Principle of least privilege for least time
Use temporary credentials when possible (IAM roles, Instance profiles)
Enforce MFA and strong password practices
Rotate credentials regularly
Security in Depth - Apply security in all layers
VPCs and Private Subnets (Security Groups and Network Access Control Lists)
Use hardened EC2 AMIs (golden image) - Automate patches (OS, software, ...)
Use CloudFront with AWS Shield for DDoS mitigation
Use WAF with CloudFront and ALB (Protect web apps from XSS, SQL injection, etc.)
Use Infrastructure as Code (Automate provisioning of infrastructure that adheres to security policies)
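
An added example, not part of the original list, for the first group of items (temporary credentials, MFA, rotation): it audits an IAM credential report, the CSV returned by aws iam get-credential-report, for console users without MFA and active access keys that have not been rotated. The sample rows and account ID are constructed, only a subset of the report's columns is shown, and the 90-day threshold is an assumption, since the list only says "regularly".

```python
import csv
import io
from datetime import datetime, timezone

MAX_KEY_AGE_DAYS = 90  # assumed threshold; the list above only says "regularly"

# Constructed sample in the IAM credential report layout (subset of columns).
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,not_supported,false,true,2023-01-10T08:00:00+00:00,false,N/A
alice,arn:aws:iam::111122223333:user/alice,true,true,true,2024-05-20T09:30:00+00:00,false,N/A
bob,arn:aws:iam::111122223333:user/bob,true,false,true,2023-11-02T14:15:00+00:00,true,2024-05-01T10:00:00+00:00
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,false,false,true,2022-07-04T12:00:00+00:00,false,N/A
"""


def audit(report_csv, now, max_age_days=MAX_KEY_AGE_DAYS):
    """Return (user, issue, detail) tuples for MFA and key-rotation gaps."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        # The root row reports password_enabled as "not_supported" but can
        # always sign in to the console, so it is held to the MFA check too.
        has_console = row["password_enabled"] == "true" or user == "<root_account>"
        if has_console and row["mfa_active"] != "true":
            findings.append((user, "no_mfa", "console sign-in without MFA"))
        for n in ("1", "2"):
            rotated = row[f"access_key_{n}_last_rotated"]
            if row[f"access_key_{n}_active"] != "true" or rotated == "N/A":
                continue  # inactive or never-created keys are not a rotation gap
            age = (now - datetime.fromisoformat(rotated)).days
            if age > max_age_days:
                # Long-lived keys are also candidates for replacement by an
                # IAM role, which hands out temporary credentials instead.
                findings.append((user, f"stale_key_{n}", f"not rotated for {age} days"))
    return findings


if __name__ == "__main__":
    for user, issue, detail in audit(SAMPLE_REPORT, datetime.now(timezone.utc)):
        print(f"{user:16} {issue:12} {detail}")
```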