A root user is created by default with an AWS account. It is recommended to not use the root user for operations other than billing or support contract modifications. For all other operations, IAM should be used.

The first step should be to enable MFA on the root user to ensure its security. IAM Users can be configured with granular IAM policies to govern their access in the environment, or AWS SSO can be utilized (especially in multi-account environments).

AWS Budgets allows you to set custom budgets to track your cost and usage from the simplest to the most complex use cases. With AWS Budgets, you can choose to be alerted by email or SNS notification when actual or forecasted cost and usage exceed your budget threshold:

Another option is to use CloudWatch to set up billing alarms for notifications when an AWS bill reaches a specific threshold:

Ensure governance, compliance, operational auditing, and risk auditing of AWS accounts by configuring AWS CloudTrail and AWS Config:

• AWS CloudTrail provides event-history of an AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command-line tools, and other AWS services.
• AWS Config tracks changes in configurations and relationships between AWS resources and provides detailed resource configuration histories. Config can also be used for overall configuration compliance using Config Rules.

CloudTrail and Config store their logs in S3 buckets. CloudTrail also provides an option to forward logs to a CloudWatch Log Group, which can allow for better search capability and notification creation using CloudWatch metrics and alarms. 

Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior by analyzing CloudTrail, VPC Flow Log and DNS Log activity in an AWS Account.

AWS WAF helps protect internet-facing applications and API endpoints. AWS WAF integrates with CloudFront, Load Balancers, and API Gateway to inspect (and optionally drop) traffic deemed malicious. Use the AWS Managed Rules package to get started or one of the partner-managed rule packages (e.g. F5, Imperva, Fortinet, etc.)

AWS provides several services to help monitor configuration and ensure compliance with security standards and best-practices: 

• AWS Security Hub runs automated, continuous security checks based on industry standards and best practices, such as the Center for Internet Security (CIS) AWS Foundations Benchmark, AWS Foundational Security Best Practices and Payment Card Industry Data Security Standard (PCI DSS)
• AWS Config Rules define conditions that describe the target ideal configuration. When resource configuration changes, AWS Config continuously tracks these changes and checks whether they violate the defined rules.
• Amazon Macie is used to discover, monitor, and help you protect sensitive data in Amazon S3. Macie automates the discovery of sensitive data, such as personal identifying information (PII) and intellectual property. Macie also identifies overly permissive or unencrypted buckets across AWS accounts.  
• IAM Access Analyzer helps identify resources in AWS accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity, and alert when that happens. 
• Trusted Advisor provides real-time guidance to help provision resources following AWS best practices including security checks. 

Configure AWS CloudWatch Events to send real-time notifications for security events and findings based on the AWS security and compliance services enabled (GuardDuty, Security Hub, Trusted Advisor, Config Rules, etc.).

Additional notifications can be configured with CloudWatch Alarms based on specific CloudTrail events in the environment

AWS services such as S3 and EMR provide features to ensure public access is not permitted in the account. For other services, set up Config rules to detect if public access is allowed:

AWS provides data-at-rest options and key management (AWS KMS) to support the encryption process. Use KMS to create customer-managed keys to be used to encrypt AWS resources.

AWS services such as EC2 include settings to enable default encryption for all instances.

In new AWS accounts, it is recommended to delete the default VPC, and create new VPCs with separate subnet tiers for public and private resources, and utilize multiple availability zones (AZs) for high availability. Build a custom VPC that fits your environment using the following templates:

Define Security Groups to govern network access within the VPC. Security groups whitelist traffic by protocols, ports, and source IP addresses (or security groups). For an additional layer of security, use Network Access Lists (NACLs) to allow or deny traffic on the subnet level.

Choose from one of the following predefined templates to deploy security groups and NACLs (or build custom ones) into an existing VPC :

Add IPS, URL Filtering, Rate Limit rule capabilities by using AWS Network Firewall in a VPC:

AWS provides capabilities to log network activity for resources deployed in VPCs using the following options:

• VPC Flow Logs capture network flow information for IP traffic going to and from network interfaces in a VPC (includes source/destination IP address and ports, bytes transferred, firewall action, and more). Flow log data can be published to Amazon CloudWatch Logs or Amazon S3
• VPC Traffic Mirroring creates a copy of the network traffic to/from a specific interface in a VPC and streams it to a specified destination for analysis
• VPC DNS Logging monitor DNS queries in a VPC by configuring Route53 Resolver Query Logging

Use AWS SSM Session Manager or EC2 Connect to access EC2 instances without relying on long-term keys, and to provide an audit trail for users access instances. Session Manager also allows logging users' sessions to CloudWatch Logs or S3:

• AWS Session Manager: Uses the AWS Systems Manager (SSM) agent to provide a bash or powershell session for the IAM user, without having to open any inbound ports on the instance. 
• EC2 Connect: Supported on CentOs and Amazon Linux, and allows pushing a temporary SSH key for one-time sessions over SSH.

Both services use IAM for authentication (which can be federated to Active Directory or other providers), and CloudTrail for audit logging.

Set up automated vulnerability and patching for EC2 instances to ensure they are not affected by the latest vulnerabilities and have the latest patches applied regularly:

• Amazon Inspector is an agent-based solution that can be used to run recurring vulnerability assessments (as well as other packaged assessments such as CIS standards and security best practices).
• AWS Systems Manager (SSM) Patch Manager scans and installs missing patches on EC2 instances. Create SSM Maintenance Windows to regularly run these operations and control how patching is applied.