As you begin securing your cloud environment, here are some guidelines and tips on security best practices. They are AWS-centric, but most of them apply to other cloud providers as well.
Develop a multi-account model where appropriate to limit blast radius: for example, a development account kept separate from a production account, or separate accounts for different departments and the workloads they own. Services such as AWS Control Tower can automate the setup and ongoing governance of new multi-account AWS environments.
Protect your root accounts. Do not use the root user for daily activities. Root access keys should be deleted rather than used, unless strictly required. MFA should be enabled on the root user and on every IAM user that has console access.
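The quickest way to verify the root and MFA guidance above across an account is the IAM credential report (`aws iam get-credential-report`, whose Content field is a base64-encoded CSV). The following is an added example, not code from the original page: it parses a constructed report in that CSV layout and flags an active root access key, root console use within the last 30 days, and IAM users that have a console password but no MFA. The account ID, user names and timestamps in the sample are invented, and AS_OF is a fixed reference date so the sample evaluates the same way every run.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample in the column layout of the IAM credential report.
# Deliberate problems: the root user has an active access key and a recent
# console sign-in, and "deploy-bot" has a console password but no MFA.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,not_supported,2024-05-01T10:00:00+00:00,not_supported,not_supported,true,true,2020-01-01T00:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2021-03-10T00:00:00+00:00,true,2024-05-02T08:00:00+00:00,2024-01-10T00:00:00+00:00,2024-04-10T00:00:00+00:00,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,2022-06-01T00:00:00+00:00,true,2024-05-02T09:00:00+00:00,2022-06-01T00:00:00+00:00,2022-09-01T00:00:00+00:00,false,true,2022-06-01T00:00:00+00:00,2024-05-02T09:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

ROOT_USER = "<root_account>"          # how the report names the root user
ROOT_RECENT_DAYS = 30                  # root sign-ins newer than this are flagged
AS_OF = datetime(2024, 5, 3, tzinfo=timezone.utc)   # constructed reference date

# Placeholder values the report uses where no timestamp exists.
_NO_VALUE = {"N/A", "no_information", "not_supported"}


def _timestamp(value):
    """Parse a report timestamp, returning None for the placeholder values."""
    return None if value in _NO_VALUE else datetime.fromisoformat(value)


def audit_credential_report(report_csv, now=None):
    """Return one finding string per violation of the root/MFA guidance."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        mfa_enabled = row["mfa_active"] == "true"
        key_active = any(row["access_key_%d_active" % n] == "true" for n in (1, 2))

        if user == ROOT_USER:
            if key_active:
                findings.append("root: active access key present; delete it")
            if not mfa_enabled:
                findings.append("root: MFA not enabled")
            last_used = _timestamp(row["password_last_used"])
            if last_used and (now - last_used).days <= ROOT_RECENT_DAYS:
                findings.append(
                    "root: console sign-in within the last %d days; "
                    "root must not be used for daily work" % ROOT_RECENT_DAYS
                )
            continue

        # Only users with a console password need MFA for console access;
        # access-key-only users are handled by key rotation policy instead.
        if row["password_enabled"] == "true" and not mfa_enabled:
            findings.append("%s: console password set but MFA not enabled" % user)
    return findings


if __name__ == "__main__":
    for finding in audit_credential_report(SAMPLE_REPORT, now=AS_OF):
        print(finding)
```

Feed it the decoded Content of a real report and drop the now argument to evaluate against the current date. The same report carries key rotation dates, so the function is a natural place to add an access-key age check once the basics above are clean.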
Within your VPCs and subnets, use network ACLs and security groups to control both inbound and outbound traffic. Follow the principle of least privilege and allow only the traffic that is actually required.
Devise a strategy for both encryption at rest and encryption in transit: AWS Key Management Service (KMS) for keys at rest, choosing the key type (AWS managed, customer managed, or imported key material) that fits your environment and requirements, and TLS for data in transit.
Enable Amazon GuardDuty, which analyzes CloudTrail events, VPC Flow Logs and DNS logs for indicators of compromise and suspicious activity in your cloud environment. Assign dedicated personnel to review its findings regularly and act on them.
Use AWS Config rules. Several managed rules are extremely useful out of the box, for example detecting publicly accessible S3 buckets and triggering automated remediation, or identifying security groups that expose critical ports such as SSH or RDP to the internet.
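The security-group half of the least-privilege check above (and the exposed-SSH/RDP condition the Config managed rules look for) is simple enough to run yourself against the output of describe-security-groups. The following is an added example, not code from the original page or an AWS artifact: it evaluates constructed security groups in the shape of ec2.describe_security_groups()["SecurityGroups"] and reports every rule that makes SSH or RDP reachable from 0.0.0.0/0 or ::/0, including the two cases a naive port comparison misses: the "-1" all-traffic protocol and a port range that happens to contain 3389. Group IDs and names are invented.

```python
import ipaddress

# Ports the check treats as sensitive; extend as your environment requires.
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP"}

# Constructed sample in the shape of ec2.describe_security_groups()["SecurityGroups"].
# Only the keys the check reads are included. UserIdGroupPairs and PrefixListIds
# sources are out of scope here because they never mean "the internet".
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0bbb", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},   # internal only
    ]},
    {"GroupId": "sg-0ccc", "GroupName": "legacy-all", "IpPermissions": [
        # "-1" means every protocol and every port; FromPort/ToPort are absent.
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
    {"GroupId": "sg-0ddd", "GroupName": "windows-range", "IpPermissions": [
        # A wide range that silently includes RDP.
        {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
]


def _covers_port(perm, port):
    """True if this rule admits TCP traffic to the given port."""
    proto = perm["IpProtocol"]
    if proto == "-1":                      # all protocols, all ports
        return True
    if proto not in ("tcp", "6"):          # UDP/ICMP rules cannot expose SSH/RDP
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def _public_sources(perm):
    """Return the IPv4/IPv6 sources in the rule that mean 'anywhere'."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    # A /0 prefix is the only CIDR that means the whole internet.
    return [c for c in cidrs if ipaddress.ip_network(c, strict=False).prefixlen == 0]


def find_exposed_sensitive_ports(groups):
    """Return (group_id, service, source_cidr) for every public SSH/RDP exposure."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            public = _public_sources(perm)
            if not public:
                continue
            for port, name in SENSITIVE_PORTS.items():
                if _covers_port(perm, port):
                    for src in public:
                        findings.append((group["GroupId"], name, src))
    return findings


if __name__ == "__main__":
    for group_id, service, src in find_exposed_sensitive_ports(SAMPLE_GROUPS):
        print("%s exposes %s to %s" % (group_id, service, src))
```

Run it over the real API output (paginated with describe_security_groups in every region you use) to get the same signal the managed rules give, or use it to validate that an automated remediation, such as an SSM Automation document that strips the offending rule, actually closed the exposure.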
Review AWS Trusted Advisor periodically to evaluate the security checks it runs against your AWS environment.
Use Amazon Inspector to scan for vulnerabilities, and AWS Systems Manager Patch Manager to gain visibility into patch compliance and automate patching.
At this point you should be running Amazon GuardDuty, AWS Config and Amazon Inspector. Enable AWS Security Hub to aggregate the findings from these services into a single view where you can evaluate them and prioritize your actions.
Define your endpoint security strategy. Select the endpoint detection and response (EDR) solution most appropriate for your instances.
If you run public-facing web applications, you must have a DDoS protection strategy. Consider AWS Shield Standard (enabled by default), AWS Shield Advanced, and AWS WAF.
If your applications use databases, store the database credentials in AWS Secrets Manager and configure scheduled rotation of those secrets.
In this phase you can start deploying incident response automation, using native cloud APIs to shorten the time between detection and mitigation.
Use AWS Lambda and other serverless services such as AWS Step Functions to automate incident response processes.
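A concrete instance of the detection-to-mitigation loop described in the two paragraphs above is a Lambda function, triggered by an EventBridge rule on GuardDuty findings, that quarantines a compromised EC2 instance by replacing its security groups. The following is an added example, not code from the original page: the finding event is a constructed sample in the EventBridge "GuardDuty Finding" shape with only the fields the handler reads filled in, the quarantine security group ID is a hypothetical value that in practice comes from the function's configuration, and FakeEC2 is a local stand-in for the boto3 EC2 client so the decision logic can be run offline. The function's role would need ec2:DescribeInstances and ec2:ModifyInstanceAttribute.

```python
import json

# Constructed sample of the EventBridge event for a GuardDuty finding.
SAMPLE_EVENT = {
    "detail-type": "GuardDuty Finding",
    "source": "aws.guardduty",
    "detail": {
        "type": "UnauthorizedAccess:EC2/SSHBruteForce",
        "severity": 5,                       # GuardDuty: 1-3.9 low, 4-6.9 medium, 7+ high
        "resource": {
            "resourceType": "Instance",
            "instanceDetails": {"instanceId": "i-0123456789abcdef0"},
        },
    },
}

# Assumed deployment parameters. The quarantine group (no inbound or outbound
# rules) is created ahead of time; its ID here is a hypothetical placeholder.
QUARANTINE_SG = "sg-0quarantine"
SEVERITY_THRESHOLD = 4.0    # act on medium and high findings


def plan_isolation(event, threshold=SEVERITY_THRESHOLD):
    """Return the instance ID to isolate, or None if no action is warranted."""
    if event.get("source") != "aws.guardduty":
        return None
    detail = event.get("detail", {})
    if detail.get("resource", {}).get("resourceType") != "Instance":
        return None                      # IAM/S3 findings need a different playbook
    if float(detail.get("severity", 0)) < threshold:
        return None
    return detail["resource"]["instanceDetails"].get("instanceId")


def isolate_instance(ec2, instance_id, quarantine_sg=QUARANTINE_SG):
    """Swap the instance's security groups for the quarantine group.

    The previous groups are recorded so the instance can be restored after
    forensics. `ec2` is a boto3 EC2 client or anything with the same two calls.
    """
    resp = ec2.describe_instances(InstanceIds=[instance_id])
    instance = resp["Reservations"][0]["Instances"][0]
    previous = [g["GroupId"] for g in instance["SecurityGroups"]]
    # Replaces the groups on the primary network interface.
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[quarantine_sg])
    return {"instance": instance_id, "previous_groups": previous, "now": [quarantine_sg]}


def lambda_handler(event, context, ec2=None):
    instance_id = plan_isolation(event)
    if instance_id is None:
        return {"action": "none"}
    if ec2 is None:
        import boto3                     # imported lazily so the logic above is testable offline
        ec2 = boto3.client("ec2")
    result = isolate_instance(ec2, instance_id)
    print(json.dumps(result))            # ends up in CloudWatch Logs for the responder
    return {"action": "isolated", **result}


class FakeEC2:
    """Offline stand-in for the boto3 EC2 client, used for dry runs and tests."""

    def __init__(self):
        self.calls = []

    def describe_instances(self, InstanceIds):
        return {"Reservations": [{"Instances": [{
            "InstanceId": InstanceIds[0],
            "SecurityGroups": [{"GroupId": "sg-0web", "GroupName": "web"}],
        }]}]}

    def modify_instance_attribute(self, **kwargs):
        self.calls.append(kwargs)
        return {}


if __name__ == "__main__":
    print(lambda_handler(SAMPLE_EVENT, None, ec2=FakeEC2()))
```

Two caveats for production use: ModifyInstanceAttribute with Groups only touches the primary network interface, so instances with several ENIs need modify_network_interface_attribute per interface, and the function should record the previous groups somewhere durable (a tag on the instance or a DynamoDB item) rather than only in its logs, since restoring connectivity is part of the same playbook.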
During a real incident you will not have time to experiment, so be as prepared as possible in advance. Run tabletop exercises (discussion-based sessions), create runbooks and playbooks, and consider game days and cyberattack simulations.