
Introduction
In this tutorial we cover VPC security and IAM best practices while showing how to implement automated compliance checks using AWS Config and AWS Security Hub. You will learn design patterns for secure networks, practical IAM controls, and step‑by‑step automation to detect and respond to misconfigurations at scale. Follow the examples to reduce risk and speed remediation.
Designing secure VPCs
Start with a predictable network layout: separate public and private subnets, use route tables that give private resources no direct route to the internet, and use security groups (rather than NACLs) for fine-grained control of exposure. Apply these practical controls:
- Use at least two AZs with private subnets for workloads and dedicated public subnets for load balancers.
- Enforce least exposure: security groups should follow a deny‑by‑default mindset (no wide 0.0.0.0/0 openings for RDP/SSH). Restrict management access via bastion hosts or AWS Systems Manager Session Manager.
- Enable VPC Flow Logs to S3 or CloudWatch Logs to monitor traffic patterns and detect anomalies. Example: create flow logs for a VPC and send to CloudWatch Logs for centralized analysis.
- Use VPC endpoints (Gateway/Interface) for AWS services to avoid traffic traversing the public internet and reduce the attack surface.
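The "no wide 0.0.0.0/0 openings for RDP/SSH" control above is easy to state and easy to miss when a rule covers a port range or all protocols. The following is an added example (not code from the tutorial or from AWS) that inspects a security group in the shape returned by EC2 DescribeSecurityGroups and reports management ports reachable from the whole internet; the sample group is constructed, and the port list and "very large prefix counts as world-open" threshold are this example's own choices.

```python
"""Flag security group ingress rules exposing management ports to the world.

Added example, not from the original tutorial. Input mirrors the IpPermissions
structure returned by EC2 DescribeSecurityGroups; SAMPLE_SG is constructed.
"""
import ipaddress

MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP"}   # extend as needed
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def _ports_in_rule(perm):
    """Return the management ports covered by one IpPermission entry."""
    if perm.get("IpProtocol") == "-1":          # "-1" means all protocols/ports
        return set(MANAGEMENT_PORTS)
    if perm.get("IpProtocol") not in ("tcp", "6"):
        return set()
    lo = perm.get("FromPort", 0)
    hi = perm.get("ToPort", 65535)
    return {p for p in MANAGEMENT_PORTS if lo <= p <= hi}


def _is_world_open(perm):
    """True if any IPv4/IPv6 range on the rule is (effectively) the internet."""
    ranges = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    ranges += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    for cidr in ranges:
        if cidr in WORLD_CIDRS:
            return True
        # A /0 split into /1 halves is still the whole internet; treat as open.
        if ipaddress.ip_network(cidr, strict=False).prefixlen <= 1:
            return True
    return False


def find_exposed_management_ports(security_group):
    """Return sorted (port, service) pairs reachable from 0.0.0.0/0 or ::/0."""
    findings = set()
    for perm in security_group.get("IpPermissions", []):
        if _is_world_open(perm):
            for port in _ports_in_rule(perm):
                findings.add((port, MANAGEMENT_PORTS[port]))
    return sorted(findings)


# Constructed sample: a "bastion" group that wrongly exposes SSH (v4) and RDP (v6).
SAMPLE_SG = {
    "GroupId": "sg-0123456789abcdef0",
    "GroupName": "bastion-sg",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ],
}

if __name__ == "__main__":
    for port, svc in find_exposed_management_ports(SAMPLE_SG):
        print(f"{SAMPLE_SG['GroupId']}: {svc} (tcp/{port}) open to the world")
```

Run against real groups by feeding each element of DescribeSecurityGroups' SecurityGroups list to find_exposed_management_ports; the HTTPS rule is deliberately not flagged, since the check is about management ports, not all public exposure.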
Implementing IAM best practices
IAM is critical to secure operations. Adopt these best practices and checks as part of your baseline:
- Least privilege: create narrowly scoped roles and policies. Prefer IAM roles to long‑lived access keys.
- Enable MFA for console access and root account; remove or rotate unused access keys. Use services like AWS Secrets Manager for programmatic credentials when appropriate.
- Use IAM Access Analyzer to detect resources shared with external principals, and set permissions boundaries to constrain privilege escalation.
- Centralize identity with AWS Single Sign‑On (IAM Identity Center) or federation to reduce IAM user sprawl and improve auditing.
Example check: audit policies for wildcard actions ("Action": "*") and remove or tighten them. Use IAM Access Advisor and Access Analyzer to validate which permissions are actually used in production.
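The wildcard audit just described, as an added example that is not part of the tutorial. It walks a policy document's Allow statements and grades them: a bare "*" Action or an Allow with NotAction is high, service-wide actions such as "s3:*" are medium, and Resource "*" on otherwise narrow actions is low (many Describe/List calls legitimately need it, so it is a review item rather than a defect). The severity scale and the sample policy are this example's own.

```python
"""Audit IAM policy documents for over-broad Allow statements.

Added example, not from the original tutorial. SAMPLE_POLICY is constructed.
"""
import json


def _as_list(value):
    """Action/Resource may be a string or a list in IAM JSON; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_policy(policy_doc):
    """Return one finding dict per risky Allow statement, in document order.

    policy_doc may be a JSON string or an already-parsed dict.
    """
    doc = json.loads(policy_doc) if isinstance(policy_doc, str) else policy_doc
    findings = []
    for idx, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only take privilege away
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        problems, severity = [], None
        if "*" in actions:
            problems.append("Action is '*'")
            severity = "high"
        if stmt.get("NotAction") is not None:
            problems.append("NotAction with Allow grants every action not listed")
            severity = "high"
        service_wide = [a for a in actions if a != "*" and a.endswith(":*")]
        if service_wide:
            problems.append("service-wide actions: " + ", ".join(service_wide))
            severity = severity or "medium"
        if "*" in resources:
            problems.append("Resource is '*'")
            severity = severity or "low"
        if problems:
            findings.append({"Sid": stmt.get("Sid", f"Statement[{idx}]"),
                             "Severity": severity, "Problems": problems})
    return findings


# Constructed sample policy mixing one admin statement with narrower ones.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AdminEverything", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "S3Wide", "Effect": "Allow", "Action": ["s3:*"],
         "Resource": "arn:aws:s3:::app-bucket/*"},
        {"Sid": "ReadOnly", "Effect": "Allow", "Action": ["ec2:DescribeInstances"],
         "Resource": "*"},
        {"Sid": "ScopedWrite", "Effect": "Allow", "Action": ["s3:PutObject"],
         "Resource": "arn:aws:s3:::app-bucket/uploads/*"},
        {"Sid": "DenyAll", "Effect": "Deny", "Action": "*", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for f in audit_policy(SAMPLE_POLICY):
        print(f"[{f['Severity']}] {f['Sid']}: {'; '.join(f['Problems'])}")
```

To run it over an account, fetch each customer-managed policy's default version with IAM GetPolicyVersion (the Document field is URL-encoded JSON) and pass it in; the high findings are the ones to fix first, the low ones are what Access Advisor data helps you judge.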
Automating compliance with AWS Config
AWS Config continuously assesses resource configurations against rules so you can detect drift and misconfigurations. Implement these automated checks:
- Enable the AWS Config recorder and a delivery channel to an S3 bucket and, optionally, an aggregator for multi‑account visibility. Example CLI commands:
aws configservice put-configuration-recorder --configuration-recorder name=default,roleARN=arn:aws:iam::123456789012:role/ConfigRole
aws configservice put-delivery-channel --delivery-channel name=default,s3BucketName=my-config-bucket
aws configservice start-configuration-recorder --configuration-recorder-name default
- Use managed AWS Config rules (for example, verify VPC flow logs are enabled, check for public RDS snapshots, or evaluate security group port exposure). Add rules via the console or CLI: aws configservice put-config-rule --config-rule file://rule.json.
- Create custom Config rules backed by Lambda to evaluate nuanced policy constraints such as enforcing specific tag patterns, checking IAM policy statements for high risk, or verifying that VPC endpoints exist for S3 in private deployments.
Tip: bundle rules into a Conformance Pack for consistent deployment across accounts.
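A Lambda-backed custom rule of the kind described above, enforcing tag patterns, as an added example (not code from the tutorial or from AWS). Config invokes the function with invokingEvent (a JSON string carrying the configurationItem), ruleParameters (a JSON string) and a resultToken, and expects the result back through PutEvaluations. The convention that each rule parameter is a tag name whose value is the regular expression the tag must match, the in-scope resource types, and the sample event are this example's own assumptions.

```python
"""Custom AWS Config rule (Lambda-backed) that enforces tag patterns.

Added example, not from the original tutorial or from AWS. Rule parameters
are assumed to be {tagName: regex}; SAMPLE_EVENT is constructed to match the
shape Config sends to a custom rule's Lambda function.
"""
import json
import re

# Resource types this rule evaluates; everything else is reported NOT_APPLICABLE.
APPLICABLE_TYPES = {"AWS::EC2::Instance", "AWS::EC2::SecurityGroup", "AWS::S3::Bucket"}


def evaluate_tags(config_item, tag_rules):
    """Return (compliance_type, annotation) for one configuration item."""
    if config_item.get("resourceType") not in APPLICABLE_TYPES:
        return "NOT_APPLICABLE", "resource type not in scope"
    if config_item.get("configurationItemStatus") in ("ResourceDeleted",
                                                       "ResourceDeletedNotRecorded"):
        return "NOT_APPLICABLE", "resource deleted"
    tags = config_item.get("tags") or {}
    problems = []
    for name, pattern in tag_rules.items():
        value = tags.get(name)
        if value is None:
            problems.append(f"missing tag {name}")
        elif not re.fullmatch(pattern, value):
            problems.append(f"tag {name}={value!r} does not match {pattern}")
    if problems:
        return "NON_COMPLIANT", "; ".join(problems)[:256]  # Annotation max length
    return "COMPLIANT", "all required tags present and well-formed"


def build_evaluation(event):
    """Parse the Config invocation event into one PutEvaluations entry."""
    invoking = json.loads(event["invokingEvent"])
    item = invoking["configurationItem"]
    rules = json.loads(event.get("ruleParameters") or "{}")
    compliance, note = evaluate_tags(item, rules)
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context):
    """Lambda entry point: evaluate the item and report back to AWS Config."""
    import boto3  # imported here so the pure logic above runs offline
    evaluation = build_evaluation(event)
    boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"]
    )
    return evaluation["ComplianceType"]


# Constructed invocation: CostCenter is present but malformed.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::EC2::Instance",
            "resourceId": "i-0abc1234def567890",
            "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2024-01-15T10:00:00.000Z",
            "tags": {"Owner": "alice@example.com", "CostCenter": "CC-12"},
        },
    }),
    "ruleParameters": json.dumps({"Owner": r"^[a-z.]+@example\.com$",
                                  "CostCenter": r"^CC-[0-9]{4}$"}),
    "resultToken": "example-token",
}

if __name__ == "__main__":
    print(json.dumps(build_evaluation(SAMPLE_EVENT), indent=2))
```

The function's execution role needs config:PutEvaluations, and Config must be allowed to invoke the function (aws lambda add-permission with the config.amazonaws.com principal) before the rule is created with the function's ARN as its source.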
Aggregating findings in AWS Security Hub and response
AWS Security Hub centralizes findings from Config, GuardDuty, Inspector, and partner tools and maps them to standards such as the CIS AWS Foundations benchmark.
- Enable Security Hub: aws securityhub enable-security-hub. Then enable standards (for example CIS AWS Foundations) via the console or API to get prioritized control checks.
- Connect AWS Config as a data source so noncompliant Config rules surface as Security Hub findings. Security Hub normalizes findings and assigns severity so you can prioritize remediation.
- Automate response workflows: create CloudWatch Events (EventBridge) rules that trigger AWS Lambda or Systems Manager Automation documents when a high‑severity finding appears. Example: on detection of an overly permissive security group, automatically remove the offending ingress rule and notify the security channel.
- Measure and iterate: track mean time to detect (MTTD) and mean time to remediate (MTTR) using Security Hub findings and runbooks. Use Security Hub insights to filter recurring issues across accounts.
Putting it together: example workflow
An example flow: you enable AWS Config across an organization with a Config aggregator, deploy a conformance pack enforcing VPC and IAM checks, and enable Security Hub with the CIS standard. A Config rule flags an S3 bucket open to the public; Config produces a finding that is forwarded to Security Hub, which triggers an EventBridge rule that runs an AWS Lambda function to remediate (lock the bucket ACL) and posts a detailed message to an incident Slack channel for manual review.
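The response step of this workflow, and the overly-permissive-security-group case mentioned in the Security Hub section, as one added example that is not code from the tutorial or from AWS. It assumes an EventBridge rule matching "Security Hub Findings - Imported" events invokes the function. Each actionable finding is converted into a remediation plan (boto3 client, method and parameters) before anything is executed, so the decision logic can be inspected and tested offline; the ASFF findings in the sample event are constructed, and the severity threshold and the two remediations are this example's own choices.

```python
"""EventBridge-triggered remediation for Security Hub findings.

Added example, not from the original tutorial or from AWS. SAMPLE_EVENT is a
constructed EventBridge event carrying ASFF findings.
"""
import json

ACTIONABLE = {"HIGH", "CRITICAL"}
WORLD = {"0.0.0.0/0", "::/0"}


def _lock_bucket(resource):
    """Plan: block all public access on the bucket named in the finding."""
    bucket = resource["Id"].rsplit(":::", 1)[-1]      # arn:aws:s3:::name -> name
    return {"client": "s3", "method": "put_public_access_block",
            "params": {"Bucket": bucket, "PublicAccessBlockConfiguration": {
                "BlockPublicAcls": True, "IgnorePublicAcls": True,
                "BlockPublicPolicy": True, "RestrictPublicBuckets": True}}}


def _revoke_world_ingress(resource):
    """Plan: revoke only the ingress entries open to 0.0.0.0/0 or ::/0."""
    sg = resource.get("Details", {}).get("AwsEc2SecurityGroup", {})
    offending = []
    for perm in sg.get("IpPermissions", []):
        v4 = [r for r in perm.get("IpRanges", []) if r.get("CidrIp") in WORLD]
        v6 = [r for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") in WORLD]
        if not (v4 or v6):
            continue
        entry = {k: perm[k] for k in ("IpProtocol", "FromPort", "ToPort") if k in perm}
        if v4:
            entry["IpRanges"] = [{"CidrIp": r["CidrIp"]} for r in v4]
        if v6:
            entry["Ipv6Ranges"] = [{"CidrIpv6": r["CidrIpv6"]} for r in v6]
        offending.append(entry)
    if not offending:
        return None
    return {"client": "ec2", "method": "revoke_security_group_ingress",
            "params": {"GroupId": sg["GroupId"], "IpPermissions": offending}}


HANDLERS = {"AwsS3Bucket": _lock_bucket, "AwsEc2SecurityGroup": _revoke_world_ingress}


def plan_remediation(event):
    """Return remediation plans for actionable, unresolved findings in the event."""
    plans = []
    for finding in event.get("detail", {}).get("findings", []):
        if finding.get("Severity", {}).get("Label") not in ACTIONABLE:
            continue
        if finding.get("Workflow", {}).get("Status") == "RESOLVED":
            continue  # already handled; do not re-apply
        for res in finding.get("Resources", []):
            handler = HANDLERS.get(res.get("Type"))
            plan = handler(res) if handler else None
            if plan:
                plan["finding_id"] = finding["Id"]
                plans.append(plan)
    return plans


def execute(plans, dry_run=True):
    """Apply the plans with boto3; in dry_run mode only list what would run."""
    done = []
    for p in plans:
        if not dry_run:
            import boto3
            getattr(boto3.client(p["client"]), p["method"])(**p["params"])
        done.append(f"{p['client']}.{p['method']}")
    return done


def lambda_handler(event, context):
    done = execute(plan_remediation(event), dry_run=False)
    # Posting the summary to the incident channel (SNS, webhook) would go here.
    print(json.dumps({"remediated": done}))
    return done


SAMPLE_EVENT = {
    "detail-type": "Security Hub Findings - Imported",
    "detail": {"findings": [
        {"Id": "finding-s3-1", "Severity": {"Label": "CRITICAL"}, "Workflow": {"Status": "NEW"},
         "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::example-public-bucket"}]},
        {"Id": "finding-sg-1", "Severity": {"Label": "HIGH"}, "Workflow": {"Status": "NEW"},
         "Resources": [{"Type": "AwsEc2SecurityGroup",
                        "Id": "arn:aws:ec2:us-east-1:123456789012:security-group/sg-0123456789abcdef0",
                        "Details": {"AwsEc2SecurityGroup": {"GroupId": "sg-0123456789abcdef0", "IpPermissions": [
                            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
                            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]}}}]},
        {"Id": "finding-low-1", "Severity": {"Label": "LOW"},
         "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::ignored-bucket"}]},
    ]},
}
```

Keeping plan and execution separate is deliberate: the plan can be logged to the incident channel verbatim, and the same function can run in dry-run mode while you tune the EventBridge pattern. Only the world-open entries are revoked, so the internal 10.0.0.0/8 rule survives; the execution role needs s3:PutBucketPublicAccessBlock and ec2:RevokeSecurityGroupIngress and nothing broader.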
Conclusion
VPC security and IAM best practices paired with automated AWS Config checks and Security Hub aggregation form a repeatable security baseline. Design networks with least exposure, enforce least privilege in IAM, and automate detection and response so misconfigurations are found quickly and fixed consistently. Start small with high‑risk rules, measure results, and expand coverage across accounts.