Security · Insights ·

7 AWS security mistakes we see every week

Repeated misconfigurations that show up in almost every review — and the fixes that do not require a six-month security program.

You do not need a novel zero-day to have a bad week on AWS. Most incidents we help triage start with known misconfigurations that were never prioritized. Here are seven we see in reviews across Maine, New England, and remote US teams.

1. Long-lived access keys on humans

IAM users with access keys older than 90 days — often tied to a former contractor’s laptop script. Fix: IAM Identity Center for people; keys only for break-glass automation with rotation.

2. Public S3 buckets (or buckets that became public)

“Temporary” public reads for marketing assets that never got locked down. Fix: Block Public Access at account level; CloudFront OAC for website origins; periodic audits with Access Analyzer.

3. Security groups that say 0.0.0.0/0 on admin ports

SSH, RDP, or database ports open to the internet “for debugging.” Fix: SSM Session Manager, bastion with IP allowlists, or VPN; never permanent open admin ports.

4. No MFA on privileged roles

AdministratorAccess available without MFA for console users. Fix: enforce MFA in IAM Identity Center; reduce who has admin; use permission sets per account.

5. CloudTrail off or single-region only

No organization trail, or logs retained for 14 days with no alerting. Fix: multi-region trail, log file validation, S3 lifecycle + SNS/Security Hub integration.

6. Default VPC resources treated as “prod”

Workloads launched in the default VPC with default NACLs and no segmentation. Fix: explicit VPC design; separate accounts for prod vs. non-prod via Organizations.

7. Encryption optional “for now”

Unencrypted EBS, RDS without KMS, secrets in plain environment variables. Fix: default encryption policies; Secrets Manager; KMS keys with clear ownership.


None of these require buying a dozen security tools on day one. They require habit: baseline checklist, monthly review, and someone accountable after go-live. For a structured starting point, use our pre-migration security checklist and shared responsibility primer.