
Ah yeah, for IAM the defaults seem sane, true! The things that I've come across recently are that encryption at rest is usually disabled (EBS, SQS, S3, SNS, Kinesis, CloudWatch log groups, CloudTrail). Some of these have server-side encryption and then it's easy to just check that box; others require you to set up KMS keys etc.

Audit logs are in many cases disabled by default (RDS, S3, OpenSearch, ELB).

S3 does not require TLS requests by default. ECR does not have image scanning enabled by default.

Also, new accounts have almost all regions enabled and a default VPC in each (with subnets, route tables, security groups, an internet gateway and a DHCP option set). Unused VPCs are not recommended to keep around, but I suppose it makes onboarding easier.
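An added example (editor's code, not from any commenter) that checks two of the S3 defaults raised above offline: whether a bucket policy denies plaintext (non-TLS) requests via `aws:SecureTransport`, and which server-side encryption algorithm a bucket applies by default. The dict shapes follow what boto3's `get_bucket_policy` and `get_bucket_encryption` return; the bucket names and configurations are constructed samples, and nothing is fetched from AWS.

```python
# Offline check for two S3 settings mentioned above: a bucket policy that denies
# plaintext (non-TLS) requests, and the default server-side encryption rule. Dict
# shapes follow boto3's get_bucket_policy / get_bucket_encryption; nothing is fetched.
SECURE_TRANSPORT = "aws:SecureTransport"

def tls_only_policy(bucket):
    """Bucket policy denying every S3 action when the request is not made over TLS."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
        "Action": "s3:*",
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        "Condition": {"Bool": {SECURE_TRANSPORT: "false"}}}]}

def enforces_tls(policy):
    """True if some Deny statement covers s3:* whenever aws:SecureTransport is false."""
    for stmt in (policy or {}).get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        flag = stmt.get("Condition", {}).get("Bool", {}).get(SECURE_TRANSPORT)
        if stmt.get("Effect") == "Deny" and "s3:*" in actions and str(flag).lower() == "false":
            return True
    return False

def default_sse_algorithm(enc_config):
    """SSEAlgorithm applied to new objects (AES256 = SSE-S3, aws:kms = SSE-KMS), or None."""
    rules = (enc_config or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    algos = [r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm") for r in rules]
    return next((a for a in algos if a), None)

def sse_config(algorithm):
    """Encryption configuration dict in the shape get_bucket_encryption returns (constructed)."""
    return {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": algorithm}}]}}

def audit_bucket(name, policy, enc_config):
    """Findings for one bucket; an empty list means both controls are in place."""
    findings = []
    if not enforces_tls(policy):
        findings.append(f"{name}: no Deny on {SECURE_TRANSPORT}=false, plaintext HTTP accepted")
    algo = default_sse_algorithm(enc_config)
    if algo != "aws:kms":
        findings.append(f"{name}: default encryption is {algo or 'unset'}, not SSE-KMS")
    return findings

if __name__ == "__main__":  # constructed sample: an unconfigured bucket next to a hardened one
    for name, policy, enc in [("logs-legacy", None, sse_config("AES256")),
                              ("logs-hardened", tls_only_policy("logs-hardened"), sse_config("aws:kms"))]:
        print("\n".join(audit_bucket(name, policy, enc)) or f"{name}: ok")
```

Against a real account the same functions can be fed the results of `get_bucket_policy` (parsed from its `Policy` JSON string) and `get_bucket_encryption`, catching the `NoSuchBucketPolicy` / `ServerSideEncryptionConfigurationNotFoundError` errors as "unset".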



Good points. Totally agree about encryption - I think S3 is a legacy case where SSE-S3 is implemented differently to SSE-KMS, but still I'd be on board with KMS encryption (using an AWS managed key) as the default.

Audit logging costs money, so I'm on the fence about that.

A default VPC is easy to disable in enterprise deployments, but for the rest of us it is necessary to do quick tests with EC2-adjacent services - I'd be in favour of it not existing until you try to launch something though.


I think SQS encryption was enabled by default (for newly created queues) this week funnily enough.

I completely agree though - I look at CloudConformity and so many of the warnings are for encrypted resources.



