The baseline work every other guide on this site assumes you have done. Pick the right OS-family baseline for your stack, layer the SSH hardening on top, and the firewall / AppArmor / SELinux / auditd controls turn a fresh image into something defensible. Read in order if you are starting from a provider snapshot; jump to the piece relevant to your distro if you are auditing an existing host. Pairs with launch-readiness for the pre-go-live verification layer.