AWS in 2025 is complex.

With over 16,000 API methods, 400 service namespaces, and more than 18,000 permissions, mastering AWS is challenging enough. Securing it properly while maintaining this complexity? That seems nearly impossible.

Yet security doesn't have to be complicated. By focusing on these five critical areas—what I call the "5 A's of AWS Security"—you can dramatically simplify your approach while strengthening your protection:

Assets

Where are your resources and, more importantly, where is your data? In a world of GenAI, your data isn't just an asset, it's your competitive advantage. But sometimes the first challenge is just knowing where it is.

Actions

Do you know what actions you actually need? AWS permissions are granted by IAM actions. If you want to follow the principle of least privilege, then you need to know and control the actions granted in your environment.

Access

How do you and your team get into AWS? The "right way" to access AWS has evolved dramatically, leaving many organizations with a confusing mix of access methods.

Alerting

How do you know if bad stuff happens? Is it just when you get a bigger-than-expected bill at the end of the month? Manual security checks guarantee you'll miss critical events, but most monitoring solutions generate overwhelming noise. Focus on the most important things, and don't get distracted.

Attack Surface

What is your public-facing attack surface? Identity is the new perimeter, but if your resources are on the internet then they're going to get attacked.


This post is the starting point of a new series of security articles and practical recommendations that will make securing your AWS environment straightforward and manageable. My goal is to help you spend more time building on AWS and less time worrying about security.