- First read the Amazon Security Whitepaper and the Amazon discussion of Security processes

- Ensure the system key is encrypted at start-up

- Ensure you plan for load balancing in case an instance goes down. Ensure you understand all the security implications of this and harden any other instances.

- Test or emulate the performance of applications deployed to the cloud in all geographies where you plan to deploy them. The latency could vary greatly for each.

- Never ever allow password base authentication for shell access.

- Encrypt all network traffic always.

- Always encrypt everything stored on S3

- Encrypt file systems for Block devices

- Open only the minimum required ports

- Include no authentication information in any AMI images

- Think about how your system can be hardened and what is out there such as SELinux, PAX,  ExecShield etc

- Don’t allows any decryption keys into the cloud – understand the perils of keys and security

- Install host based intrusion detection system such as OSSEC

- Regularly backup Amazon instances and store them securely. 

- Use Security Groups. With EC2 security groups, you can completely isolate every tier, even internally to the EC2 cloud.

- Design in a way you can issue security patches to AMI instances

The nightmare scenario that you cannot cater for is is that Xen has unforeseen security issues which would allow inter-VM communication and which in essence would enable instance spying. Amazons doomsday scenario…..