Cloud Security on a $0 Budget: Hardening AWS from IAM to Kubernetes
You're running EC2 instances with IMDSv1 wide open. Your S3 buckets have ACLs enabled "just in case." Half your Lambda functions share one execution role with * permissions. Your EKS cluster has no Pod Security Standards. And someone is pitching you a $50K/year CSPM. Here's the thing — AWS already ships most of what you need. You just haven't turned it on.I've spent this blog series building pipelines that catch bad code before it ships — Gitleaks, Semgrep, Trivy, ZAP in CI/CD, GHAS as a hard security gate, and DefectDojo as the single pane of glass. But none of that matters if the infrastructure running your code is itself the attack surface. A hardened pipeline deploying to a wide-open AWS account is a locked front door with no walls.
This post is the walls. For every service below, I'll tell you why it matters and what to do first. The full checklists — every CLI command, JSON policy, YAML manifest, and gotcha — live in the cloud-security-checklists repo, organized by provider, category, and resource so you can find exactly what you need without scrolling through a novel.
┌──────────────────────────────────────────────────────────────────────┐
│ CLOUD SECURITY HARDENING MAP │
│ │
│ IDENTITY COMPUTE DATA NETWORK │
│ ┌──────────┐ ┌──────────┐ ┌──────────┐ ┌──────────┐ │
│ │ IAM │ │ EC2 │ │ S3 │ │ VPC │ │
│ │ SCPs │ │ Lambda │ │ Secrets │ │ WAF │ │
│ │ Identity │ │ ECS │ │ KMS │ │ SGs │ │
│ │ Center │ │ EKS │ │ ECR │ │ Flow Logs│ │
│ └──────────┘ └──────────┘ └──────────┘ └──────────┘ │
│ │
│ DETECT AUDIT SCAN │
│ ┌──────────┐ ┌──────────┐ ┌──────────┐ │
│ │ GuardDuty│ │CloudTrail│ │ Prowler │ │
│ │ Inspector│ │ Config │ │ Checkov │ │
│ │ Security │ │ CloudWatch│ │ Trivy IaC│ │
│ │ Hub │ │ │ │ScoutSuite│ │
│ └──────────┘ └──────────┘ └──────────┘ │
└──────────────────────────────────────────────────────────────────────┘Start Here: 15 Minutes, 4 Actions, Zero Cost
These four P0 items eliminate the most common AWS breach vectors. All free. All under 15 minutes.
| Priority | Service | Action | Time |
|---|---|---|---|
| 🔴 P0 | S3 | Account-level Block Public Access | 2 min |
| 🔴 P0 | IAM | Enable Access Analyzer | 5 min |
| 🔴 P0 | EC2 | Enforce IMDSv2 via SCP | 15 min |
| 🔴 P0 | EC2 | Enable EBS encryption by default | 2 min |
Or run them all at once with the quick-wins script.
The 11 Security Layers
1. IAM: The Root of All Cloud Evil
Every AWS breach starts with identity. Over-permissioned roles, unused access lingering for months, no MFA on console users. Start with Access Analyzer (free, identifies exposed resources and unused permissions), enforce guardrails with SCPs (which now support the full IAM policy language as of September 2025), and set permission boundaries on developer roles so they can create resources but never exceed their permissions ceiling.
For automated IAM right-sizing, the IAM Least Privilege Toolkit walks you through the full pipeline: record → refine → validate → deploy.
👉 Full IAM checklist with commands & policies
2. S3: One Checkbox Away from a Breach
S3 misconfigurations are still the #1 cause of data breaches in AWS. The fix is embarrassingly simple: one account-level setting blocks public access on every bucket. Follow that by killing legacy ACLs (disable them entirely with BucketOwnerEnforced) and enabling default SSE-S3 encryption. For multi-team environments, use S3 Access Points instead of one giant bucket policy.
3. EC2: Kill SSH, Enforce IMDSv2, Encrypt Everything
Three changes eliminate entire attack categories. IMDSv2 blocks SSRF-based credential theft (enforce it org-wide via SCP so nobody can launch IMDSv1 instances). SSM Session Manager replaces SSH — no keys to rotate, no bastion hosts to patch, no port 22 in security groups, and every session is logged. EBS encryption by default has zero performance overhead.
4. Lambda: One Function, One Role, No Exceptions
The biggest Lambda security mistake is sharing execution roles across functions. One compromised function escalates to everything that role can touch. Give each function a scoped role with only the permissions it needs, set reserved concurrency to prevent runaway costs, and enable code signing to reject untrusted deployments.
5. ECS/Fargate: Task Role vs Execution Role
The most common ECS misconfiguration: conflating the task execution role (pulls images, writes logs) with the task role (what the application can do). Get this wrong and your app has infrastructure-level permissions. Separate them, inject secrets via the secrets field (not environment variables — those are visible via describe-task-definition), and use ECS Exec for debugging instead of SSH.
6. EKS/Kubernetes: Pod Security, RBAC, and the New Pod Identity
Kubernetes security has gotten significantly better since 2024. Pod Security Standards (built-in, no add-ons needed) prevent privileged containers at the namespace level. EKS Pod Identity (replaces IRSA) removes the OIDC complexity. NetworkPolicies control east-west traffic. For runtime detection, Falco (CNCF graduated) catches shell spawns, unexpected connections, and privilege escalations. Run kube-bench for CIS compliance and OPA Gatekeeper for admission policies.
👉 Full EKS/Kubernetes checklist
7. Container Images: Scan, Shrink, Sign
Your runtime is only as secure as your base images. Scan with Trivy (already in the DevSecOps pipeline), generate SBOMs with Syft for supply chain visibility, sign with Cosign for provenance, and switch to Distroless or Chainguard base images (no shell, no package manager, 50%+ fewer CVEs).
👉 Full Container/ECR checklist
8. Secrets Management: Parameter Store Is Free, Secrets Manager Rotates
Two services, different use cases. Parameter Store is free and good for config. Secrets Manager costs $0.40/secret/month but auto-rotates. Most teams need both. For Kubernetes, the external-secrets-operator syncs AWS secrets into K8s Secrets automatically — no more kubectl create secret with hardcoded values.
9. Network Security: Three Tiers, One Principle
ALB in public subnet → app in private → data in isolated. Each tier's security group references the tier above it (not CIDR blocks — SG-to-SG references survive IP changes). Enable VPC Flow Logs for visibility into rejected traffic, enable GuardDuty for threat detection (30-day free trial), and add WAF rate limiting for basic DDoS protection.
👉 Full VPC checklist | GuardDuty & WAF checklist
10. Logging & Detection: CloudTrail Is Free (Mostly)
CloudTrail management events are free for 90 days. Enable a multi-region trail and send to S3 for long-term retention. Enable S3 data events selectively on sensitive buckets. Security Hub aggregates findings from GuardDuty, Inspector, Config, and Prowler into a single compliance view. CloudWatch Logs Insights lets you hunt for suspicious activity (IAM policy changes, rejected traffic patterns, unusual console logins).
👉 CloudTrail checklist | Security Hub | CloudWatch
11. Scanning Tools: The Trifecta
Three tools cover the entire lifecycle: Checkov scans IaC before deployment (5000+ rules), Prowler audits the running account (240+ CIS, PCI, HIPAA checks), and Trivy handles container images, IaC, and SBOMs in one tool. Checkov pre-deploy + Prowler post-deploy = comprehensive coverage with zero overlap. Both feed into DefectDojo for tracking.
👉 Prowler checklist | Checkov | Trivy
The Hardening Priority Table
| Priority | Service | Action | Cost | Time |
|---|---|---|---|---|
| 🔴 P0 | S3 | Account-level Block Public Access | Free | 2 min |
| 🔴 P0 | IAM | Enable Access Analyzer | Free | 5 min |
| 🔴 P0 | EC2 | Enforce IMDSv2 (SCP) | Free | 15 min |
| 🔴 P0 | EC2 | Enable EBS encryption by default | Free | 2 min |
| 🟠 P1 | EC2 | Switch from SSH to Session Manager | Free | 1 hour |
| 🟠 P1 | IAM | Deploy SCPs for guardrails | Free | 2 hours |
| 🟠 P1 | CloudTrail | Enable multi-region trail | Free | 15 min |
| 🟠 P1 | GuardDuty | Enable (30-day free trial) | Free→$ | 5 min |
| 🟡 P2 | EKS | Enable Pod Security Standards | Free | 30 min |
| 🟡 P2 | ECS | Separate task role vs execution role | Free | 1 hour |
| 🟡 P2 | Lambda | Function-specific execution roles | Free | 2 hours |
| 🟡 P2 | Network | VPC three-tier architecture | Free | 4 hours |
| 🟢 P3 | Images | Trivy scanning + Distroless | Free | 3 hours |
| 🟢 P3 | EKS | Deploy Falco runtime security | Free | 2 hours |
| 🟢 P3 | Secrets | Secrets Manager + rotation | $0.40/secret | 4 hours |
| 🟢 P3 | Scanning | Prowler weekly + Checkov in CI/CD | Free | 3 hours |
Start with P0 — four actions, all free, under 30 minutes. The full checklists with every CLI command, policy, and config are in the cloud-security-checklists repo.
How This Fits the Ecosystem
This post completes the infrastructure layer of the security stack we've been building across this series:
┌──────────────────────────────────────────────────────────────────┐
│ FULL SECURITY STACK │
│ │
│ CODE SECURITY INFRA SECURITY (this post) │
│ ┌────────────────┐ ┌──────────────────────────┐ │
│ │ DevSecOps │ │ Cloud Security Checklists │ │
│ │ Pipeline │ │ IAM, S3, EC2, Lambda, │ │
│ │ (Gitleaks, │ │ ECS, EKS, VPC, Secrets, │ │
│ │ Semgrep, │ │ Prowler, Checkov, Trivy │ │
│ │ Trivy, ZAP) │ └──────────┬───────────────┘ │
│ └───────┬────────┘ │ │
│ └──────────┬──────────────────┘ │
│ ▼ │
│ ┌─────────────────┐ │
│ │ DefectDojo │ ← All findings aggregated │
│ └────────┬────────┘ │
│ ▼ │
│ ┌─────────────────┐ │
│ │ MCP SecOps │ ← AI-powered investigation │
│ │ Suite │ │
│ └─────────────────┘ │
└──────────────────────────────────────────────────────────────────┘Everything connects: the pipeline secures the code, the checklists secure the infrastructure, Prowler audits the cloud posture, findings flow into DefectDojo for tracking, and the MCP Security Ops Suite ties it all together with AI-powered investigation.
No $50K CSPM. No vendor lock-in. Just AWS-native controls, open-source tools, and the discipline to turn them on.
Resources
Repo: cloud-security-checklists — Every CLI command, policy, and config from this post, organised by service
Chaos to Control ecosystem:
- DevSecOps Pipeline — CI/CD security gates
- IAM Least Privilege Toolkit — Automated IAM right-sizing
- AWS Security Notification System — Real-time Slack alerts
- MCP Security Ops Suite — AI-powered SOC tooling
Previously in this series:
- Building a DevSecOps Pipeline with GitHub Actions — Part 1
- Building a DevSecOps Pipeline — Part 2: Making the Gates Actually Work
- Stop Alerting, Start Blocking: GHAS as a Security Gate
- DefectDojo: Your Security Single Pane of Glass
- Automated AWS Security Auditing with Prowler
- IAM Least Privilege: Auditing & Right-Sizing Permissions
- MCP × SecOps: Wiring 30+ Security Tools into One AI-Powered Nerve Centre
