Security Policy¶ Controls¶ Private S3 bucket CloudFront OAC TLS 1.2 minimum IAM least privilege Optional Enhancements¶ AWS WAF IP allow-list SSO authentication