It is important to keep track of configuration changes in your assets. AWS Config is an AWS service that monitors configuration changes and lets you remediate undesirable configurations or restore previous ones, correcting configuration deviations.
Rules that check for SSH or RDP ports left open to any IP address, along with the other native rules, significantly strengthen your security posture.
You can identify when a resource becomes non-compliant, send notifications, and perform remediation actions based on AWS Systems Manager Automation documents.
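The open SSH/RDP check described above, sketched as the evaluation logic a custom rule could run over a security group's recorded configuration. This is an added example, not AWS's own rule code. Assumptions: the item's field names (`ipPermissions`, `ipv4Ranges`, `ipv6Ranges`) follow the shape of a recorded security group, the sample item is constructed, and the returned keys mirror the evaluation fields reported back to AWS Config.

```python
import ipaddress

WATCHED_PORTS = {22: "SSH", 3389: "RDP"}

def is_any_source(cidr):
    """True when the CIDR covers every address (0.0.0.0/0 or ::/0)."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False

def open_sources(perm):
    """World-open IPv4 and IPv6 ranges attached to one ingress permission."""
    cidrs = [r.get("cidrIp") for r in perm.get("ipv4Ranges", [])]
    cidrs += [r.get("cidrIpv6") for r in perm.get("ipv6Ranges", [])]
    return [c for c in cidrs if c and is_any_source(c)]

def covers(perm, port):
    """True when the permission allows TCP traffic to the given port."""
    proto = str(perm.get("ipProtocol"))
    if proto == "-1":  # "all traffic" entries carry no port range
        return True
    lo, hi = perm.get("fromPort"), perm.get("toPort")
    return proto in ("tcp", "6") and None not in (lo, hi) and lo <= port <= hi

def evaluate_security_group(item):
    findings = []
    for perm in item.get("configuration", {}).get("ipPermissions", []):
        sources = open_sources(perm)
        for port, name in WATCHED_PORTS.items():
            if sources and covers(perm, port):
                findings.append(f"{name}/{port} open to {', '.join(sources)}")
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": "NON_COMPLIANT" if findings else "COMPLIANT",
        "Annotation": "; ".join(findings)[:256],  # annotation length limit
    }

# Constructed sample item (not real data); field names are assumed.
SAMPLE_ITEM = {
    "resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0example",
    "configuration": {"ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
         "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []},
        {"ipProtocol": "tcp", "fromPort": 3000, "toPort": 4000,
         "ipv4Ranges": [], "ipv6Ranges": [{"cidrIpv6": "::/0"}]},
    ]},
}
```

The second sample permission shows why the check tests port ranges rather than exact ports: a 3000-4000 range open to `::/0` exposes RDP even though 3389 is never named.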
https://www.youtube.com/watch?v=oBuLtfGHETY
https://www.xmind.net/m/ACQQq3/