Identity and Access Management (IAM)
IAM is the new perimeter. Compromised cloud credentials are the primary vector for infrastructure breaches.
- MFA Enforcement: Multi-Factor Authentication is enforced for all IAM users, especially the root account.
- Least Privilege Roles: EC2 instances or Lambda functions are assigned specific IAM roles with only the permissions necessary to execute their tasks, rather than attaching broad administrative policies.
- No Hardcoded Credentials: Access keys are not hardcoded in source code or committed to Git. Developers use AWS SSO or temporary STS tokens.
- Inactive Key Rotation: Access keys older than 90 days are automatically disabled or rotated.
Storage and Data Security
Leaking KYC documents from an open S3 bucket is a career-ending event for a fintech CTO.
- Block Public Access: AWS S3 Block Public Access is enabled at the account level. Any buckets requiring public access (e.g., serving frontend assets) are explicitly isolated.
- Encryption at Rest: All EBS volumes, RDS databases, and S3 buckets are encrypted using KMS (Key Management Service) or equivalent.
- Database Isolation: Databases (RDS, Aurora, Postgres) are placed in private subnets with no public IP addresses assigned. Access is only allowed via specific application security groups or a bastion host.
Network Configuration (VPC)
A flat network allows an attacker who compromises a single web server to pivot to the database layer.
Security Groups
Security groups act as strict allow-lists. Ensure port 22 (SSH) and 3389 (RDP) are never open to 0.0.0.0/0.
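As an added example (not the page's or any vendor's code), a small offline posture check for two of the checklist items above: access keys older than 90 days, and security group rules that open 22/3389 to 0.0.0.0/0 or ::/0. It runs over constructed data shaped like the IAM ListAccessKeys and EC2 DescribeSecurityGroups responses instead of calling AWS, so the function names and sample values are assumptions.

```python
from datetime import datetime, timedelta, timezone
STALE_AFTER_DAYS = 90            # threshold from the checklist
ADMIN_PORTS = (22, 3389)         # SSH and RDP
WORLD = {"0.0.0.0/0", "::/0"}    # "open to the internet" CIDRs

def stale_keys(keys, now, max_age_days=STALE_AFTER_DAYS):
    """Active access keys created more than max_age_days ago (candidates to disable)."""
    cutoff = now - timedelta(days=max_age_days)
    return sorted(k["AccessKeyId"] for k in keys
                  if k["Status"] == "Active" and k["CreateDate"] < cutoff)

def _rule_covers(rule, port):
    """True if an ingress rule reaches `port`; protocol -1 means all traffic, any port."""
    if rule.get("IpProtocol") == "-1":
        return True
    return (rule.get("IpProtocol") == "tcp"
            and rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535))

def exposed_admin_ports(groups):
    """(GroupId, port, cidr) for every rule that opens SSH/RDP to the whole internet."""
    findings = []
    for sg in groups:
        for rule in sg.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            for port in ADMIN_PORTS:
                if _rule_covers(rule, port):
                    findings += [(sg["GroupId"], port, c) for c in cidrs if c in WORLD]
    return findings
# Constructed sample data shaped like ListAccessKeys / DescribeSecurityGroups output.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    {"AccessKeyId": "AKIACONSTRUCTED00001", "Status": "Active", "CreateDate": NOW - timedelta(days=120)},
    {"AccessKeyId": "AKIACONSTRUCTED00002", "Status": "Active", "CreateDate": NOW - timedelta(days=10)},
    {"AccessKeyId": "AKIACONSTRUCTED00003", "Status": "Inactive", "CreateDate": NOW - timedelta(days=400)},
]
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}]},
    {"GroupId": "sg-open", "IpPermissions": [
        {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]

if __name__ == "__main__":
    print("stale keys:", stale_keys(SAMPLE_KEYS, NOW))
    print("exposed admin ports:", exposed_admin_ports(SAMPLE_GROUPS))
```

The bastion group is intentionally not flagged: SSH restricted to a single office range is the pattern the checklist allows, while the all-traffic IPv6 rule is caught even though it names no port.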
Network ACLs
NACLs are used as a secondary defense layer to block known malicious IP ranges at the subnet boundary.
WAF Integration
A Web Application Firewall (AWS WAF, Cloudflare) is deployed in front of all public-facing APIs to block SQLi, XSS, and rate-limit abusive traffic.
Logging and Incident Response
If you are breached, logs are the only way to determine what the attacker accessed.
- CloudTrail Enabled: AWS CloudTrail (or Azure Monitor) is enabled in all regions, logging all API activity across the account.
- Log Protection: Logs are stored in a dedicated, restricted S3 bucket with MFA Delete enabled to prevent attackers from covering their tracks.
- GuardDuty / Security Hub: Threat detection services are enabled to alert on anomalous behavior, such as API calls originating from Tor exit nodes or other unusual sources.
Aligning cloud posture with compliance
Tools like AWS Security Hub or third-party CSPM (Cloud Security Posture Management) platforms can continuously map your infrastructure against frameworks like PCI DSS or CIS Benchmarks. This turns compliance from an annual scramble into a continuous dashboard metric.