password-length 14 \
  --require-symbols \
  --require-numbers \
  --require-uppercase-characters \
  --require-lowercase-characters \
  --allow-users-to-change-password \
  --max-password-age 90 \
  --password-reuse-prevention 24 \
  --hard-expiry

Step 8 — Default VPC hardening (10 minutes)

# Delete default VPC in every region (most organizations should use custom VPCs)
# Or if keeping, at minimum:
# - Remove default security group rules allowing all traffic
# - Enable VPC Flow Logs

# Example: enable flow logs on the default VPC in every enabled region
for region in $(aws ec2 describe-regions --query 'Regions[].RegionName' --output text); do
  vpc_id=$(aws ec2 describe-vpcs --filters "Name=isDefault,Values=true" \
    --query 'Vpcs[].VpcId' --output text --region "$region")
  [ -n "$vpc_id" ] || continue   # default VPC already deleted in this region
  aws ec2 create-flow-logs \
    --resource-type VPC \
    --resource-ids "$vpc_id" \
    --traffic-type ALL \
    --log-destination-type s3 \
    --log-destination <s3-arn-for-flow-logs> \
    --region "$region"
done

Step 9 — Service Control Policies (if AWS Organizations) (10 minutes)

Attach SCPs preventing the most dangerous mistakes. Minimum recommended:

  • Deny cloudtrail:Stop*, cloudtrail:Delete* — no one can disable logging
  • Deny guardduty:Delete*, guardduty:Disable* — GuardDuty cannot be disabled
  • Deny config:Delete*, config:Stop* — Config cannot be stopped
  • Deny iam:CreateUser — force federated access only, except for specific service-account cases
  • Deny creation of resources outside approved regions (typically ap-south-1 for India-focused businesses plus one disaster-recovery region)
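The five guardrails above expressed as a single SCP and attached at the organization root. This is an added example, not part of the original runbook: the approved regions, the break-glass role and the service-account provisioner role are assumed placeholders, and the NotAction list of global services is a starting point that must be extended for any other global service you use.

```shell
# Constructed placeholders: edit the approved regions and the two role names.
APPROVED_REGIONS='"ap-south-1", "ap-southeast-1"'          # primary + DR region
BREAK_GLASS_ROLE='arn:aws:iam::*:role/BreakGlassAdmin'      # exempt from region lock
IAM_USER_PROVISIONER='arn:aws:iam::*:role/ServiceAccountProvisioner'
# Print the SCP document. NotAction exempts global services that are always
# served out of us-east-1; extend the list for other global services you use.
render_guardrail_scp() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ProtectSecurityTelemetry",
      "Effect": "Deny",
      "Action": ["cloudtrail:Stop*", "cloudtrail:Delete*", "guardduty:Delete*",
                 "guardduty:Disable*", "config:Delete*", "config:Stop*"],
      "Resource": "*"
    },
    {
      "Sid": "DenyIamUsersExceptProvisioner",
      "Effect": "Deny",
      "Action": "iam:CreateUser",
      "Resource": "*",
      "Condition": {"ArnNotLike": {"aws:PrincipalARN": "${IAM_USER_PROVISIONER}"}}
    },
    {
      "Sid": "DenyOutsideApprovedRegions",
      "Effect": "Deny",
      "NotAction": ["iam:*", "sts:*", "organizations:*", "account:*", "cloudfront:*",
                    "route53:*", "support:*", "budgets:*", "health:*", "ec2:DescribeRegions"],
      "Resource": "*",
      "Condition": {"StringNotEquals": {"aws:RequestedRegion": [${APPROVED_REGIONS}]},
                    "ArnNotLike": {"aws:PrincipalARN": "${BREAK_GLASS_ROLE}"}}
    }
  ]
}
EOF
}
# Create the policy and attach it at the organization root so every member account
# inherits it. Run from the management account; SCPs never apply to that account.
apply_guardrail_scp() {
  policy_id=$(aws organizations create-policy --name OrgGuardrails \
    --description "Protect logging, block IAM users, restrict regions" \
    --type SERVICE_CONTROL_POLICY --content "$(render_guardrail_scp)" \
    --query 'Policy.PolicySummary.Id' --output text)
  root_id=$(aws organizations list-roots --query 'Roots[0].Id' --output text)
  aws organizations attach-policy --policy-id "$policy_id" --target-id "$root_id"
}
```

Run `render_guardrail_scp` on its own first and review the output; only call `apply_guardrail_scp` once the break-glass role named in the document actually exists, because the region lock applies to every other principal immediately.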

Step 10 — Documentation (15 minutes)

Everything you just did needs to be documented:

  • Account ownership and contact information
  • MFA device location and backup
  • Break-glass credentials storage and access process
  • Monitoring alarms and their intended response
  • Service Control Policies attached

Verification

Run Prowler against the account; it covers CIS Benchmarks and most of the above. Any failures are gaps to close.
