Nathan Theule


"We didn't turn that on"

Wed 06 November 2024
By Nathan Theule

In AWS.

tags: AWSSecurity

AWS is chock full of security features. Every service has its own array of knobs to turn and checkboxes to tick. And when you get to be the size of AWS, there are bound to be some features that are rarely used. Maybe you'd describe this as "feature creep". You might not be wrong.

Still, the functionality is already there, so why not give some of those knobs and dials a twist? Here are a few that I've found to be interesting.

S3 Object Lock

S3 Object Lock is a feature that can be enabled on an S3 bucket to prevent objects from being deleted or overwritten for a specified period of time. The amount of time is specified by setting a retention period or a legal hold. A legal hold will "lock" objects indefinitely.

There are also a couple of modes that can be set for objects configured with object lock: compliance mode and governance mode. Governance mode prevents most users from deleting or overwriting "locked" objects, but still allows more privileged users when the correct IAM conditions are used. Compliance mode stops any and all users from deleting or overwriting objects (even root). In fact, compliance mode is so stringent that you have to delete the entire AWS account if you want to delete the objects before the retention period expires.

Your buckets also need to have S3 versioning enabled.

As some of the options hint at, S3 object lock is useful for organizations that need to retain data for certain periods of time as part of compliance or regulatory requirements.

Here's the documentation.

DynamoDB Table Deletion Protection

It's odd to me that I've seen this one so rarely used. If you log into the web console and look at your tables there's a column for it by default. You'd think more people would use it.

In all fairness, the documentation is actually pretty hard to find (though there are a few easy-to-find blog posts).

DynamoDB deletion protection is a property that can be enabled on a table to prevent it from being deleted even by authorized users. This property is disabled by default for new DynamoDB tables.

While not the most useful on a dev account, it can add a great layer of protection for production accounts. Sysadmins may need to be able to delete tables for account maintenance, but some tables should never be removed. To allow a protected table to be deleted, simply change the property back to disabled.

It adds another step of thought to the process that can stop someone from accidentally deleting the wrong table.

Here's the documentation for this one.

Lambda Code Signing

AWS Lambda can leverage the AWS signer service to validate code that it runs. By signing code, you can ensure that the code writer has the required permissions to create and deploy code to your Lambda functions.

To do this, a "signing profile" is created in the AWS signer service. The signing profile is then used to sign code, and since access to the signing profile is controlled by IAM, we now have another layer of validation for our code. AWS Lambda can be set to either warn or deny code deployments that are not signed.

The AWS Signer service also integrates with various other AWS services like Amazon ECR, Amazon EKS, and AWS Certificate Manager.

Find the documentation here.
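The natural follow-up to "we didn't turn that on" is checking what actually is on. The following is an added example (not the author's code) that audits the three settings above: each function takes the dict shape the corresponding boto3 call returns and reports the weak configuration. The sample responses are constructed, so it runs offline; swap them for live `describe_table`, `get_object_lock_configuration` and `get_code_signing_config` results in a real account.

```python
from typing import Optional

def audit_object_lock(cfg: Optional[dict]) -> list:
    """cfg: s3.get_object_lock_configuration()['ObjectLockConfiguration'];
    pass None when that call raised ObjectLockConfigurationNotFoundError."""
    if not cfg or cfg.get("ObjectLockEnabled") != "Enabled":
        return ["S3: Object Lock is not enabled on the bucket"]
    rule = cfg.get("Rule", {}).get("DefaultRetention")
    if not rule:
        return ["S3: Object Lock enabled but no default retention rule set"]
    if rule.get("Mode") == "GOVERNANCE":
        # Not wrong, but worth knowing: privileged principals can still bypass it.
        return ["S3: default retention is GOVERNANCE (bypassable), not COMPLIANCE"]
    return []

def audit_dynamodb_table(table: dict) -> list:
    """table: dynamodb.describe_table()['Table']."""
    if not table.get("DeletionProtectionEnabled", False):
        return [f"DynamoDB: table {table['TableName']} has deletion protection disabled"]
    return []

def audit_lambda_signing(fn_cfg: Optional[dict], csc: Optional[dict]) -> list:
    """fn_cfg: lambda.get_function_code_signing_config() response (None when the
    function has no config attached); csc: get_code_signing_config()['CodeSigningConfig']."""
    if not fn_cfg or not fn_cfg.get("CodeSigningConfigArn") or not csc:
        return ["Lambda: no code signing config attached to the function"]
    policy = csc.get("CodeSigningPolicies", {}).get("UntrustedArtifactOnDeployment")
    if policy != "Enforce":
        return [f"Lambda: unsigned deployments are only '{policy}'ed, not rejected"]
    return []

# Constructed sample responses (placeholder account id and ARN, not from a real account).
SAMPLE_LOCK = {"ObjectLockEnabled": "Enabled",
               "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 30}}}
SAMPLE_TABLE = {"TableName": "orders-prod", "DeletionProtectionEnabled": False}
SAMPLE_FN_CFG = {"FunctionName": "ingest",
                 "CodeSigningConfigArn": "arn:aws:lambda:us-east-1:111111111111:code-signing-config:csc-EXAMPLE"}
SAMPLE_CSC = {"CodeSigningPolicies": {"UntrustedArtifactOnDeployment": "Warn"}}

def run_audit() -> list:
    """Combine the three checks into one findings list for the sample account."""
    return (audit_object_lock(SAMPLE_LOCK)
            + audit_dynamodb_table(SAMPLE_TABLE)
            + audit_lambda_signing(SAMPLE_FN_CFG, SAMPLE_CSC))

if __name__ == "__main__":
    for finding in run_audit():
        print(finding)
```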
