Container security on AWS: ECR, least-privilege, runtime basics

Last updated: 20 Aug 2025

Short version: Scan images in ECR, use immutable tags, assign least-privilege roles to tasks/pods, keep root filesystems read-only, and send logs/metrics to CloudWatch.

1) ECR hygiene

  • Enable image scanning and lifecycle policies (expire old tags).
  • Use immutable tags (no floating latest tag); pin image digests in deployments.

2) IAM & secrets

  • ECS: task roles per service; no shared “god” role.
  • EKS: IRSA (IAM Roles for Service Accounts, via the cluster OIDC provider), one role per service account; tight IAM policies.
  • Secrets from Secrets Manager/SSM; never bake into images.

3) Runtime

  • Non-root users; read-only root filesystem; drop capabilities.
  • Network SGs per task/service; no 0.0.0.0/0 exposures unless deliberate.
  • Logs to CloudWatch; set retention and a few alarms.
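As an added illustration (not part of the original checklist), the checker below turns the ECR, IAM/secrets and runtime items from sections 1 to 3 into assertions over an ECS task definition: digest-pinned image, a task role, non-root user, read-only root filesystem, all capabilities dropped, awslogs driver, and no secret-looking plain environment variables. Both task definitions, the account id, role and secret ARNs are constructed sample values.

```python
import re

# Two constructed ECS task definitions (not from any real account).
# WEAK violates several checklist items; HARDENED follows them.
WEAK = {
    "taskRoleArn": "arn:aws:iam::123456789012:role/orders-api-task",
    "containerDefinitions": [{
        "name": "api",
        "image": "123456789012.dkr.ecr.eu-west-1.amazonaws.com/orders-api:latest",
        "environment": [{"name": "DB_PASSWORD", "value": "hunter2"}],
    }],
}
HARDENED = {
    "taskRoleArn": "arn:aws:iam::123456789012:role/orders-api-task",
    "containerDefinitions": [{
        "name": "api",
        "image": "123456789012.dkr.ecr.eu-west-1.amazonaws.com/orders-api@sha256:" + "0" * 64,
        "user": "10001:10001", "readonlyRootFilesystem": True,
        "linuxParameters": {"capabilities": {"drop": ["ALL"]}},
        "logConfiguration": {"logDriver": "awslogs"},
        "secrets": [{"name": "DB_PASSWORD", "valueFrom": "arn:aws:secretsmanager:eu-west-1:123456789012:secret:orders-db"}],
    }],
}

DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")          # image pinned by digest
SECRET_NAME_RE = re.compile(r"PASSWORD|SECRET|TOKEN|API_KEY", re.I)  # heuristic only

def check_task_definition(task_def):
    """Return (container, finding) pairs for every checklist item the definition violates."""
    findings = []
    if not task_def.get("taskRoleArn"):
        findings.append(("task", "no taskRoleArn: task has no least-privilege role of its own"))
    for c in task_def.get("containerDefinitions", []):
        name = c.get("name", "?")
        if not DIGEST_RE.search(c.get("image", "")):
            findings.append((name, "image not pinned by digest (mutable tag)"))
        if not c.get("readonlyRootFilesystem"):
            findings.append((name, "root filesystem is writable"))
        if str(c.get("user", "")).split(":")[0] in ("", "0", "root"):
            findings.append((name, "runs as root (no non-root user set)"))
        drops = c.get("linuxParameters", {}).get("capabilities", {}).get("drop", [])
        if "ALL" not in drops:
            findings.append((name, "capabilities not dropped (expected drop: [ALL])"))
        if c.get("logConfiguration", {}).get("logDriver") != "awslogs":
            findings.append((name, "logs not sent to CloudWatch (awslogs driver missing)"))
        for env in c.get("environment", []):   # plain env vars, not the 'secrets' block
            if SECRET_NAME_RE.search(env.get("name", "")):
                findings.append((name, f"{env['name']} passed as plain env var; use 'secrets' with Secrets Manager/SSM"))
    return findings
```

Run it over each registered task definition in CI; an empty result for a definition means it meets every item checked here.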

4) Supply chain notes

  • Build in CI with minimal base images; sign artifacts if possible.
  • Block unsigned images in policy (admission controller or task policy).