Security groups
When you create a new instance, segment your security groups. E.g. don’t put the SSH port in the main applications security group
For each security group decide whether the group should have a public IP (back end servers won’t need a public IP)