Security, cost, and operational excellence for AWS workloads.
Lock down the root user with hardware MFA and never use it for daily operations.
Prefer IAM roles for EC2, ECS, Lambda. Rotate any access keys regularly.
Capture every API call. Send to a centralized, immutable S3 bucket.
KMS-encrypt S3, EBS, RDS, Snapshots — and enforce via SCPs.
Avoid public internet for AWS service traffic where possible.
Mandatory tags: Owner, Environment, CostCenter, Project.
Multi-account strategy with guardrails enforced by SCPs.
Right-size using CloudWatch utilization metrics; commit to reserved capacity only for predictable, steady-state workloads.
Continuous compliance monitoring against CIS/NIST.
Automated cross-region backups; documented DR runbook tested quarterly.
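One way to enforce the "KMS-encrypt and enforce via SCPs" item with an organization-level guardrail, as an added example that is not part of the original checklist: a service control policy that denies creating unencrypted EBS volumes and RDS databases, and denies S3 uploads that explicitly request an encryption method other than KMS. The condition keys used (`ec2:Encrypted`, `rds:StorageEncrypted`, `s3:x-amz-server-side-encryption`) are documented AWS keys, but which API actions they apply to in each region, and that member buckets already have SSE-KMS default encryption set, are assumptions to verify against the AWS service authorization reference before attaching the policy.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyUnencryptedEbsVolumes",
      "Effect": "Deny",
      "Action": ["ec2:CreateVolume", "ec2:RunInstances"],
      "Resource": "arn:aws:ec2:*:*:volume/*",
      "Condition": {
        "Bool": { "ec2:Encrypted": "false" }
      }
    },
    {
      "Sid": "DenyUnencryptedRdsStorage",
      "Effect": "Deny",
      "Action": ["rds:CreateDBInstance", "rds:CreateDBCluster"],
      "Resource": "*",
      "Condition": {
        "Bool": { "rds:StorageEncrypted": "false" }
      }
    },
    {
      "Sid": "DenyS3PutObjectRequestingNonKmsEncryption",
      "Effect": "Deny",
      "Action": "s3:PutObject",
      "Resource": "*",
      "Condition": {
        "StringNotEqualsIfExists": {
          "s3:x-amz-server-side-encryption": "aws:kms"
        }
      }
    }
  ]
}
```

The S3 statement deliberately uses `StringNotEqualsIfExists` so uploads that send no encryption header still succeed and fall through to the bucket's default SSE-KMS setting; SCPs also never restrict the management account, so the root-user and account-structure items above remain separate controls.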