Setting up Zero Trust in AWS is the first step. Managing it requires ongoing attention as users join, accounts are added, credentials remain active, and permissions change over time.
Most AWS security gaps appear after the initial setup. A developer receives temporary administrator access that is never removed. An access key created for a project six months ago remains active. A new AWS account is added to the organization without GuardDuty enabled. A Service Control Policy that should restrict high-risk actions was never created.
These gaps can remain unnoticed until a security incident occurs.
This guide covers three controls used to manage AWS Zero Trust security: MFA for all users and accounts, Service Control Policies that establish organization-level guardrails that individual accounts cannot bypass, and GuardDuty monitoring that keeps threat detection aligned with changes to AWS accounts, users, and applications.
Contents
- 1 Managing Zero Trust Security After Initial Setup
- 2 Require MFA for All IAM Identity Center Users
- 3 Apply Service Control Policies to Protect Organization-Wide Controls
- 4 Remove Long-Term IAM Access Keys
- 5 Monitor and Maintain Zero Trust Controls with GuardDuty
- 6 How AWS Zero Trust Connects With Microsoft 365 Security?
- 7 Managing AWS Security Controls with Netstager Technologies
Managing Zero Trust Security After Initial Setup
Zero Trust is not a one-time setup. Every change in AWS, including new accounts, new team members, and new applications, can create gaps in access controls if they are not reviewed and managed properly.
Common ways Zero Trust controls develop gaps over time:
| Situation | What goes wrong |
|---|---|
| New developer onboarded | Given broad permissions temporarily, never reviewed |
| Employee leaves | IAM Identity Center account disabled but access keys still active |
| New AWS account created | Added to Organizations without GuardDuty or IAM Identity Center configured |
| Project ends | Service account and access keys remain active with no owner |
| Team restructure | Permission sets not updated to reflect new roles |
| No SCP in place | Individual account administrators can disable security controls |
The three controls in this guide address these situations directly.
Require MFA for All IAM Identity Center Users
MFA is one of the most important protections against stolen credentials. If someone obtains a password, they may be able to sign in to AWS if MFA is not enabled.
MFA adds an additional verification step before access is granted. AWS now requires MFA for root users in all account types. The same requirement should apply to every user accessing AWS through IAM Identity Center.
Step 1: Set Up MFA in IAM Identity Center
Go to: IAM Identity Center → Settings → Authentication → MFA .
Set the following:
| Setting | Recommended setting |
|---|---|
| MFA requirement | Required for all users |
| Allowed MFA types | Authenticator apps, FIDO2 security keys |
| SMS-based MFA | Disabled |
| MFA for new users | Prompt at first sign-in |
Why SMS MFA Should Be Avoided: SMS-based MFA is not recommended for a Zero Trust security model. SIM-swap attacks and message interception can give attackers access to one-time passcodes sent to a phone number. FIDO2 security keys and authenticator apps provide phishing-resistant authentication and are the preferred MFA methods.
Step 2: Require MFA for Administrative Permission Sets
For administrator and security team permission sets, add an additional condition that requires MFA before access is granted.
Go to: IAM Identity Center → Permission sets → Select administrator permission set → Inline policy.
Add the following condition to your permission set inline policy:
{
"Effect": "Deny",
"Action": "*",
"Resource": "*",
"Condition": {
"BoolIfExists": {
"aws:MultiFactorAuthPresent": "false"
}
}
}This blocks all actions if MFA was not used during sign-in, even if the permission set includes those actions.
Step 3: Audit Current MFA Status
Before requiring MFA for all users, check which users currently have it enabled.
Go to: IAM Identity Center → Users.
Review each user’s MFA devices. Users without MFA registered should be notified and given a short window, typically 5 to 7 days, to register a device before MFA becomes mandatory.
Apply Service Control Policies to Protect Organization-Wide Controls
Service Control Policies (SCPs) are used at the AWS Organizations level. They specify which actions can or cannot be performed within accounts in the organization, including actions by account administrators and root users in member accounts.
SCPs do not grant permissions. They set the maximum level of access available within an account. Even if an IAM policy in a member account permits an action, an SCP can still block it.
This makes SCPs an important control for preventing Zero Trust security settings from being disabled or bypassed at the account level.
Step 1: Enable Service Control Policies
Go to: AWS Organizations → Policies → Service control policies → Enable.
Once enabled, a default FullAWSAccess SCP is applied to all accounts. This permits all actions by default. You then add deny-based SCPs on top of this to restrict specific actions.
Step 2: Create an SCP to Prevent Disabling GuardDuty
This SCP prevents any user or role in a member account from disabling GuardDuty, deleting findings, or removing the GuardDuty administrator account relationship.
Go to: AWS Organizations → Policies → Service control policies → Create policy.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": [
"guardduty:DeleteDetector",
"guardduty:DisassociateFromMasterAccount",
"guardduty:StopMonitoringMembers",
"guardduty:UpdateDetector"
],
"Resource": "*"
}
]
}Step 3: Create an SCP to Block Long-Term Access Keys
This SCP prevents the creation of new IAM users with long-term access keys in all accounts.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": [
"iam:CreateUser",
"iam:CreateAccessKey"
],
"Resource": "*"
}
]
}Step 4: Create an SCP to Restrict Actions to Approved Regions
This SCP prevents any actions in AWS Regions your organization does not use. This reduces your attack surface by limiting regions where GuardDuty may not be enabled or where resources could be created without oversight.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": "*",
"Resource": "*",
"Condition": {
"StringNotEquals": {
"aws:RequestedRegion": [
"ap-south-1",
"us-east-1"
]
}
}
}
]
}Replace the region list with the regions your organization actively uses.
Step 5: Attach SCPs to the Correct Organizational Units
Go to: AWS Organizations → AWS accounts → Select OU or account → Policies → Attach.
Attach SCPs to Organizational Units rather than individual accounts where possible. New accounts added to an OU automatically inherit the correct guardrails.
| SCP | Apply to |
|---|---|
| Prevent disabling GuardDuty | Root or all member account OUs |
| Block access key creation | All member account OUs |
| Region restriction | All member account OUs |
Remove Long-Term IAM Access Keys
Long-term access keys attached to IAM users are one of the most common causes of AWS credential compromise. Unlike temporary credentials issued by IAM Identity Center, access keys do not expire automatically. A key created two years ago for a project that ended is still valid unless disabled.
If you completed the IAM Identity Center setup covered in Part 1 of this series, no user should need a long-term access key. All access should go through IAM Identity Center with temporary credentials.
Step 1: Audit All Active Access Keys
Go to: IAM → Users → Select each user → Security credentials.
For each active access key, check:
- When it was last used
- Which service or user is using it
- Whether the owner still works at the organization
Any key not used in the last 90 days should be disabled immediately. Any key with no identified owner should be disabled and investigated.
You can also run this across all accounts using AWS Config:
Go to: AWS Config → Rules → Add rule → Search: access-keys-rotated.
Step 2: Replace Access Keys With the Right Alternative
| Use case | Replace with |
|---|---|
| Developer accessing AWS console | IAM Identity Center temporary credentials |
| Application running on EC2 | IAM instance profile and role |
| Lambda function | IAM execution role |
| CI/CD pipeline (GitHub Actions, GitLab) | OIDC federation — assume IAM role directly |
| Workload running outside AWS | IAM Roles Anywhere |
Step 3: Disable and Delete Unused Keys
Once a replacement is confirmed, disable the access key first. Do not delete it immediately. Disabling allows you to re-enable it quickly if issues occur.
Go to: IAM → Users → Security credentials → Access keys → Deactivate.
After 30 days with no issues reported, delete the key permanently.
Monitor and Maintain Zero Trust Controls with GuardDuty
The setup covered in our Zero Trust setup guide enabled GuardDuty and its protection plans. Keeping GuardDuty requires regular review of findings, alert routing, and coverage as your AWS accounts change.
Step 1: Review GuardDuty Findings Regularly
Go to: GuardDuty → Findings.
Filter based on severity:
| Severity | Action | Review Schedule |
|---|---|---|
| Critical | Investigate immediately. These are confirmed attack sequences. | As soon as alerted |
| High | Review within 24 hours | Daily |
| Medium | Review and assess | Weekly |
| Low | Review for patterns | Monthly |
For each critical finding, check the MITRE ATT&CK mapping included in the finding details. This shows where in the attack sequence the activity is, including initial access, persistence, lateral movement, or exfiltration, and what the likely next steps are.
Step 2: Review IAM Identity Center Access Activity
Go to: CloudTrail → Event history.
Filter for:
- ConsoleLogin events — check for unusual times, locations, or failed attempts
- AssumeRole events — check for roles being assumed outside normal working hours or from unexpected locations
- CreateAccessKey events — should not appear if your SCP is in place
Unusual patterns in these events often indicate an account compromise before GuardDuty generates a finding.
Step 3: Keep GuardDuty Coverage Current
Every time your AWS accounts change, check whether GuardDuty coverage needs to be updated.
| Change | GuardDuty action required |
|---|---|
| New AWS account added | Enable GuardDuty and add to administrator account |
| New region activated | Enable GuardDuty in that region |
| EKS cluster deployed | Enable EKS Protection and Runtime Monitoring |
| RDS database added | Enable RDS Protection |
| Lambda functions added | Enable Lambda Protection |
| S3 buckets with sensitive data | Confirm S3 Protection is active |
Step 4: Set a Review Schedule
| Situation | What to do |
|---|---|
| New employee joining | Add to correct IAM Identity Center group and confirm MFA is registered |
| Employee leaving | Disable IAM Identity Center account, disable any access keys, and revoke active sessions |
| New application added | Review permission sets and confirm no new access keys were created |
| New AWS account added | Enable GuardDuty, attach SCPs, and assign IAM Identity Center permissions |
| Every 90 days | Audit active access keys and review unused permission sets |
| Every 6 months | Review all SCPs, GuardDuty protection plans, and MFA compliance |
How AWS Zero Trust Connects With Microsoft 365 Security?
Organizations using both AWS and Microsoft 365 can apply the same Zero Trust approach on both platforms using a single identity framework.
| Microsoft 365 | AWS | Purpose |
|---|---|---|
| Conditional Access Policies | IAM Identity Center + Verified Access | Control access based on identity and device |
| Entra ID Protection | GuardDuty Extended Threat Detection | Detect and respond to identity threats |
| Microsoft Intune | Verified Access device trust providers | Verify device health before granting access |
| Security Defaults / MFA policies | IAM Identity Center MFA enforcement | Require MFA for all users |
| Azure AD Conditional Access | SCPs (Service Control Policies) | Set organization-wide access guardrails |
If your organization uses Microsoft Entra ID as the identity source for IAM Identity Center, the same users, groups, MFA methods, and device compliance policies apply to both Microsoft 365 and AWS. One identity. One set of controls. Same verification on both platforms.
Managing AWS Security Controls with Netstager Technologies
Enabling MFA, creating SCPs, and removing access keys are individual steps. Keeping them properly set up over time as your AWS setup grows with new accounts, teams, workloads, and changing requirements is an ongoing process.
In most cases, gaps appear not because controls were never set up, but because they were not maintained. An SCP attached to the wrong OU. A GuardDuty finding suppressed and forgotten. An access key disabled but never replaced. A new account added to Organizations without inheriting the correct policies.
After Setup: What Needs Regular Review
- MFA compliance — New users added without MFA registered, or existing users who switched devices and never re-enrolled
- SCP coverage — New OUs or accounts not attached to the correct SCPs at creation
- Access key sprawl — Keys created for temporary projects that remain active long after the project ended
- GuardDuty blind spots — New regions or services added without enabling the required protection plans
- Permission set drift — Roles that gradually gain more access over time
- Compliance changes — Updates to GDPR, HIPAA, or local data protection rules that impact how access logs and controls are set up
Netstager Technologies, an AWS partner in Kerala, supports organizations of different scales. For organizations using both AWS and Microsoft 365, we align Zero Trust controls on both platforms under a single identity framework using Microsoft Entra ID so the same users, groups, and policies apply throughout your setup.
Our AWS Zero Trust Service Includes
|
MFA Audit and Control
Review of current MFA status across all IAM Identity Center users, identification of users without registered devices, and setup of enforcement policies using phishing-resistant MFA methods.
|
|
Service Control Policy Implementation
Creation and attachment of SCPs to protect GuardDuty, restrict access key creation, limit actions to approved regions, and apply organization-wide guardrails for all member accounts.
|
|
Access Key Audit and Removal
Full audit of active access keys across all accounts, identification of unused or unowned keys, and migration of workloads to IAM roles, instance profiles, or OIDC federation.
|
|
GuardDuty Review and Coverage Expansion
Review of existing GuardDuty findings, suppression rules, and protection plan coverage, with updates to ensure all active services and regions are monitored.
|
|
Cross-Platform Identity Alignment
For organizations using Microsoft 365 and AWS together, we connect Microsoft Entra ID as the identity source for both platforms and align Conditional Access Policies with IAM Identity Center permission sets and SCPs.
|
|
Ongoing Monitoring and Maintenance
Review of GuardDuty findings, CloudTrail activity, MFA compliance, SCP coverage, and access key status, with updates as teams and AWS setups change.
|
To review, improve, or maintain your AWS Zero Trust controls, connect with Netstager Technologies.
