  • Enable VPC Flow Logs at the VPC level to diagnose overly permissive security groups. Configure the flow logs to publish to CloudWatch.
  • Use Network Access Analyzer to discover the possible network paths to your resources. Based on the findings, adjust the network configuration to restrict the traffic.
  • Create a Network Firewall in the VPC and direct all traffic through it. AWS Network Firewall can detect and protect against intrusions and block unwanted domains, malware and common network threats. You write the rules by which traffic is controlled.
  • Create your services, such as EC2 and RDS, in private subnets of the VPC with no inbound access from the internet.
  • Configure subnet route tables with the minimum network routes required for connectivity.
  • Use VPC endpoints (AWS PrivateLink) to connect to AWS services (such as S3) using private IP addresses (e.g. from EC2). The traffic stays within the AWS private network, so you do not need an internet gateway or a NAT device.
  • Properly configuring security groups and network ACLs greatly enhances the security of your environment.
  • Consider attaching multiple security groups to an EC2 instance: one for data traffic and another for EC2 management traffic. This way, implementing IAM policies for change control, and auditing those changes, becomes easier.

Set up a network perimeter

Ensure your identities and resources can be used only from expected networks. The expected networks could be your corporate network IP CIDR, your VPC, your third-party partners' trusted networks, or other AWS services.

  • For example, to set up a network perimeter on a critical S3 bucket, the following policy could be set on the bucket. The bucket has a tag “data-perimeter-include” set to true. Values in angle brackets are placeholders to fill in for your environment.
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "EnforceNetworkPerimeter",
          "Effect": "Deny",
          "Principal": "*",
          "Action": "s3:*",
          "Resource": [
            "arn:aws:s3:::<my-data-bucket>",
            "arn:aws:s3:::<my-data-bucket>/*"
          ],
          "Condition": {
            "NotIpAddressIfExists": {
              "aws:SourceIp": "<allowed-corporate-ip-cidr>"
            },
            "StringNotEqualsIfExists": {
              "aws:SourceVpc": "<my-vpc>",
              "aws:PrincipalAccount": [
                "<third-party-account-a>"
              ]
            },
            "BoolIfExists": {
              "aws:PrincipalIsAWSService": "false",
              "aws:ViaAWSService": "false"
            },
            "ArnNotLikeIfExists": {
              "aws:PrincipalArn": "arn:aws:iam::<my-account-id>:role/aws-service-role/*"
            },
            "StringEquals": {
              "aws:PrincipalTag/data-perimeter-include": "true"
            }
          }
        }
      ]
    }
  • If you are using AWS Organizations, use service control policies (SCPs) to achieve the network perimeter for data access.
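The subtle part of the bucket policy above is how its Condition block combines: every operator block and key is ANDed, and the "...IfExists" operators are satisfied when the key is missing from the request. The following evaluator is an added example (not code from the page or from AWS) that implements those documented semantics for the five operators used here on single-valued context keys; the account IDs, CIDR, VPC ID and request contexts are constructed sample values standing in for the policy's placeholders.

```python
import fnmatch
import ipaddress

# Condition block of the EnforceNetworkPerimeter statement, with constructed
# sample values in place of the policy's placeholders.
CONDITION = {
    "NotIpAddressIfExists": {"aws:SourceIp": ["203.0.113.0/24"]},
    "StringNotEqualsIfExists": {"aws:SourceVpc": ["vpc-0abc1234"],
                                "aws:PrincipalAccount": ["111122223333"]},
    "BoolIfExists": {"aws:PrincipalIsAWSService": ["false"],
                     "aws:ViaAWSService": ["false"]},
    "ArnNotLikeIfExists": {"aws:PrincipalArn":
                           ["arn:aws:iam::999999999999:role/aws-service-role/*"]},
    "StringEquals": {"aws:PrincipalTag/data-perimeter-include": ["true"]},
}

def evaluate(op, key, values, ctx):
    """'...IfExists' operators are true when the key is absent from the request context; plain ones are false."""
    if key not in ctx:
        return op.endswith("IfExists")
    actual, base = ctx[key], op.replace("IfExists", "")
    if base == "NotIpAddress":
        ip = ipaddress.ip_address(actual)
        return not any(ip in ipaddress.ip_network(c) for c in values)
    if base == "StringNotEquals":
        return actual not in values
    if base == "StringEquals":
        return actual in values
    if base == "Bool":
        return actual.lower() == values[0].lower()
    if base == "ArnNotLike":
        return not any(fnmatch.fnmatchcase(actual, p) for p in values)
    raise ValueError(f"unsupported operator {op}")

def deny_applies(ctx):
    """IAM ANDs all operator blocks and keys: the Deny matches only when every one is true."""
    return all(evaluate(op, key, vals, ctx)
               for op, keys in CONDITION.items() for key, vals in keys.items())

# Constructed request contexts for a role in account 999999999999. IAM sets
# aws:SourceIp on internet requests and aws:SourceVpc on VPC endpoint requests.
TAGGED = {"aws:PrincipalArn": "arn:aws:iam::999999999999:role/app",
          "aws:PrincipalAccount": "999999999999", "aws:ViaAWSService": "false",
          "aws:PrincipalIsAWSService": "false",
          "aws:PrincipalTag/data-perimeter-include": "true"}
UNTAGGED = {k: v for k, v in TAGGED.items() if "PrincipalTag" not in k}
REQUESTS = {
    "corporate-ip": {**TAGGED, "aws:SourceIp": "203.0.113.10"},
    "vpc-endpoint": {**TAGGED, "aws:SourceVpc": "vpc-0abc1234"},
    "untrusted-ip": {**TAGGED, "aws:SourceIp": "198.51.100.7"},
    "partner-account": {**TAGGED, "aws:SourceIp": "198.51.100.7",
                        "aws:PrincipalAccount": "111122223333"},
    "untagged-untrusted-ip": {**UNTAGGED, "aws:SourceIp": "198.51.100.7"},
}
```

Only the tagged principal calling from an untrusted IP is denied; the partner account is exempted by aws:PrincipalAccount, and a principal without the data-perimeter-include tag fails the plain StringEquals check, so this statement does not cover it at all, which is worth keeping in mind when deciding which principals to tag.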